ThinkPHP Exploit
A researcher at Akamai published an analysis of the ThinkPHP exploit that has actively been seen distributing malware in the wild.
The Akamai researcher came across an unknown payload during network traffic analysis. Analysis of this individual payload led to further research on ThinkPHP vulnerabilities being exploited in the wild. This vulnerability, CVE-2018-20062, allows an unauthenticated attacker to perform remote code execution. Because it can be exploited on multiple operating systems, it has a wider pool of potential victims. Analysis of various exploit attempts shows attackers using this vulnerability to download and execute malicious payloads on victim hosts.
The payloads vary in purpose but, in general, Linux hosts are joined to a botnet while Windows hosts are infected with cryptomining software, web shells, and password cracking tools. For further details, see https://blogs.akamai.com/sitr/2019/01/thinkphp-exploit-actively-exploited-in-the-wild.html
Indicators of Compromise

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.