{
  "name": "Update: CVE-2024-4577 quickly weaponized to distribute Ransomware",
  "slug": "update-cve-2024-4577-quickly-weaponized-to-distribute-ransomware",
  "description": "The report describes an attack campaign that exploits the CVE-2024-4577 vulnerability to deliver the \"TellYouThePass\" ransomware. The attackers use the vulnerability to execute arbitrary PHP code and run a malicious HTML Application (HTA) that loads a .NET variant of the ransomware into memory. Upon execution, the ransomware contacts a command-and-control server, enumerates directories, terminates processes, encrypts files, and leaves a ransom note.",
  "published": "2024-06-11T08:13:05+00:00",
  "created_at": "2024-06-11T08:13:05+00:00",
  "modified_at": "2024-06-11T08:31:46+00:00",
  "created_at_opencti": "2024-06-11T08:13:05+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-11",
    "CVE-2024-4577",
    "encryption",
    "exploit",
    "infection",
    "ransomware",
    "tellyouthepass"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "88.218.76.13"
      },
      {
        "id": "",
        "name": "9562ad2c173b107a2baa7a4986825b52e881a935deb4356bf8b80b1ec6d41c53"
      },
      {
        "id": "",
        "name": "5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618"
      },
      {
        "id": "",
        "name": "95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3"
      },
      {
        "id": "",
        "name": "bc1qnuxx83nd4keeegrumtnu8kup8g02yzgff6z53l"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:942ea37267c8ecb9",
        "name": "TellYouThePass",
        "slug": "tellyouthepass"
      }
    ],
    "attack_patterns": [
      {
        "id": "14e5fcd9-c0ff-44f0-8430-d8942ebb832e",
        "name": "T1567.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2024-3577"
      },
      {
        "id": "",
        "name": "CVE-2023-22524"
      },
      {
        "id": "",
        "name": "CVE-2024-4577"
      },
      {
        "id": "",
        "name": "CVE-2023-46604"
      },
      {
        "id": "",
        "name": "CVE-2021-44228"
      }
    ]
  },
  "external_refs": [
    "https://www.imperva.com/blog/update-cve-2024-4577-quickly-weaponized-to-distribute-tellyouthepass-ransomware",
    "https://otx.alienvault.com/pulse/666823317d16a2e82515f9ca"
  ]
}