Tags
RansomOps
Attribution
💰Cybercrime
Incidents
RCE Vulnerability in PHP CGI Exploited by TellYouThePass
References
https://www.crowdstrike.com/blog/tellyouthepass-ransomware-analysis-reveals-modern-reinterpretation-using-golang/https://www.imperva.com/blog/update-cve-2024-4577-quickly-weaponized-to-distribute-tellyouthepass-ransomware/
Last edited
Aug 7, 2024 10:42 AM
Status
Finalized
Cloud-fluent
Unique Tools
TellYouThePass ransomware
TellYouThePass Gang has been running the TellYouThePass ransomware campaign since 2019, and is known for exploiting n-day vulnerabilities. The gang uses the Windows mshta.exe binary to run a malicious HTML application (HTA) file containing VBScript with a base64-encoded string. This string decodes into a binary, loading a .NET variant of the ransomware into the host's memory. The ransomware then sends an HTTP request disguised as a CSS resource request to a command-and-control server and encrypts files on the infected machine. A ransom note, "READ_ME10.html," is left on the system with instructions for the victim on how to restore their files.