{"id":3006,"date":"2025-03-23T12:37:23","date_gmt":"2025-03-23T12:37:23","guid":{"rendered":"https:\/\/aegislens.com\/home\/?p=3006"},"modified":"2025-03-23T12:37:23","modified_gmt":"2025-03-23T12:37:23","slug":"uncovering-how-hackers-use-php-vulnerabilities-to-launch-quasar-rat-and-xmrig-miners","status":"publish","type":"post","link":"https:\/\/aegislens.com\/home\/uncovering-how-hackers-use-php-vulnerabilities-to-launch-quasar-rat-and-xmrig-miners\/","title":{"rendered":"Uncovering How Hackers Use PHP Vulnerabilities to Launch Quasar RAT and XMRig Miners"},"content":{"rendered":"

Cybereason recently found evidence that this PHP flaw enables the deployment of Quasar RAT and XMRig miners.<\/p>\n

This article reports what we know thus far and provides critical practical advice for cybersecurity professionals.<\/p>\n

The Breach: How it Happens<\/h2>\n<\/p>\n

The PHP flaw (CVE-2024-4577) attackers exploit is an argument injection vulnerability.<\/p>\n

This it stems from incorrect handling of Windows command line arguments when PHP operates in CGI mode.<\/p>\n

With successful exploitation, malicious actors could cause arbitrary code execution in affected systems.<\/p>\n

Quasar RAT and XMRig Miners Involved<\/h2>\n<\/p>\n

In Cybereason\u2019s discovery, hackers used this PHP flaw to deploy Quasar RAT, a fully capable, open-source RAT developed for Windows that leverages TCP protocol for communication between the client and the server.<\/p>\n

With Quasar, hackers can remotely administer and monitor infected systems, keystroke logging, and exfiltrate sensitive data.<\/p>\n

Moreover, they found XMRig Miner deployment, open-source, cross-platform software used for mining Monero cryptocurrency.<\/p>\n

By infecting systems with XMRig, attackers subtly siphon processing power, deploying a “cryptojacking” operation to mine cryptocurrency without the victim’s knowledge.<\/p>\n

The Implications<\/h2>\n<\/p>\n

This exploit threatens any Windows-based system running PHP in CGI mode.<\/p>\n

With the sheer volume of PHP-based applications and websites, the potential damage could be extensive.<\/p>\n

The illicit use of system resources for cryptocurrency mining can degrade system performance and increase electricity costs, while a Quasar RAT infection could lead to devastating data breaches.<\/p>\n

Practical Advice for Cybersecurity Professionals<\/h2>\n<\/p>\n

Firstly, security teams should ensure timely software patching to guard against known vulnerabilities.<\/p>\n

PHP’s official website provides updates and patches, and in this specific incident, the vulnerability has been addressed in PHP 7.2.34, 7.3.23, and 7.4.11.<\/p>\n

Furthermore, cybersecurity teams should monitor for abnormal system performance, unusual outbound network traffic, and unfamiliar processes.<\/p>\n

Signs like these could indicate an ongoing XMRig Miner or Quasar RAT infection.<\/p>\n

Conclusion<\/h2>\n<\/p>\n

This exploit serves as a sobering reminder of the relentless creativity of cyber threats and the importance of maintaining a robust cybersecurity infrastructure that includes keeping software up-to-date and actively monitoring for unusual activity.<\/p>\n

Follow-Up Reading<\/h3>\n