

ThinkPHP Vulnerable to Attacks from Payload Injected in Remote Servers - Absolute Computer System

Cybercriminals always change their tactics, techniques, and procedures (TTPs). These cybersecurity thugs develop new malicious tools to carry out their activities.

A recent case illustrates this strategy. Researchers have noticed a worrying trend in which attackers exploit long-known vulnerabilities. One such example is the pair of ThinkPHP remote code execution (RCE) vulnerabilities CVE-2018-20062 and CVE-2019-9082.

Cybersecurity experts first noticed exploitation of the ThinkPHP framework in October 2023, when attackers did only limited probing. A larger campaign resurfaced in April 2024; in that campaign the attackers leveraged these vulnerabilities to install remote shells. The CVE exploits attempt to download a file named “public.txt” from a Chinese server, which experts believe is itself compromised.

The downloaded file is the malicious “roeter.php,” which opens an obfuscated, password-protected web shell backdoor. Most ThinkPHP attacks originated from Zenlayer cloud IP addresses based in Hong Kong. Because the server hosting the backdoor is believed to be infected rather than attacker-owned, experts suggest this is both a cost-cutting measure and a way to avoid detection by authorities.

The web shell has a Chinese-language interface. It allows directory navigation, file editing, and file deletion, and the attackers can also alter file system timestamps.

This very sophisticated web shell is “Dama.” Not only does it upload files, but it also collects system information. Dama can also perform port scans and grant database access, and it offers privilege escalation options such as disabling PHP constraints. Notably, the payload lacks a command-line interface for running OS shell commands directly, a feature often found in similar tools.
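As an added defender-side example (not code from the article or from the researchers it cites), the script below applies two checks drawn from the description above: it flags web-server access-log requests that reference the reported file names, and it looks for PHP files whose modification time was pushed back, the timestamp tampering the shell supports. The log lines, IP addresses and request shapes are constructed samples, not captured traffic.

```python
import os
import re
import tempfile
import time

# File names are those reported in the article; everything else here is constructed.
CAMPAIGN_FILES = ("public.txt", "roeter.php")
INDICATOR_RE = re.compile("|".join(re.escape(f) for f in CAMPAIGN_FILES), re.I)
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

# Constructed Apache/nginx-style access log; the request shapes are illustrative only.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [14/Apr/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [14/Apr/2024:10:01:05 +0000] "GET /index.php?dl=http://example.invalid/public.txt HTTP/1.1" 200 88
203.0.113.10 - - [14/Apr/2024:10:02:11 +0000] "POST /roeter.php HTTP/1.1" 200 1340
198.51.100.7 - - [14/Apr/2024:10:03:00 +0000] "GET /about.html HTTP/1.1" 200 2048
"""

def flag_log_lines(log_text):
    """Return (client_ip, request) for requests that mention a campaign file name."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and INDICATOR_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

def timestomped_php_files(root, slack=86400):
    """PHP files whose mtime is more than `slack` seconds older than their ctime."""
    # On Linux, utime() can backdate mtime, but the kernel sets ctime to 'now' on
    # that same write, so a rewritten timestamp leaves a telltale gap.
    suspects = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                st = os.stat(os.path.join(dirpath, name))
                if st.st_ctime - st.st_mtime > slack:
                    suspects.append(name)
    return sorted(suspects)

def demo_timestomp_check():
    """Build a throwaway webroot with one backdated placeholder file and run the check."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "roeter.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php // placeholder, not the real shell\n")
    old = time.time() - 400 * 86400
    os.utime(os.path.join(root, "roeter.php"), (old, old))  # backdate mtime only
    return timestomped_php_files(root)
```

Calling `flag_log_lines(SAMPLE_ACCESS_LOG)` returns the two requests naming the campaign files, and `demo_timestomp_check()` returns only the backdated file.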

Cybersecurity consulting services companies recommend upgrading ThinkPHP to version 8.0. Researchers noted that recent attacks have used the advanced “Dama” web shell, which gives the attackers comprehensive control of the victim. Many of the victims didn’t even use ThinkPHP, which shows the hackers’ indiscriminate targeting and highlights the ongoing challenge of detecting and patching vulnerabilities.