PacketCrypt Classic Cryptocurrency Miner on PHP Servers

A cryptocurrency mining campaign targeting vulnerable PHP servers has been identified. The attack exploits misconfigured or unpatched servers, allowing unauthorized access to php-cgi.exe. The malware, initially delivered as dr0p.exe, downloads a secondary payload, pkt1.exe, which then spawns packetcrypt.exe to mine PacketCrypt Classic (PKTC) cryptocurrency. The mined coins are sent to a specific wallet address. The attack chain involves multiple stages and uses various techniques to ensure successful execution. Server administrators are advised to patch and audit their web servers to prevent such attacks and mitigate potential performance issues caused by unauthorized crypto mining activities.

Author: AlienVault
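The pulse describes a fixed parent-child process chain (php-cgi.exe spawning dr0p.exe, which fetches pkt1.exe, which launches packetcrypt.exe) plus three file hashes. The following detection sketch is an added example, not AlienVault's code or tooling: it reconstructs process lineage from constructed Sysmon-style process-creation events (the event field names and sample paths are assumptions) and flags any packetcrypt.exe whose ancestry contains that chain in order, and it classifies and matches file hashes against the indicators quoted from this pulse. A packetcrypt.exe started from somewhere other than a web-server process is deliberately not flagged, which shows why matching on lineage rather than on the image name alone cuts false positives.

```python
"""Hunt for the php-cgi.exe -> dr0p.exe -> pkt1.exe -> packetcrypt.exe chain
over process-creation telemetry. Added example; sample events are constructed."""
import re

# File hashes quoted from the pulse. Type is inferred from hex length
# (64 hex chars = SHA-256, 40 = SHA-1, 32 = MD5).
PULSE_HASHES = {
    "D078D8690446E831ACC794EE2DF5DFABCC5299493E7198993149E3C0C33CCB36",
    "7D7C0517ED4F0F909258EDB0F46B66FCCECB8C73",
    "82C7D11916FDFBF24EAE6BF9200A48C9",
}
HASH_TYPE_BY_LEN = {64: "sha256", 40: "sha1", 32: "md5"}

# Process images named in the pulse, in execution order (root first).
CHAIN = ["php-cgi.exe", "dr0p.exe", "pkt1.exe", "packetcrypt.exe"]

# Constructed process-creation events (Sysmon Event ID 1 style).
# pid 700 is the malicious chain; pid 800 is a decoy miner with no web-server parent.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\php\php-cgi.exe"},
    {"pid": 512, "ppid": 400, "image": r"C:\Windows\Temp\dr0p.exe"},
    {"pid": 640, "ppid": 512, "image": r"C:\Windows\Temp\pkt1.exe"},
    {"pid": 700, "ppid": 640, "image": r"C:\Windows\Temp\packetcrypt.exe"},
    {"pid": 800, "ppid": 4, "image": r"C:\Users\admin\packetcrypt.exe"},
    {"pid": 900, "ppid": 400, "image": r"C:\php\php.exe"},
]


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, or None if malformed."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HASH_TYPE_BY_LEN.get(len(value))


def hash_matches_pulse(value):
    """Case-insensitive lookup of a file hash against the pulse indicators."""
    return classify_hash(value) is not None and value.upper() in PULSE_HASHES


def basename(path):
    """Lower-cased final path component, tolerant of both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()


def ancestry(pid, by_pid):
    """Image basenames from the oldest known ancestor down to `pid`.
    The `seen` set guards against pid reuse creating a cycle."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        names.append(basename(event["image"]))
        pid = event["ppid"]
    return list(reversed(names))


def is_subsequence(needle, haystack):
    """True if every item of `needle` appears in `haystack` in the same order
    (intermediate processes such as cmd.exe are allowed in between)."""
    it = iter(haystack)
    return all(any(x == y for y in it) for x in needle)


def find_mining_chains(events):
    """Return (pid, lineage) for each packetcrypt.exe whose ancestry matches CHAIN."""
    by_pid = {event["pid"]: event for event in events}
    hits = []
    for event in events:
        if basename(event["image"]) != CHAIN[-1]:
            continue
        lineage = ancestry(event["pid"], by_pid)
        if is_subsequence(CHAIN, lineage):
            hits.append((event["pid"], lineage))
    return hits


if __name__ == "__main__":
    for pid, lineage in find_mining_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} chain={' -> '.join(lineage)}")
    for digest in ("d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36",
                   "deadbeef"):
        print(digest, classify_hash(digest), hash_matches_pulse(digest))
```

Because `is_subsequence` tolerates extra processes between the named stages, the rule still fires if the dropper is launched through an intermediate shell; tighten it to exact parent-child matching if that produces noise in your environment.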

Related Tags:
AlienVault

Associated Indicators:
SHA-256: D078D8690446E831ACC794EE2DF5DFABCC5299493E7198993149E3C0C33CCB36
SHA-1: 7D7C0517ED4F0F909258EDB0F46B66FCCECB8C73
MD5: 82C7D11916FDFBF24EAE6BF9200A48C9