Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells
2024-06-06 21:26

Chinese threat actors are targeting ThinkPHP applications vulnerable to CVE-2018-20062 and CVE-2019-9082 to install a persistent web shell named Dama.

The web shell enables further exploitation of the breached endpoints, such as enlisting them as part of the attackers' infrastructure to evade detection in subsequent operations.

ThinkPHP is an open-source web application development framework that is particularly popular in China.

The two flaws are leveraged in this campaign to enable the attackers to perform remote code execution, impacting the underlying content management systems on the target endpoints.

Specifically, the attackers exploit the bugs to download a text file named "Public.txt," which, in reality, is the obfuscated Dama web shell saved as "Roeter.php."

Akamai says the servers delivering the payloads are infected themselves with the same web shell, so it appears that compromised systems are turned into nodes in the attacker's infrastructure.
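The following is an added example (not code from the article or from Akamai) that scans web access logs for the CVE-2019-9082 request pattern quoted in the vulnerability table on this page and for the two file names reported above. The combined log format, the rule names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators taken from this page: the CVE-2019-9082 request pattern and the
# two file names reported for the campaign. Rule names are hypothetical.
RULES = {
    "invokefunction-route": re.compile(r"[?&]s=/?index/\\think\\app/invokefunction", re.I),
    "call_user_func_array": re.compile(r"[?&]function=call_user_func_array\b", re.I),
    # "Public.txt" is a generic name, so treat this rule as a lead, not proof.
    "dama-file-name": re.compile(r"\b(?:Public\.txt|Roeter\.php)\b", re.I),
}

# Assumed combined/common log format: client, request method and target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def decode(target, rounds=3):
    """Percent-decode repeatedly so %5C and %255C both become a backslash."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan(lines):
    """Return (client, status, matched rule names) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        target = decode(target)
        matched = sorted(name for name, rx in RULES.items() if rx.search(target))
        if matched:
            hits.append((client, int(status), matched))
    return hits

# Constructed sample lines (documentation IP ranges, no command payload).
SAMPLE = [
    '192.0.2.10 - - [06/Jun/2024:10:00:01 +0000] "GET /index.php?s=home/index HTTP/1.1" 200 512',
    '198.51.100.7 - - [06/Jun/2024:10:00:05 +0000] "GET /public/?s=index/%5Cthink%5Capp/invokefunction'
    '&function=call_user_func_array HTTP/1.1" 200 87',
    '198.51.100.7 - - [06/Jun/2024:10:00:09 +0000] "GET /public/Roeter.php HTTP/1.1" 200 4096',
    '203.0.113.5 - - [06/Jun/2024:10:01:00 +0000] "GET /?s=index/%255Cthink%255Capp/invokefunction HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A 200 response to a matching request, followed by requests for one of the reported file names from the same client, is the sequence worth prioritising during triage.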


News URL

https://www.bleepingcomputer.com/news/security/hackers-exploit-2018-thinkphp-flaws-to-install-dama-web-shells/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2019-02-24 | CVE-2019-9082 | Missing Authentication for Critical Function vulnerability in multiple products | 9.3
ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

2018-12-11 | CVE-2018-20062 | Improper Input Validation vulnerability in 5None Nonecms 1.3.0 | 7.5
An issue was discovered in NoneCms V1.3. (network, low complexity, 5none, CWE-20)

Related vendor

VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
Thinkphp |  | 1 | 0 | 1 | 13 | 4 | 18