Hackers attack HFS servers to drop malware and Monero miners

Share:

Hackers are targeting older versions of the HTTP File Server (HFS) from Rejetto to drop malware and cryptocurrency mining software.

Threat researchers at security company AhnLab believe that the threat actors are exploiting CVE-2024-23692, a critical-severity security issue that allows executing arbitrary commands without the need to authenticate.

The vulnerability affects versions of the software up to and including 2.3m. In a message on their website, Rejetto warns users that versions 2.3m through 2.4 are “dangerous and should not be used anymore” because of a bug that lets attackers “control your computer,” and a fix has yet to be found.

Observed attacks

AhnLab SEcurity Intelligence Center (ASEC) observed attacks on version 2.3m of HFS, which continues to be very popular among individual users, small teams, educational institutions, and developers that want to test file sharing over a network.

Because of the targeted software version, the researchers believe that attackers are exploiting CVE-2024-23692, a vulnerability discovered by security researcher Arseniy Sharoglazov last August and disclosed publicly in a technical report in May this year.

CVE-2024-23692 is a template injection vulnerability that allows unauthenticated remote attackers to send a specially crafted HTTP request to execute arbitrary commands on the affected system.

Soon after the disclosure, a Metasploit module and proof of concept exploits became available. According to ASEC, this is around the time exploitation in the wild started.

The researchers say that during the attacks the hackers collect information about the system, install backdoors and various other types of malware.

Attackers execute commands like “whoami” and “arp” to gather information about the system and the current user, discover connected devices, and generally plan subsequent actions.

In many cases, the attackers terminate the HFS process after they add a new user to the administrators’ group, to prevent other threat actors from using it.

In the next phases of the attacks, ASEC observed the installation of the XMRig tool for mining Monero cryptocurrency. The researchers note that XMRig was deployed in at least four distinct attacks, one conducted of them attributed to the LemonDuck threat group.

Other payloads delivered to the compromised computer include:

  • XenoRAT – Deployed alongside XMRig for remote access and control.
  • Gh0stRAT – Used for remote control and data exfiltration from breached systems.
  • PlugX – A backdoor mostly associated with Chinese-speaking threat actors that is used for persistent access.
  • GoThief – An information stealer that uses Amazon AWS to steal data. It captures screenshots, collects information on desktop files, and sends data to an external command and control (C2) server.

AhnLab researchers note that they keep detecting attacks on version 2.3m of HFS. Because the server needs to be exposed online for the file sharing to be possible, hackers will like continue looking for vulnerable versions to attack.

The recommended variant of the product is 0.52.x, which, despite being a lower version, is currently the latest HFS release from the developer. It is web-based, requires minimal configuration, comes with support for HTTPS, dynamic DNS, and authentication for the administrative panel.

The company provides a set of indicators of compromise in the report, which include hashes for the malware installed on breached systems, IP addresses for attacker command and control servers, and the download URLs for the malware used in the attacks.

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
London, GB
2:48 am, Jul 11, 2025
weather icon 19°C
L: 17° | H: 19°
broken clouds
Humidity: 77 %
Pressure: 1021 mb
Wind: 5 mph E
Wind Gust: 0 mph
UV Index: 0
Precipitation: 0 mm
Clouds: 60%
Rain Chance: 0%
Visibility: 10 km
Sunrise: 4:56 am
Sunset: 9:15 pm
DailyHourly
Daily ForecastHourly Forecast
Today 10:00 pm
weather icon
17° | 19°°C 0 mm 0% 8 mph 78 % 1021 mb 0 mm/h
Tomorrow 10:00 pm
weather icon
19° | 30°°C 0 mm 0% 10 mph 66 % 1019 mb 0 mm/h
Sun Jul 13 10:00 pm
weather icon
18° | 30°°C 0 mm 0% 7 mph 71 % 1015 mb 0 mm/h
Mon Jul 14 10:00 pm
weather icon
18° | 28°°C 1 mm 100% 15 mph 84 % 1016 mb 0 mm/h
Tue Jul 15 10:00 pm
weather icon
14° | 20°°C 1 mm 100% 14 mph 81 % 1017 mb 0 mm/h
Today 4:00 am
weather icon
16° | 19°°C 0 mm 0% 3 mph 78 % 1021 mb 0 mm/h
Today 7:00 am
weather icon
19° | 19°°C 0 mm 0% 2 mph 74 % 1021 mb 0 mm/h
Today 10:00 am
weather icon
24° | 27°°C 0 mm 0% 2 mph 56 % 1021 mb 0 mm/h
Today 1:00 pm
weather icon
30° | 30°°C 0 mm 0% 3 mph 32 % 1020 mb 0 mm/h
Today 4:00 pm
weather icon
32° | 32°°C 0 mm 0% 4 mph 26 % 1018 mb 0 mm/h
Today 7:00 pm
weather icon
30° | 30°°C 0 mm 0% 6 mph 29 % 1017 mb 0 mm/h
Today 10:00 pm
weather icon
23° | 23°°C 0 mm 0% 8 mph 49 % 1019 mb 0 mm/h
Tomorrow 1:00 am
weather icon
21° | 21°°C 0 mm 0% 5 mph 57 % 1019 mb 0 mm/h
Name Price24H (%)
Bitcoin(BTC)
€99,078.70
4.24%
Ethereum(ETH)
€2,519.22
6.27%
Tether(USDT)
€0.85
-0.03%
XRP(XRP)
€2.18
5.25%
Solana(SOL)
€140.59
4.61%
USDC(USDC)
€0.85
-0.01%
Dogecoin(DOGE)
€0.167208
8.35%
Shiba Inu(SHIB)
€0.000011
7.89%
Pepe(PEPE)
€0.000010
12.91%
Peanut the Squirrel(PNUT)
€0.244588
21.42%
Scroll to Top