Security researchers and hackers are both in the crosshairs of an unusual lure: malware-laced code touted as proof-of-concept (PoC) script for new, high-profile vulnerabilities.
An unknown threat actor moved quickly last month to commit a fake PoC to their GitHub repository, claiming it was an exploit for a new WinRAR vulnerability made public four days earlier.
As well as being of interest to researchers, such a PoC would be gold for other cybercriminals given its potential to exploit the very popular Windows data compression, encryption, and archiving tool. WinRAR is said to have over 500 million users.
But according to researchers at Palo Alto Networks’ Unit 42, downloading the fake PoC files from GitHub set off an infection chain that eventually installed a VenomRAT remote access trojan payload on the curious party’s machine.
In a Sept. 19 blog post, Unit 42 threat researcher Robert Falcone said the code, posted by a user calling themselves “whalersplonk”, purported to be a PoC for a WinRAR remote code execution (RCE) vulnerability (tracked as CVE-2023-40477) that the Zero Day Initiative publicly reported on Aug. 17.
However, the Python script was actually a tampered version of code copied from a publicly available script for a PoC of an exploit for a SQL injection vulnerability in the GeoServer application (CVE-2023-25157).
Whalersplonk’s repository, first reported on X (formerly Twitter) by researcher @AabyssZG, has now been removed from GitHub.
The repository included a README.md file with information about the WinRAR vulnerability and instructions on using a poc.py script file, also included in the repository.
The poc.py file was based on the open-source GeoServer PoC script, but modified to remove comments and lines of code that made it obvious it was not related to WinRAR.
Code was also added to the file so that when executed, it downloaded a batch script which ran an encoded PowerShell script. That, in turn, led to the download and running of a variant of VenomRAT with keystroke logging capability and connectivity to a command-and-control server.
“We do not think the threat actor created this fake PoC script to specifically target researchers,” Falcone said in his post.
“Rather, it is likely the actors are opportunistic and looking to compromise other miscreants trying to adopt new vulnerabilities into their operations.”
Unit 42’s analysis of when the threat actor created the different elements of the attack supported the theory that they “tried to take advantage of a highly sought-after RCE in WinRAR to compromise others,” he said.
“Based on this timeline, we believe the threat actor had created the infrastructure and payload separately from the fake PoC. Once the vulnerability was publicly released, the actors quickly created the fake PoC to use the severity of an RCE in a popular application like WinRAR to lure in potential victims.”
In July, Uptycs researchers reported another fake PoC which has also since been removed from GitHub.
Uptycs said the malicious PoC, purportedly for exploiting a Linux kernel vulnerability (tracked as CVE-2023-35829), has “been widely shared, achieving significant engagement before its nefarious nature was exposed.” The fake PoC actually deployed a backdoor with “broad data theft capabilities.”
“For those who have executed it, the likelihood of data compromise is high,” Uptycs warned, citing the problem this type of attack posed for researchers.
“As their primary users, security researchers rely on PoCs to understand potential vulnerabilities by way of innocuous testing. In this instance, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool,” the researchers said.
“Although not entirely new, this trend of spreading malware through PoCs poses a significant concern, and it's likely we’ll see this tactic continue to evolve.”