A recent malware campaign targeting the CVE-2023-40477 vulnerability in WinRAR has been discovered by security researchers at Palo Alto Networks. This campaign involves a fake proof-of-concept (PoC) script that tricks researchers into downloading and executing a VenomRAT payload [3].
Description
The script [4], uploaded on GitHub by a hacker named “whalersplonk,” is a modified version of an exploit for another vulnerability, CVE-2023-25157 [2] [3] [4] [6] [7], which affects GeoServer. The hacker disguised the VenomRAT malware as exploit code within the fake PoC script. When the PoC is run [5], it downloads an encoded PowerShell script that activates the VenomRAT malware [7]. Additionally, the PowerShell script creates a scheduled task to run the malware every three minutes for persistence.
VenomRAT is a remote access trojan (RAT) that operates as a keylogger and establishes a connection with a command and control server. Palo Alto Networks researchers suspect that the threat actor behind this campaign planned the attack before the vulnerability was publicly disclosed and may continue to spread misleading PoCs in the future.
This incident highlights the risks of sourcing PoCs from GitHub without additional scrutiny [7], as fake PoCs on GitHub are a known attack method used by threat actors to target criminals and security researchers [7]. Users who executed the fake PoC should change their passwords for all accounts [5] [6] [7].
Conclusion
This incident sheds light on a new trend in cybercrime where threat actors trojanize vulnerabilities by creating fictitious PoC exploits [1]. It poses a significant challenge for security researchers and users in differentiating between authentic and malicious PoCs [1]. Moving forward, it is crucial for users to exercise caution when sourcing PoCs from GitHub and to implement additional scrutiny to mitigate the risks associated with fake PoCs.
References
[1] https://cybersecurity-see.com/fake-winrar-proof-of-concept-poc-exploit-hides-venomrat-malware/
[2] https://securnerd.com/deceptive-winrar-exploit-carries-venomrat-payload/
[3] https://www.hackread.com/fake-poc-script-researchers-download-venomrat/
[4] https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/
[5] https://vulnera.com/newswire/venomrat-malware-disguised-as-winrar-exploit-on-github/
[6] https://cyber.vumetric.com/security-news/2023/09/20/fake-winrar-proof-of-concept-exploit-drops-venomrat-malware/
[7] https://topglobenews.com/tech/fake-winrar-proof-of-concept-exploit-drops-venomrat-malware/
