Malware-Laced Proof of Concept Code Targets Researchers and Hackers
WinRAR Vulnerability Exposed
Security researchers and hackers face a new lure: malware-laced proof of concept (PoC) code for high-profile vulnerabilities. Recently, an unknown threat actor used this tactic by committing a fake PoC to a GitHub repository, claiming it was an exploit for a WinRAR vulnerability that had been made public only a few days earlier.
While researchers are always interested in PoC code, cybercriminals also want working exploits for widely used tools like WinRAR, which has over 500 million users. Palo Alto Networks’ Unit 42 researchers found that running the fake PoC script from GitHub triggered an infection chain that ultimately installed the VenomRAT remote access trojan on the user's computer.
In a blog post on September 19, Unit 42 threat researcher Robert Falcone explained that the code, posted by a user known as "whalersplonk," claimed to be a PoC for a WinRAR remote code execution vulnerability (CVE-2023-40477) that the Zero Day Initiative had publicly reported on August 17. In fact, the Python script was a modified copy of an open-source PoC for an unrelated bug: a SQL injection vulnerability in the GeoServer application (CVE-2023-25157).
The repository, which was first reported on X (formerly Twitter) by researcher @AabyssZG, has since been removed from GitHub. It contained a README.md file with information on the WinRAR vulnerability and instructions on using a poc.py script file, also included in the repository. The poc.py file was based on the GeoServer PoC script but modified to remove comments and lines of code to hide its true origins.
The script also contained additional code that, when executed, downloaded a batch file, which in turn ran an encoded PowerShell script. That stage downloaded and executed a variant of VenomRAT, a remote access trojan that logs keystrokes and communicates with a command-and-control server.
While it is unclear if the threat actor intended to specifically target researchers, Falcone believes that the actors were opportunistic and looking to compromise other cybercriminals trying to adopt new vulnerabilities into their operations.
Unit 42's analysis suggests that the threat actor was exploiting the high demand for a working exploit for the WinRAR remote code execution bug, counting on unsuspecting users to run the fake PoC without reading it.
Researchers and hackers should treat PoC code from untrusted sources as untrusted code. Read the script before running it, compare it against the upstream project or advisory it claims to derive from, and execute it only in an isolated virtual machine while watching for unexpected process creation and outbound network connections. A PoC for a local file-parsing bug that fetches files from the internet, writes batch or PowerShell scripts to disk, or spawns a shell is doing something an exploit for that bug has no reason to do, and that is the signal to stop.
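As an added illustration of the infection chain described above and of the pre-execution review it calls for (example code written for this page, not tooling from Unit 42 and not code from the repository in question), the following Python script statically triages a PoC before anyone runs it. It parses the file with `ast`, flags calls that spawn processes, evaluate code or pull files to disk, flags string literals that look like a dropper stage (hardcoded URLs, `powershell`, `-enc`, dropped `.bat`/`.ps1` names, long base64 blobs), and flags statements that execute at module level, which is where a payload that fires on `python poc.py` would sit. Both sample inputs are constructed for the example; the "trojanized" one mimics the tactic in the article with placeholder strings, not the actual indicators from the whalersplonk repository.

```python
"""Static triage of a downloaded Python PoC before anyone runs it.

Example code added for this page, not tooling from Unit 42 or from the
repository discussed in the article. Both sample scripts below are constructed.
"""
import ast
import re

# Dotted call names that spawn processes, evaluate code, or pull files to disk.
# A PoC for an archive-parsing bug has no reason to do any of these.
RISKY_CALLS = {
    "os.system", "os.popen", "os.startfile",
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "exec", "eval",
    "urllib.request.urlretrieve", "urllib.request.urlopen",
}

# String-literal patterns typical of a dropper stage.
STRING_PATTERNS = {
    "url": re.compile(r"https?://\S+", re.I),
    "powershell": re.compile(r"\b(powershell|pwsh)\b", re.I),
    "encoded_command": re.compile(r"-(encodedcommand|enc|e)\b", re.I),
    "script_drop": re.compile(r"\.(bat|cmd|ps1|vbs|exe|dll)\b", re.I),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
}

# Constructed sample: a plausible network PoC that takes a target argument and
# does nothing but talk to that target.
BENIGN_POC = '''
import sys
import requests

def run(target):
    r = requests.get(target + "/geoserver/ows", params={"service": "WFS"})
    return r.status_code

if __name__ == "__main__":
    run(sys.argv[1])
'''

# Constructed sample mimicking the tactic in the article: exploit-looking code
# on top, a dropper underneath that writes a batch file carrying an encoded
# PowerShell command and runs it at import time. The encoded blob is a
# placeholder (base64 of "AAA..."), not a real indicator.
TROJANIZED_POC = '''
import os

def exploit(target):
    print("[+] sending payload to", target)

def _setup():
    stage = "powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
    with open("setup.bat", "w") as fh:
        fh.write(stage)
    os.system("setup.bat")

_setup()
'''


def _dotted(node):
    """Return the dotted name of a call target ('os.system'), or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage(source):
    """Return a list of (category, detail, line) findings for a PoC source."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in RISKY_CALLS:
                findings.append(("risky_call", name, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for label, pattern in STRING_PATTERNS.items():
                if pattern.search(node.value):
                    findings.append((label, node.value[:50], node.lineno))
    # Anything executed at module level fires the moment `python poc.py` runs,
    # before any argument parsing; a dropper bolted onto a copied PoC lives here.
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            findings.append(("top_level_call",
                             _dotted(stmt.value.func) or "<call>", stmt.lineno))
    return sorted(findings, key=lambda f: f[2])


def is_suspicious(source):
    """True when the script shows any dropper-style indicator."""
    return bool(triage(source))


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_POC), ("trojanized", TROJANIZED_POC)):
        verdict = "REVIEW BEFORE RUNNING" if is_suspicious(src) else "no dropper indicators"
        print(f"{label}: {verdict}")
        for category, detail, line in triage(src):
            print(f"  line {line}: {category}: {detail}")
```

The checks are deliberately coarse: a static pass like this is a first filter, not a verdict, and the findings are meant to direct a human to the exact lines to read before the script ever runs outside a throwaway VM. Replace `RISKY_CALLS` and `STRING_PATTERNS` with whatever fits the bug class you are looking at; for a local parser bug, any network or process activity at all is the red flag.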