A hacker has been distributing a fabricated proof-of-concept (PoC) exploit for a recently patched WinRAR vulnerability on GitHub, with the aim of infecting individuals who download it with VenomRAT malware.
This deceptive PoC exploit came to the attention of Palo Alto Networks’ Unit 42 research team, who identified that the attacker had uploaded this malicious code to GitHub on August 21, 2023.
Although the attack is no longer operational, it serves as a clear reminder of the dangers associated with acquiring PoCs from GitHub and executing them without conducting thorough security checks.
The spurious PoC relates to the CVE-2023-40477 vulnerability, an arbitrary code execution flaw triggered when specially crafted RAR files are opened on WinRAR versions before 6.23.
A threat actor using the alias “whalersplonk” moved quickly, within just four days, to exploit this opportunity by disguising malware as exploit code for the new WinRAR vulnerability.
The attacker went to great lengths, providing a summary in the README file and even including a Streamable video illustrating how to use the PoC, further enhancing the apparent legitimacy of the malicious package.
Upon execution, instead of triggering the exploit, the PoC generates a batch script that downloads an encoded PowerShell script and subsequently executes it on the host. This PowerShell script, in turn, fetches the VenomRAT malware and sets up a scheduled task to run it every three minutes.
Once VenomRAT infiltrates a Windows system, it initiates a keylogger, meticulously recording all keystrokes and storing them in a local text file. Subsequently, the malware establishes communication with a command-and-control (C2) server.
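A defender-side check for the persistence mechanism described above, added here as an example that is not from Unit 42 or the original article: it parses Windows scheduled-task XML (the format stored under C:\Windows\System32\Tasks and exported by `schtasks /Query /XML`) and flags any task that repeats on a short interval, additionally decoding the Base64 UTF-16LE payload when the action launches PowerShell with `-EncodedCommand`. It generalises the article's case, where the task runs the RAT itself, to any short-interval task; the task definition and its encoded command are constructed for the example.

```python
# Flags scheduled-task XML that repeats on a short interval and decodes any
# -EncodedCommand PowerShell it launches (sample task constructed below).
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def interval_minutes(iso):
    """Convert a task-XML duration such as PT3M or PT1H30M to whole minutes."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", iso or "")
    if not m:
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 60 + mi + (1 if s else 0)  # round any seconds up

def decode_encoded_command(args):
    """Return the UTF-16LE string behind -EncodedCommand/-enc/-ec/-e, else None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", args, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def flag_task(task_xml, max_minutes=5):
    """Return a finding for a task that repeats every max_minutes or less."""
    root = ET.fromstring(task_xml)
    minutes = interval_minutes(root.findtext(".//t:Repetition/t:Interval", namespaces=NS))
    if minutes is None or minutes > max_minutes:
        return None
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip()
        args = ex.findtext("t:Arguments", "", NS)
        decoded = decode_encoded_command(args) if "powershell" in cmd.lower() else None
        actions.append({"command": cmd, "decoded_powershell": decoded})
    return {"interval_minutes": minutes, "actions": actions}

# Constructed sample: a harmless encoded command so the decoder has input.
SAMPLE_ENC = base64.b64encode("Write-Host 'example'".encode("utf-16-le")).decode()
SAMPLE_TASK = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT3M</Interval></Repetition>
    <StartBoundary>2023-08-21T00:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-NoP -W Hidden -EncodedCommand {SAMPLE_ENC}</Arguments></Exec></Actions>
</Task>"""
```

Run `flag_task` over each file in the Tasks directory; legitimate short-interval tasks exist, so treat a hit as a triage lead rather than a verdict.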
Given that VenomRAT can serve as a platform for deploying additional malicious payloads and stealing credentials, individuals who inadvertently executed this fraudulent PoC should promptly update their passwords for all their online accounts and environments.
The timeline provided by Unit 42 suggests that the threat actor had laid the groundwork for the attack and the associated payload well before the public disclosure of the WinRAR vulnerability. They seemingly waited for the opportune moment to craft a deceptive PoC.
This scenario implies that the same threat actor may exploit the heightened attention of the security community surrounding newly discovered vulnerabilities to distribute other deceptive PoCs for various exploits in the future.
The proliferation of bogus PoCs on GitHub is a well-documented tactic used by threat actors, targeting both cybercriminals and security researchers alike.
In late 2022, researchers uncovered thousands of GitHub repositories promoting counterfeit PoC exploits for various vulnerabilities, many of which harbored malware, malicious PowerShell scripts, concealed info-stealer downloaders, and Cobalt Strike droppers.
More recently, in June 2023, attackers posing as cybersecurity researchers released multiple fake 0-day exploits, specifically targeting Linux and Windows systems with malware.