On GitHub, a cybercriminal has released a misleading proof-of-concept (PoC) exploit targeting a recent WinRAR vulnerability. This deceptive exploit is primarily designed to deliver the VenomRAT malware to unsuspecting users.
This deceptive PoC was detected by the research team at Palo Alto Networks’ Unit 42, who confirmed that the malicious code was uploaded to GitHub on August 21, 2023. Although the attack has ceased, it underscores the importance of thoroughly vetting PoCs sourced from GitHub before execution.
Details on the WinRAR Exploit
The deceptive PoC targets the CVE-2023-40477 vulnerability. This flaw allows for arbitrary code execution when users open a specially engineered RAR file using versions of WinRAR prior to 6.23.
It was Trend Micro’s Zero Day Initiative that initially identified and relayed this vulnerability to WinRAR on June 8, 2023. The public was made aware of it on August 17, 2023, with WinRAR having already issued a patch in their version 6.23 on August 2.
Capitalizing on this, a cyber actor with the alias “whalersplonk” rapidly distributed malware by disguising it as an exploit code for this WinRAR vulnerability.
Alarming Findings on the Deceptive PoC
Adding to its facade of authenticity, the attacker included both a summary in the README and an instructional video. But upon investigation by Unit 42, the false Python PoC script was discovered to be a tweaked version of an open-source exploit for another vulnerability, CVE-2023-25157, which affects GeoServer.
Rather than executing the expected exploit, the deceptive PoC initiates a batch script, which subsequently downloads and executes an encoded PowerShell script. This script then fetches and installs the VenomRAT malware, scheduling its execution every three minutes.
Implications of VenomRAT Deployment
Upon activation on a Windows system, VenomRAT initiates a key logger, cataloging every keystroke and saving it locally.
Furthermore, the malware establishes contact with its command and control server, enabling it to execute one of nine specific commands. The capabilities range from activating plugins, killing processes, updating log files, to querying and managing apps and processes.
Due to its potential in delivering other malicious payloads and capturing credentials, individuals who ran this deceptive PoC are advised to promptly change their passwords across platforms.
Unit 42’s detailed event timeline indicates that this attacker likely set up the required infrastructure in anticipation of the public WinRAR vulnerability disclosure. This strategic foresight suggests the attacker could again exploit the security community’s keen interest in newly exposed vulnerabilities by introducing misleading PoCs for other vulnerabilities.
Such deceptive PoCs on GitHub have been previously documented. These are schemes where cybercriminals target both fellow criminals and security professionals.
To illustrate, in 2022, investigators identified numerous GitHub repositories promoting misleading PoC exploits for a range of vulnerabilities. Many carried malicious payloads, from malware to concealed downloaders.
More recently, in June 2023, adversaries masquerading as cybersecurity specialists published counterfeit 0-day exploits that aimed at Linux and Windows systems, delivering malware to them.