What is the malicious campaign discovered by Trend Micro?

The campaign targets security researchers by distributing a malicious proof-of-concept exploit for a recently patched Windows LDAP vulnerability (CVE-2024-49113) through a deceptive GitHub repository.

How does the malicious code work?

The attackers replaced legitimate Python files with a UPX-packed executable (poc.exe) that initiates an infection chain. When executed, it drops a PowerShell script in the victim's %Temp% folder and creates a scheduled job for persistence.

How did the attackers leverage confusion about CVE numbers?

The attackers exploited confusion arising from SafeBreach Labs' initial blog post incorrectly referencing CVE-2024-49112 (a critical RCE vulnerability) instead of CVE-2024-49113 (a DoS vulnerability). This mistake generated increased interest in the exploit.

What best practices does Trend Micro recommend when working with external code?

Trend Micro recommends downloading code only from trusted repositories, verifying repository ownership, reviewing commit history, being wary of limited community engagement, reviewing code before execution, running code in virtual machines, uploading binaries to VirusTotal, and avoiding obfuscated code.

What was the original vulnerability that attackers exploited for this campaign?

The campaign exploits interest in CVE-2024-49113, a Windows LDAP vulnerability patched in Microsoft's December 2024 update. The original vulnerability was a denial-of-service issue that could allow attackers to crash the LDAP service.

Knowledge

Fake exploit PoC for LDAPNightmare flaw used to spread infostealer malware

Q: What data does the malware attempt to steal?

The malware steals sensitive system information including computer details, process lists, directory listings, network IPs, network adapter configurations, and installed system updates. The stolen data is compressed into a ZIP file and uploaded to an external FTP server.

published: Jan. 13, 2025

Take action: This is an excellent reminder on handling external code - download code only from official and trusted repositories, verify repository ownership, be wary of repositories with limited community engagement, review commit history for obvious injectons, run code on virtual machine and avoid any obfuscated code.

Learn More

Trend Micro has reported a new malicious campaign targeting security researchers through a deceptive proof-of-concept exploit.

The campaign capitalizes on interest in a recently patched Windows LDAP vulnerability (CVE-2024-49113) that Microsoft addressed in their December 2024 Patch Tuesday release. The original vulnerability is a denial-of-service issue that could allow attackers to crash the LDAP service, leading to service disruptions.

The threat actors created a malicious GitHub repository containing what appears to be a forked version of SafeBreach Labs' legitimate PoC exploit. The attackers replaced the original Python files with a UPX-packed executable named poc.exe. When executed, this malware initiates a sophisticated infection chain that begins with dropping a PowerShell script in the victim's %Temp% folder and creating a scheduled job for persistence.

The malware's primary purpose is data theft, with the capability to exfiltrate sensitive system information including computer details, process lists, directory listings, network IPs, network adapter configurations, and installed system updates. This stolen data is compressed into a ZIP file and uploaded to an external FTP server using hardcoded credentials.

The attack's success partially stems from confusion around two related CVEs. While SafeBreach Labs' PoC was for CVE-2024-49113 (a DoS vulnerability), their initial blog post incorrectly referenced CVE-2024-49112 (a critical RCE vulnerability). This mistake generated increased interest in the exploit, which the attackers sought to leverage.

Security researchers and professionals are advised to exercise extreme caution when downloading and executing PoC exploits. Trend Micro recommends several best practices when working with external code:

download code only from official and trusted repositories
verify repository ownership
review commit history - don't trust fresh or one commit repos,
be wary of repositories with limited community engagement,
run code on virtual machine
Upload binaries to VirusTotal for analysis,
Avoid any obfuscated code

Fake exploit PoC for LDAPNightmare flaw used to spread infostealer malware

Read More
State of (in)security - Week 41, 2023
Step by Step Example - "Hacker" sextortion scam …
State of (in)security - Week 30, 2024
State of (in)security - Week 33, 2023
State of (in)security - Week 29, 2024