How to target Security Professionals - Fake exploit POC steals data

Take action: PoC exploits are a great way to study a vulnerability, to even test your own systems. But *make sure* you run the PoC code in an ephemeral and isolated sandbox (something that's isolated from the rest of the world and will be destroyed after the test). Also train yourself to read and understand the PoC code before you deploy it to anything resembling a live system (even if it's a test system).


Learn More

How do you persuade a cybersecurity professional to execute your malware? Claim it's a PoC exploit.

A fake proof-of-concept (PoC) exploit, masquerading as an exploit for a Linux vulnerability, has been discovered by cybersecurity researchers. Once executed, the malware installs a Linux password-stealer.

The fake PoC claims to exploit a high-severity use-after-free flaw, CVE-2023-35829, affecting the Linux kernel before version 6.3.2. However, it is actually a copy of an old, legitimate exploit targeting a different Linux kernel vulnerability, CVE-2022-34918.

The malicious PoC was identified through irregularities and red flags such as unexpected outbound network connections, unauthorized system access attempts, and unusual data transfers. Three repositories were found hosting the malicious exploit; two have been removed from GitHub, while one remains active. We are not linking to the repo so that the exploit does not spread further.

The fake PoC has been widely shared within the security research community, possibly already infecting numerous computers.

How the PoC malware works:

  1. The PoC takes advantage of Linux namespaces, which partition kernel resources, to create the illusion of a root shell while actually operating with limited privileges inside a user namespace. This deception buys the attackers more time to navigate the compromised system before they are detected or the user simply shuts down the affected instance.
  2. Upon execution, the PoC creates a 'kworker' file and adds its path to the '/etc/bashrc' file to ensure persistence. It then establishes communication with the attacker's command-and-control (C2) server to download and execute a Linux bash script from an external URL. This downloaded script accesses the '/etc/passwd' file to steal valuable data from the system, modifies the '~/.ssh/authorized_keys' file to grant unauthorized remote access to the server, and employs 'curl' to exfiltrate data via 'transfer.sh'. The stolen data includes the victim's username, hostname, and contents of the home directory. Additionally, since the threat actors have remote access to the server, they have the ability to manually steal further data.
  3. To evade detection, the bash script camouflages its operations as kernel-level processes, as system administrators typically trust them and rarely scrutinize those entries.

If you suspect that you have executed the malicious PoC, take these mitigation steps:

  1. If possible, shut down and destroy the Linux instance where you executed the PoC.
  2. If destroying the Linux instance is not possible:
    1. check and remove unauthorized SSH keys,
    2. delete the 'kworker' file,
    3. remove the 'kworker' path from the /etc/bashrc file,
    4. check '/tmp/.iCE-unix.pid' for potential threats.
  3. For future reference, test PoCs downloaded from the internet in sandboxed or isolated environments such as virtual machines, and inspect the code before execution. Submitting suspicious files to VirusTotal is a useful way to identify potential malware.
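To make the indicators from the description above and the checklist just given concrete, here is a small POSIX shell triage script. It is an added example, not code from the original article or from the researchers who analysed the fake PoC. Only /etc/bashrc, ~/.ssh/authorized_keys and /tmp/.iCE-unix.pid come from the article; the article does not say where the 'kworker' file is written, so the script assumes it must search the whole tree for a regular file of that name, and it assumes authorized_keys entries are plain "type blob comment" lines without option prefixes. ROOT is the filesystem tree to inspect (an empty string for the live host, or the mount point of a copied suspect disk), which also lets you rehearse it on a scratch directory first.

```shell
#!/bin/sh
# Triage helper added as an example (assumptions: location of 'kworker' is
# unknown, so the whole tree is searched; authorized_keys lines are plain).
# ROOT = tree to inspect: "" for the live host, or a mounted copy of a disk.

# 0 if /etc/bashrc under ROOT references 'kworker' (persistence indicator).
bashrc_has_kworker() {
    grep -q 'kworker' "${1:-}/etc/bashrc" 2>/dev/null
}

# Print regular files named exactly 'kworker' under ROOT, skipping /proc and /sys.
find_kworker_files() {
    root="${1:-}"
    find "${root:-/}" \( -path "${root}/proc" -o -path "${root}/sys" \) -prune \
        -o -type f -name 'kworker' -print 2>/dev/null
}

# Print authorized_keys entries (under /root and /home) whose "type blob" pair is
# not in ALLOWLIST, a file with one known-good public key per line.
unexpected_ssh_keys() {
    root="${1:-}"; allow="${2:-/dev/null}"
    find "${root}/root" "${root}/home" -type f -path '*/.ssh/authorized_keys' 2>/dev/null |
    while read -r keyfile; do
        while read -r entry; do
            case "$entry" in ''|'#'*) continue ;; esac
            pair=$(printf '%s\n' "$entry" | awk '{print $1 " " $2}')
            if ! awk '{print $1 " " $2}' "$allow" | grep -Fxq -- "$pair"; then
                printf '%s\n' "$entry"
            fi
        done < "$keyfile"
    done
}

# 0 if the /tmp/.iCE-unix.pid marker named in the article exists under ROOT.
pid_marker_present() {
    [ -e "${1:-}/tmp/.iCE-unix.pid" ]
}

# Mitigation step 2.3: drop every line mentioning 'kworker' from /etc/bashrc,
# keeping a .bak copy. Returns 1 if there is no bashrc to edit.
strip_kworker_lines() {
    f="${1:-}/etc/bashrc"
    [ -f "$f" ] || return 1
    cp "$f" "$f.bak"
    grep -v 'kworker' "$f.bak" > "$f" || :   # grep exits 1 when nothing is left
}

# Run all checks on ROOT: findings go to stderr, the number of indicator
# classes that fired goes to stdout. Exit status 0 means nothing was found.
triage() {
    root="${1:-}"; allow="${2:-/dev/null}"; hits=0
    if bashrc_has_kworker "$root"; then
        echo "[!] /etc/bashrc references kworker" >&2; hits=$((hits + 1))
    fi
    files=$(find_kworker_files "$root")
    if [ -n "$files" ]; then
        printf '[!] kworker file(s):\n%s\n' "$files" >&2; hits=$((hits + 1))
    fi
    keys=$(unexpected_ssh_keys "$root" "$allow")
    if [ -n "$keys" ]; then
        printf '[!] authorized_keys entries not on the allowlist:\n%s\n' "$keys" >&2
        hits=$((hits + 1))
    fi
    if pid_marker_present "$root"; then
        echo "[!] /tmp/.iCE-unix.pid present" >&2; hits=$((hits + 1))
    fi
    echo "$hits"
    [ "$hits" -eq 0 ]
}

# Usage: sh triage.sh ROOT [ALLOWLIST]  (with no arguments only the functions are defined)
if [ -n "${1:-}" ]; then
    triage "$1" "${2:-/dev/null}"
fi
```

Run it first against a copy of the suspect filesystem rather than the live host where you can; the allowlist should be built from a trusted source (a configuration repository or a known-clean backup), not from the suspect machine itself, since the attacker's key would otherwise be "allowed" by definition.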

The use of fake PoCs to target researchers and threat actors with malware is not a new phenomenon. In recent instances, threat actors impersonated real researchers from reputable cybersecurity companies to distribute malware disguised as zero-day exploits. Researchers have also warned that a significant portion of PoCs hosted on GitHub may contain malware. Notably, North Korean hackers have previously employed fake PoCs shared through social media to target vulnerability researchers and install backdoors.
