Researchers from the security company Cyble have discovered a malicious campaign targeting the information security community. In their report, the specialists described a fake Proof of Concept (PoC) exploit for the RPC Runtime Library remote code execution vulnerability CVE-2022-26809, which has a CVSS score of 9.8. The malware disguised as this fake PoC was hosted on GitHub.
“During further investigation, we discovered that this is malware disguised as an exploit. We also found malware that is a fake PoC for CVE-2022-24500. Both malicious samples were available on GitHub. Interestingly, both repositories belong to the same profile, which indicates the possibility of an attacker carrying out a cyberattack on the information security community,” Cyble reported.
According to the malware analysis, the fake exploit is a .NET binary packed with ConfuserEx, a free open-source protector for .NET applications. The malicious code contains no exploit for the vulnerability the fake PoC claims to target; it merely prints a bogus message about an exploitation attempt and then runs shellcode. The malware executes a PowerShell command via cmd.exe to deliver the actual payload, a Cobalt Strike Beacon. The attacker can then use the Cobalt Strike Beacon to deploy additional payloads and perform lateral movement.
“Usually, information security specialists use exploits to check for vulnerabilities. Therefore, this malware is aimed only at people from the information security community. For this reason, members of the cybersecurity community need to verify the authenticity of sources before downloading a PoC,” Cyble concluded.