Fake WinRAR PoC on GitHub Spreads VenomRAT Malware

A threat actor recently attempted to distribute VenomRAT malware by uploading a fake proof-of-concept (PoC) exploit for a recently fixed WinRAR vulnerability on GitHub.Palo Alto Networks’ Unit 42 team of researchers identified this malicious activity, noting that the attacker published the malicious code on GitHub on August 21, 2023.

Although this attack is no longer active, it serves as a reminder of the potential dangers associated with obtaining PoCs from GitHub and running them without careful scrutiny to ensure their safety.

Fake WinRAR PoC

The Fake WinRAR PoC The counterfeit PoC pertains to the CVE-2023-40477 vulnerability, which is an arbitrary code execution flaw that can be triggered when specially crafted RAR files are opened on versions of WinRAR released before version 6.23.

The Trend Micro Zero Day Initiative discovered this vulnerability and reported it to WinRAR on June 8, 2023. However, they did not publicly disclose it until August 17, 2023. WinRAR promptly addressed the issue in version 6.23, released on August 2.

An actor known as “whalersplonk” wasted no time, taking advantage of the situation by attempting to distribute malware under the guise of an exploit code for the newly discovered WinRAR vulnerability.

“Red teamer” warns about the malicious PoC on Twitter

The threat actor went to great lengths to lend credibility to the malicious package. They included a summary in the README file and a Streamable video demonstrating how to use the PoC.

However, Unit 42’s investigation revealed that the counterfeit Python PoC script was actually a modified version of a publicly available exploit for another vulnerability, CVE-2023-25157. This particular flaw is a critical SQL injection vulnerability affecting GeoServer.

Real PoC (left) and modified script (right) (Unit 42)

When executed, instead of running the exploit, the PoC generates a batch script that downloads an encoded PowerShell script and executes it on the victim’s machine.

This PowerShell script downloads the VenomRAT malware and schedules it to run every three minutes.

VenomRAT Infections

Once VenomRAT infiltrates a Windows device, it initiates a key logger that records all keystrokes and stores them in a local text file.
Subsequently, the malware establishes communication with a command and control (C2) server. From there, it can receive one of nine commands for execution on the compromised device:

1. plu_gin: Activates a registry-stored plugin.
2. HVNCStop: Terminates the “cvtres” process.
3. loadofflinelog: Transmits offline key logger data from %APPDATA%.
4. save_Plugin: Saves a plugin to the registry under a hardware ID.
5. runningapp: Displays active processes.
6. keylogsetting: Updates the key log file in %APPDATA%.
7. init_reg: Deletes subkeys in the Software registry under a hardware ID.
8. Po_ng: Measures the time between sending a PING to the C2 server and receiving this command.
9. filterinfo: Lists installed apps and active processes from the registry.

As the VenomRAT malware can potentially be used to deploy additional payloads and steal credentials, anyone who executed this fake PoC should promptly change their passwords for all the sites and environments where they have accounts.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link