# Fake WinRAR 0-Day

## CVE-2023-40477?

It seems that there are more threat actors that are utilising fake scripts to try and spread malware.

{% embed url="https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/" %}

The report above states that a user `whalersplonk` released a fake PoC script for the WinRAR RCE vulnerability CVE-2023-40477. The report was published on September 19, which means the attacker must've been active for a while before people started noticing.

This is very similar to the other scenario I've covered, where attackers create fake researcher profiles and release 'Discord 0-Days', which are basically `poc.py` scripts that execute some binary to give the threat actors SSH access.

In this instance, the fake Python script installs a VenomRAT payload onto the user's device. The report above is really comprehensive and provides a good summary of the tactics used by this threat actor, including:

* Social Engineering
  * Fake `README.md` files that explain the exploit.
  * Fake videos hosted on `streamable.com` (what an odd choice) purporting to show the actual exploit working.
* Editing of scripts
  * The script is obviously different from the actual script: malicious code which downloads and executes a batch script has been appended.
  * The script has also been modified such that the actual exploit does not run fully, but the malicious parts do.
  * Uses this link to run a PowerShell download command and invoke the batch script:
    * `http://checkblacklistwords[.]eu/check-u/robot?963421355?Ihead=true`
* C2 Server
  * The VenomRAT malware communicates with the above link, suggesting that it is the location of the C2 server.
  * Keystrokes are also logged by the RAT.

## Check Your Code...

I find it rather interesting that such methods are being used, where malware is being distributed on GitHub. This is the second time I've personally seen such a case, but unfortunately I wasn't fast enough to grab the script to analyse how it works for this one D:

Anyways, **please check your code before running it**. If you're going to run exploits, always read them first instead of blindly running them. You can also grab scripts from more reputable GitHub repositories, because a real 0-day exploit is quite unlikely to come from a profile created one week ago.

If you're not going to try to read scripts to understand exploits, at least make sure you don't get wrecked.
