It seems that there are more threat actors that are utilising fake scripts to try and spread malware.
In the above report, it states that a user whalersplonk has released a fake PoC script for the RCE vulnerability in WinRAR known as CVE-2023-40477. The report was released on September 19, which means that the attacker must've been around for a while before people started noticing.
This is very similar to the other scenario I've covered, where attackers create fake researcher profiles and release 'Discord 0-Days', which are basically poc.py scripts that execute some binary to give the threat actors SSH access.
In this instance of attacks, the fake Python script installs a VenomRAT payload onto the user's device. The report above is really comprehensive and provides a good summary of the tactics used by this threat actor, including:
- Social Engineering
  - Fake README.md files that explain the exploit.
  - Fake videos created on streamable.com (what an odd choice) of the actual exploit working
- Editing of scripts
  - The script is obviously different from the actual script, and there is malicious code which downloads and executes a batch script appended.
  - Script has also been modified such that the actual script does not run fully, but the malicious parts do.
  - Uses this link to run a PowerShell download command and invoke the batch script:
    http://checkblacklistwords[.]eu/check-u/robot?963421355?Ihead=true
- C2 Server
  - The VenomRAT virus communicates with the above link, suggesting that it is the location of the C2 server.
  - Keystrokes are logged from this.
I find it rather interesting that such methods are being used, where malware is being distributed on GitHub. This is the second time I've personally seen such a case, but unfortunately I wasn't fast enough to grab the script to analyse how it works for this one D:
Anyways, please check your code before running it. If you're going to run exploits, always read them first before blindly running them. You can also grab scripts from more reputable GitHub repositories, because it's quite likely that a 0-day exploit isn't going to be from a profile created 1 week ago.
If you're not going to try to read scripts to understand exploits, at least make sure you don't get wrecked.
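One way to do the "read it first" check described above, as an added example that is not from this post or the report: a static triage that parses a downloaded PoC with Python's `ast` module, without executing it, and lists process-spawning calls and URL, PowerShell or batch-file strings to read closely. The call list, the regex and the `SAMPLE` script are constructed assumptions for illustration.

```python
import ast
import re

# Calls that spawn processes, fetch remote content or run dynamic code.
RISKY_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "eval", "exec", "urllib.request.urlopen"}
# String literals worth reading closely: URLs, PowerShell, batch files.
RISKY_STRING = re.compile(r"https?://|powershell|\.bat\b", re.I)
# Constructed sample, parsed but never executed: PoC code plus an appended launcher.
SAMPLE = '''import socket, subprocess as sp
s = socket.create_connection(("192.0.2.10", 445))
sp.run("powershell -c <placeholder> http://example.invalid/stage.bat", shell=True)
'''

def import_aliases(tree):
    """Map local names to real paths for 'import x as y' / 'from x import y'."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            prefix = f"{node.module}." if getattr(node, "module", None) else ""
            aliases.update({a.asname or a.name: prefix + a.name for a in node.names})
    return aliases

def call_name(func, aliases):
    """Resolve a call target such as sp.run to subprocess.run, else None."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return None
    return ".".join([aliases.get(func.id, func.id)] + parts[::-1])

def triage(source):
    """Return sorted (line, kind, detail) findings; the script is never run."""
    tree = ast.parse(source)
    aliases, findings = import_aliases(tree), []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = call_name(node.func, aliases)
            if name in RISKY_CALLS:
                findings.append((node.lineno, "call", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if RISKY_STRING.search(node.value):
                findings.append((node.lineno, "string", node.value[:60]))
    return sorted(findings)

if __name__ == "__main__":
    for line, kind, detail in triage(SAMPLE):
        print(f"line {line}: {kind}: {detail}")
```

An empty result is not proof of safety: encoded strings and dynamic lookups are not resolved here, so treat the findings as a reading list rather than a verdict.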