Legitimate PoC exploited to spread information stealer


An open source proof of concept (PoC) exploit published by a reputable security company to help threat researchers has been copied and repackaged to carry malware, the latest example of the tactics attackers use to get malicious code onto defenders' machines.

PoCs for known vulnerabilities are created to be shared by students, researchers, and IT pros to improve software and toughen defenses. The danger is that anything posted on the internet can be abused.

CSOonline reported on the original — and safe — PoC exploit, LDAPNightmare, created by SafeBreach for a vulnerability in Windows Lightweight Directory Access Protocol (LDAP) on Jan. 3. Today, however, Trend Micro said it has found a malicious version of that PoC sitting on GitHub.

In an interview, Tomer Bar, SafeBreach’s vice-president of security research, stressed that the company’s PoC wasn’t compromised, but was copied and manipulated. The original proof of concept exploit was published on SafeBreach’s official GitHub site.

“We always publish full open-source” code, he added, “so people can verify that it’s valid and not malicious.”

“The malicious repository containing the PoC appears to be a fork from the original creator,” Trend Micro said in its report. “In this case, the original Python files were replaced with the executable poc[dot]exe that was packed using UPX.”

Fortunately, an executable in a project that was supposed to be pure Python source was a clue for experienced infosec pros that something was awry: what the repository contained did not match what it claimed to be.

A ‘classic Trojan horse’

The bad repository has since been taken down. But its discovery is another example of why anyone in IT should be careful of downloading code from anywhere, including an open source repository, said David Shipley, CEO of Canadian awareness training firm Beauceron Security.

“Trojan’s gonna Trojan,” he said in an interview, describing the attempt to lure the unprepared as a “classic social engineering strategy.”

“This is the classic Trojan Horse: You go looking for a legitimate, research-based PoC and you get one that looks like the PoC, but you get one with an executable.”

The reason why threat actors are increasingly using this tactic, he said, is because it works. Among the defences: Test the proof of concept in an isolated computer environment.

“Any code from the web should be treated as massively unhygienic until you know it’s safe,” Shipley added.

Not a new tactic

The tactic of using a PoC to hide malware or a backdoor isn’t new. In 2023, for example, Uptycs reported on a widely-shared malicious proof of concept on GitHub purporting to address the critical Linux kernel vulnerability CVE-2023-35829. And according to a 2022 study by researchers at Cornell University into GitHub-hosted PoCs, almost 2% of the 47,285 repositories it examined had indicators of malicious intent. “This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub,” the study concluded — and that was over two years ago.

Last fall, SonicWall released another report on the rise of malicious PoCs. “While security researchers are often very well equipped to handle and detect this situation,” it concluded, “it is easy to become overconfident, leading to compromise.”

Only use trusted repositories

Cybersecurity professionals, including blue and red teams, should only download content from trusted open source repositories that have a lot of stars, SafeBreach’s Bar said, and never download executables from untrusted sources.

In addition, Trend Micro advised IT workers to:

  • always download code, libraries, and dependencies from official and trusted repositories;
  • be cautious of repositories with suspicious content that seems out of place for the tool or application they are supposedly hosting;
  • if possible, confirm the identity of the repository owner or organization;
  • review the repository’s commit history and recent changes for anomalies or signs of malicious activity;
  • be cautious of repositories with very few stars, forks, or contributors, especially if they claim to be widely used;
  • look for reviews, issues, or discussions about the repository to identify potential red flags.
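The two checks that would have caught this case, an executable sitting where Python source should be and a commit that swaps the source files for a binary, are easy to automate before anything in a cloned PoC is run. The script below is an added example, not code from SafeBreach, Trend Micro, or the article. It assumes the repository has already been cloned (not executed) into a directory and that commit history is exported with `git log --name-status --pretty=format:'--%h %s'`; the file names, the fake UPX-packed PE header and the sample log in it are constructed for illustration, and `poc.exe` is used only because that is the file name the report cites.

```python
"""Pre-flight audit for a cloned PoC repository (added example, constructed data)."""
import tempfile
from pathlib import Path

SOURCE_SUFFIXES = {".py", ".md", ".txt", ".toml", ".cfg", ".yml", ".yaml", ".json", ".sh"}
BINARY_SUFFIXES = {".exe", ".dll", ".scr", ".bin", ".so"}
# Magic bytes of compiled executable formats; a pure-Python PoC should contain none of these.
BINARY_MAGIC = {b"MZ": "PE executable (Windows)", b"\x7fELF": "ELF executable"}
# Section names / signature the UPX packer leaves in the header of a packed file.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def classify_file(path):
    """Return (kind, upx_packed) for a file judged by its leading bytes, or (None, False)."""
    with open(path, "rb") as f:
        head = f.read(65536)
    for magic, kind in BINARY_MAGIC.items():
        if head.startswith(magic):
            return kind, any(marker in head for marker in UPX_MARKERS)
    return None, False


def scan_tree(root):
    """Walk a checkout; report executables (and UPX packing) plus a Python project with no .py at all."""
    root = Path(root)
    findings, py_files = [], 0
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        if path.suffix == ".py":
            py_files += 1
        kind, packed = classify_file(path)
        if kind:
            findings.append(f"{path.relative_to(root)}: {kind}" + (", UPX-packed" if packed else ""))
    if py_files == 0:
        findings.append("no .py files: Python sources are missing entirely")
    return findings


def suspicious_commits(name_status_log):
    """Parse `git log --name-status --pretty=format:'--%h %s'` output and return
    commits that delete source files while adding binaries (the source-for-binary swap)."""
    suspicious, current = [], None

    def flush():
        if current and current["deleted_src"] and current["added_bin"]:
            suspicious.append(current)

    for line in name_status_log.splitlines():
        if line.startswith("--"):
            flush()
            commit_hash, _, subject = line[2:].partition(" ")
            current = {"hash": commit_hash, "subject": subject, "deleted_src": [], "added_bin": []}
            continue
        if current is None or not line.strip():
            continue
        status, _, rest = line.partition("\t")
        path = rest.split("\t")[-1]  # renames list old and new path; the new one is what landed
        suffix = Path(path).suffix.lower()
        if status.startswith("D") and suffix in SOURCE_SUFFIXES:
            current["deleted_src"].append(path)
        elif status.startswith("A") and suffix in BINARY_SUFFIXES:
            current["added_bin"].append(path)
    flush()
    return suspicious


# Constructed sample log: a fork whose second commit replaces the Python files with an .exe.
SAMPLE_LOG = (
    "--d3adb33f Update PoC\n"
    "D\tldap_nightmare.py\n"
    "D\tsetup.py\n"
    "A\tpoc.exe\n"
    "--c0ffee12 Initial PoC\n"
    "A\tldap_nightmare.py\n"
    "A\tsetup.py\n"
    "A\tREADME.md\n"
)


def build_demo_checkout(root):
    """Constructed fixture: a README plus a fake PE whose header carries UPX section names (no real code)."""
    root = Path(root)
    (root / "README.md").write_text("# LDAPNightmare PoC (constructed fixture)\n")
    fake_pe = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100
               + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36 + b"UPX!")
    (root / "poc.exe").write_bytes(fake_pe)


def demo():
    """Build the constructed checkout in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_checkout(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print("tree:", finding)
    for commit in suspicious_commits(SAMPLE_LOG):
        print("commit:", commit["hash"], commit["subject"], "deleted", commit["deleted_src"], "added", commit["added_bin"])
```

Run it against a clone taken with `git clone` only, never after running anything from the checkout; on a real repository, feed `suspicious_commits` the output of the `git log` command named above. The magic-byte check deliberately ignores file extensions, since a renamed binary is the obvious way around an extension filter.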