Researchers uncovered a malware campaign targeting the infoSec community with fake Proof Of Concept to deliver a Cobalt Strike beacon.

Researchers from threat intelligence firm Cyble uncovered a malware campaign targeting the infoSec community. The expert discovered a post where a researcher were sharing a fake Proof of Concept (POC) exploit code for an RPC Runtime Library Remote Code Execution flaw (CVE-2022-26809 CVSS 9.8). The malware, disguised as a fake PoC code, was available on GitHub.

Alert !!! This PoC is fake do not run it. You will get a backdoor https://t.co/MFrXjCyZBm— Tuan Anh Nguyen (@haxor31337) May 19, 2022“Upon further investigation, we discovered that it’s malware disguised as an Exploit. Similarly, we found a malicious sample that appears to be a fake POC of CVE-2022-24500.” reads the post published by Cyble. “Both the malicious samples were available on GitHub. Interestingly both repositories belong to the same profile, indicating the possibility that Threat Actor (TA) might be hosting a malware campaign targeting Infosec Community.”

The researchers also noticed that multiple TAs were also discussing these tainted exploits on the cybercrime forum.

The analysis of the malware revealed that it is a .Net binary packed with ConfuserEX, a free, open-source protector for .NET applications. The malicious code doesn’t include the exploits for the vulnerabilities mentioned on the fake PoC, it only prints a fake message showing that it is trying to exploit and executes shellcode.

The malware executes a PowerShell command using cmd.exe to deliver the actual payload which is a Cobalt-Strike Beacon. Then the threat actors could use the beacon to download additional payloads and perform lateral movements.

“Usually, people working in information security or TAs use exploits to check for vulnerabilities. Hence, this malware might only target people from this community. Therefore, it becomes essential for the Infosec Community members to check the credibility of sources before downloading any proof of concept.” concludes the expert that also shared recommendations along with indicators of compromise (IoCs).

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERSVote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, fake PoC)

The post Threat actors target the infoSec community with fake PoC exploits appeared first on Security Affairs.