Deceptive WinRAR Exploit Distributes VenomRAT Malware


An individual has been found disseminating a misleading proof-of-concept (PoC) exploit related to a recently addressed WinRAR vulnerability on GitHub. The intent was to compromise those who downloaded it with VenomRAT malware.

The deceptive PoC was identified by researchers from Palo Alto Networks’ Unit 42 team. These experts noted that the malicious code was uploaded to GitHub on August 21, 2023.

Though the malicious effort is currently inactive, it underscores the potential dangers associated with obtaining PoCs from GitHub. It serves as a reminder for users to exercise due diligence before running any code to ensure its safety.

Unfolding the WinRAR Exploit Situation

This misleading PoC pertained to the CVE-2023-40477 vulnerability, which is an arbitrary code execution vulnerability. It becomes active when users access particular RAR files using versions of WinRAR prior to version 6.23.

Trend Micro’s Zero Day Initiative initially detected the vulnerability and informed WinRAR on June 8, 2023. The details of this vulnerability, however, remained undisclosed until August 17, 2023. WinRAR released the corrective version 6.23 on August 2.

Operating under the alias “whalersplonk”, an adversary rapidly (within four days) capitalized on this by distributing malicious software disguised as exploit code for the latest WinRAR vulnerability.

To make the package appear genuine, the adversary incorporated a summary in the README documentation and a video on Streamable showcasing the PoC’s usage. Yet, Unit 42 found that the so-called Python PoC script was in reality an adaptation of an existing exploit for CVE-2023-25157, a severe SQL injection vulnerability affecting GeoServer.

When run, rather than attempting any exploit, the PoC launches a batch script. This script fetches an encoded PowerShell script and executes it on the host. That script, in turn, fetches the VenomRAT malware and sets up a scheduled task that launches it every three minutes.
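The handoff chain described above (a "PoC" that spawns a batch script, launches encoded PowerShell and persists via a scheduled task) is exactly what a reviewer should look for before running downloaded exploit code. The following Python triage script is an added, defender-side example, not code from Unit 42 or the original article: it flags those patterns in a PoC's source and cross-checks the CVE claimed in the README against the CVE identifiers the code actually references. All sample inputs are constructed, with placeholders where the real repository had payloads.

```python
import re

# Heuristics for the handoff chain: spawn a batch script, run encoded PowerShell,
# pull a payload, persist with schtasks. Patterns are assumptions, not IoCs from the case.
RED_FLAGS = {
    "spawns_batch_script": re.compile(r"(os\.system|subprocess\.\w+)\([^)]*\.bat", re.I),
    "encoded_powershell": re.compile(r"powershell(\.exe)?[^\n]*\s-(enc|encodedcommand|e)\b", re.I),
    "scheduled_task": re.compile(r"schtasks[^\n]*/create", re.I),
    "download_cradle": re.compile(r"\b(DownloadString|Invoke-WebRequest|iwr|curl|wget|urlopen)\b", re.I),
}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}", re.I)


def triage_poc(readme: str, source: str) -> dict:
    """Static triage of a downloaded PoC: execution-handoff flags plus README/code CVE mismatch."""
    flags = [name for name, rx in RED_FLAGS.items() if rx.search(source)]
    claimed = {c.upper() for c in CVE_RE.findall(readme)}
    referenced = {c.upper() for c in CVE_RE.findall(source)}
    # Code citing a different CVE than its README claims is repurposed exploit code.
    cve_mismatch = bool(referenced) and not (claimed & referenced)
    return {
        "flags": flags,
        "claimed_cves": sorted(claimed),
        "referenced_cves": sorted(referenced),
        "cve_mismatch": cve_mismatch,
        "suspicious": bool(flags) or cve_mismatch,
    }


# Constructed sample inputs (not the actual repository contents).
SAMPLE_README = "Proof of concept for CVE-2023-40477 (WinRAR). Run poc.py against the target."
SAMPLE_POC = '''# adapted from a CVE-2023-25157 GeoServer exploit
import os
import requests
def exploit(url):
    return requests.get(url + "/geoserver/wfs")
os.system("setup.bat")  # hands off to a batch script before doing anything else
'''
SAMPLE_BATCH = '''@echo off
powershell.exe -w hidden -enc <ENCODED_SCRIPT_PLACEHOLDER>
schtasks /create /sc minute /mo 3 /tn Updater /tr C:\\Users\\Public\\<PAYLOAD_PLACEHOLDER>.exe
'''
BENIGN_POC = '''# Builds a test archive for CVE-2023-40477 inside a lab VM
def build_archive(path):
    with open(path, "wb") as fh:
        fh.write(b"Rar!")
'''

if __name__ == "__main__":
    for label, text in (("poc.py", SAMPLE_POC), ("setup.bat", SAMPLE_BATCH), ("benign", BENIGN_POC)):
        print(label, triage_poc(SAMPLE_README, text))
```

The mismatch check is the cheap tell in this case: a README promising a WinRAR exploit while the code references a GeoServer CVE is reason enough to stop before anything executes.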

Effects of VenomRAT

When VenomRAT activates on a Windows device, it starts a keylogger. This logger captures all keystrokes and writes them to a local text file.

Subsequently, the malware connects to a C2 server. From this point, it can receive an array of nine different commands to perform on the compromised device. These include actions such as activating registry-stored plugins, dispatching offline keylogger data, listing running processes, updating key log files, measuring server response times, and listing installed applications.

Owing to VenomRAT’s ability to deploy various payloads and pilfer credentials, those who ran the deceptive PoC are advised to revise their passwords across all platforms and systems they use.

The sequence of events as narrated by Unit 42 indicates that the adversary had the attack infrastructure and payload set up well in advance. They merely awaited an opportune moment to introduce a misleading PoC.

The implication is that the same individual or group could exploit the security community’s acute awareness of fresh vulnerabilities by pushing other deceptive PoCs linked to different flaws in the future.

It’s worth noting that GitHub has historically been a platform where adversaries targeted other malicious actors and security professionals with misleading PoCs. For instance, in 2022, experts identified numerous GitHub repositories promoting spurious PoC exploits for a range of vulnerabilities. These ranged from malware deployments and concealed info-stealer downloaders to malicious PowerShell scripts and Cobalt Strike activations.

Moreover, in June 2023, a group impersonating cybersecurity experts released numerous bogus 0-day exploits. These primarily targeted Linux and Windows systems, infecting them with malware.