A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware.
“The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as CVE-2023-25157,” Palo Alto Networks Unit 42 researcher Robert Falcone said.
While bogus PoCs have become a well-documented gambit for targeting the research community, the cybersecurity firm suspected that the threat actors are opportunistically targeting other crooks who may be adopting the latest vulnerabilities into their arsenal.
whalersplonk, the GitHub account that hosted the repository, is no longer accessible. The PoC is said to have been committed on August 21, 2023, four days after the vulnerability was publicly announced.
CVE-2023-40477 relates to an improper validation issue in the WinRAR utility that could be exploited to achieve remote code execution (RCE) on Windows systems. It was addressed last month by the maintainers in version WinRAR 6.23, alongside another actively-exploited flaw tracked as CVE-2023-38831.
An analysis of the repository reveals a Python script and a Streamable video demonstrating how to use the exploit. The video attracted 121 views in total.
The Python script, as opposed to running the PoC, reaches out to a remote server (checkblacklistwords[.]eu) to fetch an executable named Windows.Gaming.Preview.exe, which is a variant of Venom RAT. It comes with capabilities to list running processes and receive commands from an actor-controlled server (94.156.253[.]109).
Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM
Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.
A closer examination of the attack infrastructure shows that the threat actor created the checkblacklistwords[.]eu domain at least 10 days prior to the public disclosure of the flaw, and then swiftly seized upon the criticality of the bug to attract potential victims.
“An unknown threat actor attempted to compromise individuals by releasing a fake PoC after the vulnerability’s public announcement, to exploit an RCE vulnerability in a well-known application,” Falcone said.
“This PoC is fake and does not exploit the WinRAR vulnerability, suggesting the actor tried to take advantage of a highly sought after RCE in WinRAR to compromise others.”