A counterfeit GitHub repository has been spreading the Venom RAT (Remote Access Trojan) to users under the guise of a WinRAR Exploit. This RAT, concealed within a counterfeit Proof-Of-Concept (POC) exploit hosted on GitHub, is reportedly being distributed by a malicious hacker taking advantage of the recent surge in news surrounding a WinRAR vulnerability disclosure.
In a published article by Robert Falcone, a Researcher of paloaltonetworks described that:
“Researchers should be aware of threat actors repurposing older proof of concept (POC) code to quickly craft a fake PoC for a newly released vulnerability.”
In mid-August (September 17th, 2023), a zero-day vulnerability came to light—a remote code execution (RCE) flaw detected within the WinRAR application. This vulnerability was then officially documented and assigned the CVE record of CVE-2023-40477. However, the perpetrator exploited the public disclosure of this incident to create a fake PoC, which is said to contain a malicious code, with different objectives resulting in the dissemination of VenomRAT.
Furthermore, Robert described that:
“Four days after the public reporting of CVE-2023-40477, an actor using an alias of whalersplonk committed a fake PoC script to their GitHub repository. The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer with a CVE-2023-25157 record.”
Upon examining the counterfeit Proof-of-Concept (PoC) scripts, it became evident that a list of malicious links was embedded in the infection chain, facilitating the installation of the VenomRAT payload.
A deeper analysis conducted by PaloAlto revealed that the fraudulent PoC was not designed with the specific intent of targeting researchers. Instead, it appears that the actors behind it were likely pursuing an opportunistic approach to compromise other malicious actors who were attempting to exploit the new vulnerability in their operations. The individual known as ‘Whalersplonk,’ is said to be responsible for releasing the fake proof-of-concept scripts, which did not exploit the intended vulnerability (CVE-2023-4047). Instead, the scripts executed a series of chain commands to deploy the VenomRAT payload. Subsequently, the counterfeit PoC, which had been hosted on GitHub, has been deleted.
Social Engineering Techniques Employed:
In an attempt to further deceive users into believing in the legitimacy of the PoC, the attacker employed a social engineering tactic; within the Zip archives of the genuine WinRAR exploit, a README.md file was placed which is part of the fake Proof-of-Concept (PoC). This README.md file contains a summary of CVE-2023-4077 and instructions for using poc.py, which is the fake Proof-of-Concept file, that actually downloads the Venom Malware.
To obtain the VenomRAT executable, the Python script must establish a connection with a remote server registered as checkblacklistwords[.]eu. Once a victim’s computer becomes infected, an identifiable process runs on the victim’s machine under the name ‘windows.Gaming.Preview,’ closely resembling the VenomRAT payload executable. Subsequently, this process communicates with a C2 server having the IP address 94.156.253[.]109.
Interestingly, it was discovered that the domain hosting VenomRAT was registered just ten days prior to the disclosure of the WinRAR vulnerabilities.
GitHub is known to host numerous Red Team tools and exploits. However, it’s important to recognize that malicious individuals, can create repositories that deviate from their disclosed purpose, and instead have malicious intentions. Therefore, we strongly recommend that users thoroughly review and understand the code before cloning any repository onto their machine. For those not familiar with code, it’s advisable to obtain exploits from a trusted and reputable source.
Please do let us know in the comment section what are your thoughts about this.