24 May 2022

Hackers target infosec community with fake PoC exploits delivering Cobalt Strike


A malicious campaign has been discovered that targeted security researchers with fake Windows proof-of-concept exploits for RCE vulnerabilities, seeking to infect victims’ devices with the Cobalt Strike backdoor.

The flaws in question are CVE-2022-24500 and CVE-2022-26809, two remote code execution issues in Windows that Microsoft addressed as part of its April 2022 Patch Tuesday. CVE-2022-24500 is described as an input validation error in Windows SMB that allows a remote attacker to execute arbitrary code on the target system. CVE-2022-26809 is a code injection issue in the Remote Procedure Call Runtime (RPC) library, which a remote attacker can abuse by sending a specially crafted RPC call to an RPC host and executing arbitrary code on the victim’s machine.

The malicious campaign was discovered last week, when a threat actor published malware disguised as two PoC exploits for the above-mentioned vulnerabilities in a fake repository belonging to a user named 'rkxxz' on GitHub. The account has since been removed.

News of the released exploits caught the attention of security researchers and even malicious actors, who discussed them on cybercrime forums. However, it quickly became clear that the exploits were not what they seemed.

According to a report published by Cyble security researchers, who analyzed the PoC code, the malware is a .NET application that pretends to exploit a supplied IP address while actually infecting the user with the backdoor.

“The malware does not have any exploit code targeting the above vulnerabilities. Instead, it prints a fake message showing that it is trying to exploit and executes shellcode,” the researchers said.

After displaying the fake message, the malware executes a hidden PowerShell command via cmd.exe to deliver the actual payload, which is the Cobalt Strike Beacon.
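The process chain described above (fake PoC executable → cmd.exe → hidden, encoded PowerShell) is something endpoint telemetry can flag. The following detection logic is an added example written for this article, not code from Cyble's report; the process-creation events are constructed, the field names are hypothetical Sysmon-style ones, and it also covers the case where the executable launches PowerShell without the cmd.exe hop.

```python
"""Flag a non-system executable that launches PowerShell with hidden-window or
encoded-command switches, directly or through cmd.exe (hypothetical detection)."""
import re

# Constructed sample of process-creation events: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\r\Downloads\poc.exe", "cmd": "poc.exe 10.0.0.5"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell -w hidden -enc SQBFAFgA..."},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -enc SQBFAFgA..."},
    # Benign: an administrator running a plain script from an explorer-spawned console.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -File backup.ps1"},
]

# Switches typical of a concealed loader: -enc/-EncodedCommand, -w hidden, IEX.
SUSPICIOUS_PS = re.compile(r"(?i)(-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression)")
# Parents living here are treated as normal system binaries rather than downloaded files.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_fake_poc_chains(events):
    """Return (origin image, powershell pid) for every suspicious chain found."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "powershell.exe" or not SUSPICIOUS_PS.search(e["cmd"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "cmd.exe":  # the cmd.exe hop from the report
            parent = by_pid.get(parent["ppid"])
        if not parent or parent["image"].lower().startswith(SYSTEM_DIRS):
            continue  # launched by a system binary; not the downloaded-PoC pattern
        alerts.append((parent["image"], e["pid"]))
    return alerts


if __name__ == "__main__":
    for origin, pid in find_fake_poc_chains(EVENTS):
        print(f"suspicious PowerShell pid {pid} traced back to {origin}")
```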

While Cobalt Strike is a legitimate pentesting tool, threat actors commonly use it for various malicious activities, such as downloading additional payloads, lateral movement, etc.

“TAs are adopting various techniques to carry out attacks. In this case, we witnessed how the TA used fake POCs to lure the victims into executing the malware. Usually, people working in information security or TAs use exploits to check for vulnerabilities. Hence, this malware might only target people from this community. Therefore, it becomes essential for the Infosec Community members to check the credibility of sources before downloading any proof of concept,” Cyble warned.
