A malicious campaign has been discovered that targeted security researchers with fake Windows proof-of-concept exploits for RCE vulnerabilities seeking to infect victims’ devices with the Cobal Strike backdoor.
The flaws in question are CVE-2022-24500 and CVE-2022-26809, the remote code execution issues in Windows that Microsoft addressed as part of its April 2022 Patch Tuesday. CVE-2022-24500 is described as an input validation error in Windows SMB that allows a remote hacker to execute arbitrary code on the target system. CVE-2022-26809 is a code injection issue in the Remote Procedure Call Runtime (RPC) library, using which a remote attacker can send a specially crafted RPC call to an RPC host and execute arbitrary code on the victim’s machine.
The malicious campaign was discovered last week, when a threat actor published malware disguised as two PoC exploits for above mentioned vulnerabilities in a fake repository for a user named 'rkxxz' on GitHub. The account has since been removed.
After the exploits were released news caught the attention of security researchers and even malicious actors who discussed it on the cyber crime forums. However, it quickly became clear that the exploits were not what they seemed.
According to a report published by Cyble security researchers, who analyzed the PoC code, the malware is a .NET application pretending to exploit an IP address that actually infected users with the backdoor.
“The malware does not have any exploit code targeting the above vulnerabilities. Instead, it prints a fake message showing that it is trying to exploit and executes shellcode,” the researchers said.
After displaying the fake message, the malware executes the hidden PowerShell command using cmd.exe to deliver the actual payload, which is the Cobalt-Strike Beacon.
While Cobalt Strike is a legitimate pentesting tool, threat actors commonly use it for various malicious activities, such as downloading additional payloads, lateral movement, etc.
“TAs are adopting various techniques to carry out attacks. In this case, we witnessed how the TA used fake POCs to lure the victims into executing the malware. Usually, people working in information security or TAs use exploits to check for vulnerabilities. Hence, this malware might only target people from this community. Therefore, it becomes essential for the Infosec Community members to check the credibility of sources before downloading any proof of concept,” Cyble warned.
