A fake proof-of-concept (PoC) exploit for a recently patched WinRAR RCE vulnerability has been uncovered on GitHub; it is designed to infect users with the VenomRAT malware.
Said WinRAR vulnerability (CVE-2023-40477) was addressed by the maintainer in June 2023 and publicly disclosed in August. Just a few days later, a threat actor known online as ‘whalersplonk’ uploaded a fake PoC script to their GitHub repository.
According to the Palo Alto Networks researchers who spotted and analyzed the exploit, the code was based on a publicly available PoC script that exploited an SQL injection vulnerability (CVE-2023-25157) in the GeoServer app. It ultimately led to the installation of VenomRAT, an information-stealing malware able to steal cryptocurrency wallets and extract data from browsers, including auto-fill entries, browser cookies, credit card details, account log-ins and passwords. The malware can also collect server data from the FileZilla FTP (File Transfer Protocol) application and has keylogging capabilities.
“We do not think the threat actor created this fake PoC script to specifically target researchers. Rather, it is likely the actors are opportunistic and looking to compromise other miscreants trying to adopt new vulnerabilities into their operations,” Palo Alto noted. “This PoC is fake and does not exploit the WinRAR vulnerability, suggesting the actor tried to take advantage of a highly sought-after RCE in WinRAR to compromise others.”
It’s unclear how many users had downloaded the fake exploit. The researchers said that the instructional video provided by the actor along with the fake exploit script had 121 views.