{"id":1467,"date":"2025-01-10T00:17:40","date_gmt":"2025-01-10T00:17:40","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1467"},"modified":"2025-01-10T00:17:40","modified_gmt":"2025-01-10T00:17:40","slug":"legitimate-poc-exploited-to-spread-information-stealer","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1467","title":{"rendered":"Legitimate PoC exploited to spread information stealer"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A recently copied and abused open source proof of concept (PoC) exploit from a reputable security company, aimed at helping threat researchers, is the latest example of the novel tactics hackers will use to spread malware.<\/p>\n<p>PoCs for known vulnerabilities are created to be shared by students, researchers, and IT pros to improve software and toughen defenses. The danger is that anything posted on the internet can be abused.<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3631757\/critical-windows-ldap-flaw-could-lead-to-crashed-servers-rce-attacks.html\">CSOonline reported on the original <\/a>\u2014 and safe \u2014 PoC exploit, LDAPNightmare, created by SafeBreach for a vulnerability in Windows Lightweight Directory Access Protocol (LDAP) on Jan. 3. Today, however, Trend Micro said it has found a malicious version of that PoC sitting on GitHub.<\/p>\n<p>In an interview, Tomer Bar, SafeBreach\u2019s vice-president of security research, stressed that the company\u2019s PoC wasn\u2019t compromised, but was copied and manipulated. 
The original proof of concept exploit was published on SafeBreach\u2019s official GitHub site.<\/p>\n<p>\u201cWe always publish full open-source\u201d code, he added, \u201cso people can verify that it\u2019s valid and not malicious.\u201d<\/p>\n<p>\u201cThe malicious repository containing the PoC appears to be a fork from the original creator,\u201d <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/a\/information-stealer-masquerades-as-ldapnightmare-poc-exploit.html\">Trend Micro said in its report.<\/a> \u201cIn this case, the original Python files were replaced with the executable\u00a0<em>poc[dot]exe<\/em>\u00a0that was packed using UPX.\u201d<\/p>\n<p>Fortunately, the presence of an executable file in a Python-based project was a clue for experienced infosec pros that something was awry.<\/p>\n<h2 class=\"wp-block-heading\">A \u2018classic Trojan horse\u2019<\/h2>\n<p>The bad repository has since been taken down. But its discovery is another example of why anyone in IT should be careful of downloading code from anywhere, including an open source repository, said David Shipley, CEO of Canadian awareness training firm Beauceron Security.<\/p>\n<p>\u201cTrojan\u2019s gonna Trojan,\u201d he said in an interview, describing the attempt to lure the unprepared as a \u201cclassic social engineering strategy.\u201d<\/p>\n<p>\u201cThis is the classic <a href=\"https:\/\/en.wikipedia.org\/wiki\/Trojan_Horse\">Trojan Horse<\/a>: You go looking for a legitimate, research-based PoC and you get one that looks like the PoC, but you get one with an executable.\u201d<\/p>\n<p>The reason why threat actors are increasingly using this tactic, he said, is because it works. 
Among the defences: test any proof of concept in an isolated environment, such as a disposable virtual machine with no access to production networks or credentials.<\/p>\n<p>\u201cAny code from the web should be treated as massively unhygienic until you know it\u2019s safe,\u201d Shipley added.<\/p>\n<h2 class=\"wp-block-heading\">Not a new tactic<\/h2>\n<p>The tactic of using a PoC to hide malware or a backdoor isn\u2019t new. In 2023, for example, <a href=\"https:\/\/www.uptycs.com\/blog\/threat-research-report-team\/new-poc-exploit-backdoor-malware\">Uptycs reported<\/a> on a widely shared malicious proof of concept on GitHub purporting to address the critical Linux kernel vulnerability CVE-2023-35829. And <a href=\"https:\/\/arxiv.org\/abs\/2210.08374\">according to a 2022 study<\/a> posted to arXiv on GitHub-hosted PoCs, almost 2% of the 47,285 repositories it examined had indicators of malicious intent. \u201cThis figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub,\u201d the study concluded. That was over two years ago.<\/p>\n<p>Last fall, <a href=\"https:\/\/www.sonicwall.com\/blog\/hold-verify-execute-rise-of-malicious-pocs-targeting-security-researchers\">SonicWall released another report on the rise of malicious PoCs<\/a>. 
\u201cWhile security researchers are often very well equipped to handle and detect this situation,\u201d it concluded, \u201cit is easy to become overconfident, leading to compromise.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Only use trusted repositories<\/h2>\n<p>Cybersecurity professionals, including blue and red teams, should only download content from trusted open source repositories that have a lot of stars, SafeBreach\u2019s Bar said, and never download executables from untrusted sources.<\/p>\n<p>In addition, Trend Micro advised IT workers to:<\/p>\n<p>always download code, libraries, and dependencies from official and trusted repositories;<\/p>\n<p>be cautious of repositories with suspicious content that may seem out of place for the tool or application it is supposedly hosting;<\/p>\n<p>if possible, confirm the identity of the repository owner or organization;\u00a0<\/p>\n<p>review the repository\u2019s commit history and recent changes for anomalies or signs of malicious activity;\u00a0<\/p>\n<p>be cautious of repositories with very few stars, forks, or contributors, especially if they claim to be widely used;\u00a0<\/p>\n<p>look for reviews, issues, or discussions about the repository to identify potential red flags.\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A recently copied and abused open source proof of concept (PoC) exploit from a reputable security company, aimed at helping threat researchers, is the latest example of the novel tactics hackers will use to spread malware. 
PoCs for known vulnerabilities are created to be shared by students, researchers, and IT pros to improve software and [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1468,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1467","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1467"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1467"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1467\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1468"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1467"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
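Added example, not part of the article and not code from SafeBreach or Trend Micro: a small Python triage script that applies the repository-vetting advice above to a fresh clone, flagging exactly the signal that exposed the fake LDAPNightmare fork (a UPX-packed Windows executable sitting where the Python files should be). It goes one step beyond the case in the text by also catching a binary hidden behind a .py name. The repository it scans is constructed inline from synthetic bytes (an MZ header plus UPX section names, no real malware); all file and function names are this example's own assumptions.

```python
"""Added example, not code from the article, SafeBreach or Trend Micro:
a quick triage scan of a cloned PoC repository for files that do not
belong in a Python project, i.e. the signal that exposed the fake
LDAPNightmare fork (a UPX-packed poc.exe where the .py files should be)."""
import os
import tempfile

# Extensions that have no business in a Python exploit repository (assumption).
SUSPICIOUS_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".ps1"}
PE_MAGIC = b"MZ"           # DOS/PE header of a Windows executable
ELF_MAGIC = b"\x7fELF"     # Linux executable
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")  # section names / signature left by UPX
READ_LIMIT = 1 << 20       # inspect at most the first MiB of each file


def classify_file(path):
    """Return the list of findings for one file; an empty list means nothing stood out.
    No findings is NOT proof of safety: a stealer written in pure Python would pass."""
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(READ_LIMIT)
    is_pe = data.startswith(PE_MAGIC)
    is_elf = data.startswith(ELF_MAGIC)
    if ext in SUSPICIOUS_EXTENSIONS:
        findings.append(f"{ext} file is out of place in a Python project")
    if is_pe:
        findings.append("PE (Windows executable) header")
    if is_elf:
        findings.append("ELF executable header")
    if (is_pe or is_elf) and ext in {".py", ".txt", ".md", ""}:
        # executable bytes behind a harmless-looking name: the renamed-binary trick
        findings.append(f"executable content behind a {ext or 'no'} extension")
    if any(marker in data for marker in UPX_MARKERS):
        findings.append("UPX packer markers")
    return findings


def scan_repo(root):
    """Walk a checkout (skipping .git) and map relative path -> findings."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            findings = classify_file(path)
            if findings:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return results


def build_sample_repo():
    """Constructed stand-in for a cloned fork: a legitimate-looking Python file
    next to a fake 'poc.exe' (MZ header plus UPX section names) and a binary
    hiding behind a .py extension. The bytes are synthetic, not real malware."""
    root = tempfile.mkdtemp(prefix="pocscan_")
    with open(os.path.join(root, "README.md"), "w", encoding="utf-8") as fh:
        fh.write("# LDAPNightmare PoC (sample)\n")
    with open(os.path.join(root, "ldap_client.py"), "w", encoding="utf-8") as fh:
        fh.write("import socket\n\ndef connect(host):\n    return socket.create_connection((host, 389))\n")
    fake_packed_pe = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 64
    with open(os.path.join(root, "poc.exe"), "wb") as fh:
        fh.write(fake_packed_pe)
    with open(os.path.join(root, "helper.py"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x00" * 128)   # unpacked binary carrying a .py name
    return root


def demo():
    """Build the constructed repo, scan it and return the findings dict."""
    return scan_repo(build_sample_repo())


if __name__ == "__main__":
    for rel_path, findings in sorted(demo().items()):
        print(f"{rel_path}: {'; '.join(findings)}")
```

Point `scan_repo()` at a fresh clone, from inside the isolated environment the article recommends, before anything in the clone is executed. The script only automates the "content out of place for the tool" check from Trend Micro's list; the other items (owner identity, commit history, stars and forks, issue discussions) still need a human, and an empty findings list says nothing about a stealer that is itself written in Python.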