Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with VenomRAT

7 months ago AndyC

Sep 21, 2023THNVulnerability / Exploit

A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware.

Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with VenomRAT

Sep 21, 2023THNVulnerability / Exploit

Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with VenomRAT

A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware.

“The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as CVE-2023-25157,” Palo Alto Networks Unit 42 researcher Robert Falcone said.

While bogus PoCs have become a well-documented gambit for targeting the research community, the cybersecurity firm suspected that the threat actors are opportunistically targeting other crooks who may be adopting the latest vulnerabilities into their arsenal.

Cybersecurity

whalersplonk, the GitHub account that hosted the repository, is no longer accessible. The PoC is said to have been committed on August 21, 2023, four days after the vulnerability was publicly announced.

CVE-2023-40477 relates to an improper validation issue in the WinRAR utility that could be exploited to achieve remote code execution (RCE) on Windows systems. It was addressed last month by the maintainers in version WinRAR 6.23, alongside another actively-exploited flaw tracked as CVE-2023-38831.

An analysis of the repository reveals a Python script and a Streamable video demonstrating how to use the exploit. The video attracted 121 views in total.

The Python script, as opposed to running the PoC, reaches out to a remote server (checkblacklistwords[.]eu) to fetch an executable named Windows.Gaming.Preview.exe, which is a variant of Venom RAT. It comes with capabilities to list running processes and receive commands from an actor-controlled server (94.156.253[.]109).

UPCOMING WEBINAR

Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM

Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.

Supercharge Your Skills

A closer examination of the attack infrastructure shows that the threat actor created the checkblacklistwords[.]eu domain at least 10 days prior to the public disclosure of the flaw, and then swiftly seized upon the criticality of the bug to attract potential victims.

“An unknown threat actor attempted to compromise individuals by releasing a fake PoC after the vulnerability’s public announcement, to exploit an RCE vulnerability in a well-known application,” Falcone said.

“This PoC is fake and does not exploit the WinRAR vulnerability, suggesting the actor tried to take advantage of a highly sought after RCE in WinRAR to compromise others.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

1 day ago AndyC
Bogus npm Packages Used to Trick Software Developers into Installing Malware

Bogus npm Packages Used to Trick Software Developers into Installing Malware

1 day ago AndyC
Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Severe Flaws Disclosed in Brocade SANnav SAN Management Software

2 days ago AndyC
10 Critical Endpoint Security Tips You Should Know

10 Critical Endpoint Security Tips You Should Know

2 days ago AndyC
New 'Brokewell' Android Malware Spread Through Fake Browser Updates

New ‘Brokewell’ Android Malware Spread Through Fake Browser Updates

2 days ago AndyC
Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

2 days ago AndyC

You may have missed

Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION

Security Affairs newsletter Round 469 by Pierluigi Paganini – INTERNATIONAL EDITION

6 hours ago AndyC
Targeted operation against Ukraine exploited 7-year-old MS Office bug

Targeted operation against Ukraine exploited 7-year-old MS Office bug

6 hours ago AndyC
Weekly Update 397

Weekly Update 397

6 hours ago AndyC
What Would a TikTok Ban Mean?

What Would a TikTok Ban Mean?

6 hours ago AndyC
Hackers may have accessed thousands of accounts on California state welfare platform

Hackers may have accessed thousands of accounts on California state welfare platform

24 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.