Scammers have been found trying to spread the VenomRAT malware by disguising it as a proof-of-concept (PoC) for a newly discovered WinRAR vulnerability.
Cybersecurity researchers at Unit 42 (Palo Alto Networks) recently found a piece of code uploaded to GitHub claiming to be a PoC for CVE-2023-40477. This is a flaw that allows threat actors to execute arbitrary code on target endpoints if victims run a custom RAR file in WinRAR that is older than version 6.23.
This vulnerability was discovered in early June 2023 by Trend Micro’s Zero Day Initiative and addressed in early August with version 6.23 of the popular archiving program.
VenomRAT
However, shortly after the flaw’s public disclosure, a malicious actor uploaded a piece of code to GitHub, claiming it was a PoC for the flaw. The upload even included a readme file and a video demonstration on how to use the tool.
In reality, however, the code just downloads an encrypted PowerShell script which in turn downloads the VenomRAT malware. This malware does a number of things, including logging all keystrokes and displaying installed apps and running processes. The malware can be used to deploy other payloads and steal credentials. BleepingComputer warns and urges anyone who performed this fake PoC to change their passwords for all sites and environments they use.
The Unit 42 researchers also said that the threat actor’s infrastructure was in place long before the payload was deployed on GitHub, implying that they could try the same thing in the future, with a different vulnerability. The user account that uploaded the fake PoC is now inactive and has been added.
GitHub is an extremely popular code repository and as such a prime target for hackers. Typically, they try to trick developers into downloading malware using typosquatting and impersonation.