Fake PoC for Linux Vulnerability Contains Malware


Rohan Timalsina

July 25, 2023 - TuxCare expert team

A fake proof of concept (PoC) exploit targeting cybersecurity researchers has emerged that installs malware designed to steal Linux passwords. Uptycs analysts stumbled upon this malicious PoC during their routine scans when detection systems flagged suspicious activities, including unexpected network connections, unauthorized attempts to access systems, and unusual data transfers.

The malicious fake PoC was initially hosted in three repositories on GitHub, but they have since been removed. Nevertheless, it has been reported that the malicious PoC has been widely circulated within the security researcher community, raising concerns about potential infections on numerous computers.


Fake PoC Details

The fake PoC appears to be an exploit for CVE-2023-35829, a critical use-after-free vulnerability affecting Linux kernel versions prior to 6.3.2. On closer examination, however, it turns out to be a copy of an older, genuine exploit for a different Linux kernel flaw, CVE-2022-34918.

The code uses Linux namespaces, a kernel facility for isolating resources, to create the facade of a root shell. Despite that appearance, the PoC's privileges remain confined within the user namespace.

The primary objective of employing such deception is to persuade victims to believe that the exploit is genuine and functional. By doing so, the attackers buy themselves more time to operate unrestrictedly on the compromised system.

Upon activation, the PoC creates a ‘kworker’ file and appends its path to the ‘/etc/bashrc’ file, thereby ensuring persistence even after the system reboots.

Furthermore, the PoC establishes communication with the attacker's Command and Control (C2) server to download and execute a Linux bash script from an external URL. This downloaded script reads the ‘/etc/passwd’ file to pilfer valuable data from the system. Additionally, it manipulates the ‘~/.ssh/authorized_keys’ file, granting the attacker unauthorized remote access to the server. Finally, the script uses ‘curl’ to exfiltrate data via ‘transfer.sh’.

The stolen data comprises the victim’s username, hostname, and the contents of their home directory. However, with remote access secured to the server, the attackers can now manually steal any other desired information.

The bash script disguises its operations as kernel-level processes to evade detection, exploiting the fact that system administrators tend to trust such entries and often overlook them.

Conclusion

Uptycs advises users who have downloaded and executed the fake PoC to delete unauthorized SSH keys, remove the ‘kworker’ file and its path from the ‘bashrc’ file, and check the ‘/tmp/.iCE-unix.pid’ file for potential threats.
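The indicators described above (the ‘kworker’ persistence hook in ‘/etc/bashrc’, the ‘/tmp/.iCE-unix.pid’ marker and foreign ‘authorized_keys’ entries) can be checked and cleaned up with a small triage script such as the following. It is an added example, not code from Uptycs, TuxCare or the malware itself; the ROOT prefix (for scanning a mounted image) and the allowlist file of known SSH keys are assumptions.

```shell
#!/bin/sh
# Post-incident triage for the indicators the article lists (added example; not
# code from Uptycs or TuxCare). Every path is a parameter so the checks can be
# run against a mounted disk image or, as in a test, constructed sample files.
# Only the file names come from the article; the allowlist format is an assumption.

# Does a bashrc-style file carry the fake PoC's persistence hook (a 'kworker' path)?
check_bashrc() {
    [ -f "$1" ] && grep -q 'kworker' "$1"
}

# Rewrite FILE with every kworker line removed, keeping the original as FILE.bak;
# prints the number of lines dropped. Usage: clean_bashrc FILE
clean_bashrc() {
    cp -p "$1" "$1.bak"
    grep -v 'kworker' "$1.bak" > "$1" || :    # grep -v exits 1 if nothing remains
    echo $(( $(wc -l < "$1.bak") - $(wc -l < "$1") ))
}

# Is the marker file the article tells victims to inspect present? Usage: check_pid_marker FILE
check_pid_marker() {
    [ -e "$1" ]
}

# Print authorized_keys entries that are not in ALLOWLIST (one known key per line);
# exit 0 if at least one unexpected key exists. Usage: unexpected_keys AUTH_KEYS ALLOWLIST
unexpected_keys() {
    [ -f "$1" ] || return 1
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | grep -vxF -f "$2"
}

# Run all checks below ROOT (default: the live system) against ALLOWLIST
# (default: no known keys) and return the number of indicators found.
triage() {
    root="${1:-}"; allow="${2:-/dev/null}"; hits=0
    check_bashrc "$root/etc/bashrc" && { echo "[!] kworker hook in $root/etc/bashrc"; hits=$((hits+1)); }
    check_pid_marker "$root/tmp/.iCE-unix.pid" && { echo "[!] $root/tmp/.iCE-unix.pid present"; hits=$((hits+1)); }
    for ak in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$ak" ] || continue
        unexpected_keys "$ak" "$allow" > /dev/null && { echo "[!] unexpected key(s) in $ak"; hits=$((hits+1)); }
    done
    return "$hits"
}
```

Run `triage` with no arguments on the affected host, or with the mount point of its disk image as the first argument; the exit status is the number of indicators found.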

It is crucial for researchers to be cautious when dealing with PoCs downloaded from the internet. These PoCs should be tested in isolated and secure environments, such as virtual machines, and preferably have their code inspected before execution.


The sources for this article include a story from BleepingComputer.
