ClickCease Researchers discover GitHub repositories with fake PoC exploits

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Researchers discover thousands of GitHub repositories with fake PoC exploits

by

November 11, 2022 - TuxCare PR Team

Researchers from the Leiden Institute of Advanced Computer Science have discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for vulnerabilities and malware.

Various malicious programs and malicious scripts from remote trojans to Cobalt Strike have been discovered by the researchers.

More than 47,300 repositories displaying an exploit for a vulnerability discovered between 2017 and 2021 were analyzed by the researchers using three mechanisms: IP address analysts for comparing the PoC’s publisher IP of the PoC with public blocklists and VT and AbuseIPDB; binary analysis to perform VirusTotal checks of the provided executable files and their hashes; hexadecimal and base64 analysis: decrypt obfuscated files before performing binary and IP checks.

The researchers discovered 150,734 unique IP addresses that were extracted and 2,864 matched blocklist entries, of which 1,522 were detected as malicious in antivirus scans on Virus Total, and 1,069 were present in the AbuseIPDB database.

The binary analysis examined a number of 6,160 executable files and found a total of 2,164 malicious samples hosted in 1,398 repositories. Overall, 4,893 of the 47,313 tested repositories were classified as malicious, with most of them associated with bugs as of 2020.

The report contains a small number of repositories with fake PoCs that provided malware, and the researchers said 60 more are being removed from GitHub.

While investigating the cases, researchers discovered several malicious programs and scripts, ranging from remote access trojans to Cobalt Strike. Cases investigated include a PoC for CVE-2019-0708 known as “BlueKeep,” which contains a base64-disguised Python script that fetches a VBScript from Pastebin. The script is the Houdini RAT, an old JavaScript-based trojan that supports remote command execution via the Windows CMD.

As a security precaution, users are advised not to trust a GitHub repository from an unverified source. Software testers are also advised to carefully check the PoCs they download and perform multiple checks before running them.

The sources for this piece include an article in BleepingComputer.

Watch this news on our Youtube channel: https://www.youtube.com/watch?v=R6OGGQHjMYY

Summary
Researchers discover thousands of GitHub repositories with fake PoC exploits
Article Name
Researchers discover thousands of GitHub repositories with fake PoC exploits
Description
Researchers from the Leiden Institute of Advanced Computer Science have discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for vulnerabilities and malware.
Author
Publisher Name
TuxCare
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Become a TuxCare Guest Writer

Mail

Help Us Understand
the Linux Landscape!

Complete our survey on the state of Open Source and you could win one of several prizes, with the top prize valued at $500!

Your expertise is needed to shape the future of Enterprise Linux!