In mid-August, the developers closed a security gap in WinRAR with version 6.23 that had been classified as high risk and had already been exploited in attacks. Now IT security researchers have discovered alleged proof-of-concept code that claims to demonstrate how to exploit the vulnerability. In reality, it is based on an exploit for a completely different security hole and delivers the VenomRAT malware, which it installs persistently on the computer.
In their analysis, analysts at Palo Alto Networks' Unit 42 write that four days after the vulnerability with the CVE number CVE-2023-40477 was publicly reported, malicious actors using the pseudonym whalersplonk posted a fake proof-of-concept script to their GitHub repository.
Fake proof of concept: IT security researchers probably not the target
The IT forensics experts assume that whalersplonk is not specifically targeting IT security researchers. They have the impression that the attackers acted opportunistically and wanted to compromise other criminals who exploit new vulnerabilities in their own activities.
Based on the sequence of events, Unit 42 researchers believe that the malicious actors created the infrastructure and malicious code independently of the fake PoC. “As soon as the vulnerability became public, actors acted quickly to capitalize on the code smuggling vulnerability in a popular application. WinRAR claims to have over 500 million users worldwide,” they wrote.
Proof of concept repurposed for a different vulnerability
The PoC exploit on offer is based on a previously available proof of concept for a security vulnerability in the GeoServer software, CVE-2023-25157. When executed, it does not demonstrate exploitation of the WinRAR vulnerability but instead starts an infection chain that ends with the installation of the VenomRAT malware.
While the Zero Day Initiative reported the WinRAR vulnerability on August 17th, the archive containing the malicious PoC carries a timestamp of August 21st. The GitHub repository has since been removed. The fake PoC was a Python script, accompanied by a README.md file that supposedly provided usage instructions in order to persuade potential victims to run the code. A video linked there received more than 100 views.
The cybercriminals stripped the script of comments that referred to the CVE-2023-25157 vulnerability. They also removed lines of code that pointed to a network-related vulnerability, such as the PROXY or PROXY_ENABLED settings, and renamed references in the script from geoserver to exploit. Finally, they added code that downloads and runs a batch script. As a result of these changes, the exploit code no longer executes correctly, the IT researchers add; the malicious download code, however, does run correctly before the script terminates with an exception.
The batch file starts a PowerShell script, which in turn downloads another PowerShell script. That script drops the executable %APPDATA%\Drivers\Windows.Gaming.Preview.exe onto the computer and registers it as a Windows scheduled task that launches the file every three minutes, thus establishing persistence. The file is a variant of VenomRAT: it contacts a command-and-control server and logs keystrokes.
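As an added example (not code from the article or from Unit 42's report), the following PowerShell snippet checks a Windows host for the persistence pattern just described: it looks for the dropped file path named above and lists scheduled tasks whose action runs an executable from a user-profile directory on a short repetition interval. The file path and the three-minute interval come from the article; extending the check to any task action under %APPDATA%, %LOCALAPPDATA% or %TEMP% and the ten-minute threshold are assumptions of this example.

```powershell
# Added example, not part of the original article or Unit 42's analysis.
# Hunts for the persistence pattern described in the text on the local host.
# Assumptions: the file path and 3-minute interval are from the article; treating
# any task that runs from a profile directory as suspicious is this example's own rule.

$suspectPath = Join-Path $env:APPDATA 'Drivers\Windows.Gaming.Preview.exe'

# 1. Direct indicator: the dropped executable named in the report.
if (Test-Path -LiteralPath $suspectPath) {
    Write-Warning "Indicator present: $suspectPath"
    Get-Item -LiteralPath $suspectPath |
        Select-Object FullName, Length, CreationTime, LastWriteTime
} else {
    Write-Output "Not found: $suspectPath"
}

# 2. Behavioural check: scheduled tasks that execute from a user-writable profile
#    directory and repeat at a short interval (the sample used PT3M, i.e. 3 minutes).
$profileRoots  = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
$shortInterval = [TimeSpan]::FromMinutes(10)   # assumed threshold for "short"

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }

        # Expand %APPDATA%-style variables and strip quotes so the prefix test works.
        $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
        $fromProfile = $false
        foreach ($root in $profileRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $fromProfile = $true
            }
        }
        if (-not $fromProfile) { continue }

        # Repetition.Interval is an ISO 8601 duration such as "PT3M"; convert to TimeSpan.
        $repeats = $false
        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval
            if ($interval) {
                try {
                    if ([System.Xml.XmlConvert]::ToTimeSpan($interval) -le $shortInterval) {
                        $repeats = $true
                    }
                } catch { }   # ignore malformed durations, keep the task in the listing
            }
        }

        [PSCustomObject]@{
            TaskName        = $task.TaskName
            TaskPath        = $task.TaskPath
            Executable      = $exe
            Arguments       = $action.Arguments
            ShortRepetition = $repeats
        }
    }
} | Sort-Object ShortRepetition -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that tasks registered by other users are visible; a task flagged with ShortRepetition set to True and an executable under a profile directory matches the behaviour the article describes and warrants a closer look at the binary and the task's XML definition.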
Anyone who has tried out such a proof of concept should therefore check their computer for infections. Tainted proof-of-concept code appears to be a growing trend. Back in June, a campaign became known in which cybercriminals created fake profiles of IT security researchers that pointed to supposed proof-of-concept exploits for various security vulnerabilities on GitHub. In fact, malware was hidden behind them, intended to infect the computers of interested parties.