According to a recent technical paper, hackers are publishing malicious PoC exploits for known vulnerabilities on Github. These PoCs—some of them are even laden with malware—are targeting security professionals.
Diving into details
Researchers at the Leiden Institute of Advanced Computer Science performed an analysis on over 47,300 repositories advertising an exploit for vulnerabilities disclosed between 2017 and 2021.
- Of 150,734 unique IPs analyzed, 2,864 matched blocklist entries, 1,522 were filtered by AV scans as malicious on VirusTotal, and 1,069 were present in the AbuseIPDB database.
- The binary analysis of a set of 6,160 executables revealed a total of 2,164 malicious samples hosted in 1,398 repositories.
- Of the 47,313 repositories tested, 4,893 were deemed malicious and most of them were related to vulnerabilities from 2020.
Moreover, there are at least 60 other examples of malicious repositories that are still live and being taken down by GitHub.
Malware and other harmful payloads
In addition, researchers found additional fake PoCs that contained different malware and harmful scripts.
- A PoC for BlueKeep vulnerability (CVE-2019-0708) was found with a base64-obfuscated Python script that fetches a Houdini RAT-laden VBScript from Pastebin.
- Other fake PoCs were found with info-stealer malware, malicious PowerShell script, malicious one-liner payloads, Cobalt Strike, and even inactive malicious components.
Conclusion
The discovery of fake PoCs, with some loaded with RATs and malware, underlines security concerns around GitHub repositories. Users are urged not to let their guard down while downloading any PoC from untrustworthy sources or unverified sources, and also use a sandbox to test it before using it in a live environment.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/2ff9_shutterstock_2061653135.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/d091_shutterstock_1492617809.jpg)
