A cybercriminal is targeting security researchers with fake Windows Proof-of-Concept (PoC) exploits. These fake exploits infect targeted devices with the Cobalt Strike backdoor.

InfoSec community under attack

According to Cyble researchers, the threat actor is exploiting interest in recently patched Windows RCE flaws.
  • A week ago, a threat actor published two PoC exploits on GitHub for the Windows vulnerabilities identified as CVE-2022-26809 and CVE-2022-24500.
  • These exploits were posted in repositories for a user named 'rkxxz', which are now taken down and the account has been removed.
  • When a PoC was published, news spread on Twitter and other platforms, catching the attention of threat actors as well as security researchers.
  • However, these exploits were found to be fake and installed Cobalt Strike beacons.
By attacking the infosec community, attackers are probably trying to gain access to vulnerability research, as well as potentially gain access to the network of a cybersecurity company.

About the malicious PoC

  • Researchers analyzed the PoC and discovered that it was a .NET application that pretended to exploit a target IP address while, in reality, infecting the user's own machine with the backdoor.
  • A deobfuscated sample of the PoC revealed that it is used to launch a PowerShell script that runs a gzip-compressed PowerShell script to inject the beacon in memory.
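As an added illustration (not part of the Cyware write-up or Cyble's analysis), the following Python scans process-creation log lines for the staging chain described above: a PowerShell command that base64-decodes and gunzips an embedded script and executes it in memory, with the decoded stage then checked for the API names a memory-injecting loader references. The log lines, the regex names and the harmless inner "stage" are all constructed here.

```python
import base64, gzip, re

# Outer-stage indicators: decode base64, gunzip, execute the result in memory.
GZIP_RE = re.compile(r"GzipStream|Decompress", re.I)
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
# API names an in-memory loader typically imports; checked only after decoding.
INJECT_RE = re.compile(r"VirtualAlloc|WriteProcessMemory|CreateRemoteThread", re.I)

def unpack_stage(blob: str):
    """Base64-decode and gunzip one embedded stage; None if it is not gzip."""
    try:
        raw = base64.b64decode(blob, validate=True)
        if raw[:2] != b"\x1f\x8b":          # gzip magic bytes
            return None
        return gzip.decompress(raw).decode("utf-8", "replace")
    except Exception:
        return None

def analyze(cmdline: str) -> dict:
    """Score one command line, peeling up to three nested gzip stages."""
    reasons, depth, text = [], 0, cmdline
    if GZIP_RE.search(cmdline) and EXEC_RE.search(cmdline):
        reasons.append("gunzip-then-execute chain in command line")
    while depth < 3:
        stages = [s for s in (unpack_stage(b) for b in B64_RE.findall(text)) if s]
        if not stages:
            break
        depth += 1
        text = "\n".join(stages)
        if INJECT_RE.search(text):
            reasons.append(f"injection API names in decoded stage {depth}")
    return {"stages": depth, "reasons": reasons, "suspicious": len(reasons) >= 2}

def scan(lines):
    """Return (index, analysis) for every line that trips two or more indicators."""
    hits = []
    for i, line in enumerate(lines):
        result = analyze(line)
        if result["suspicious"]:
            hits.append((i, result))
    return hits

# Constructed sample log lines. The inner stage is a harmless stand-in that
# merely mentions a loader API name; it allocates nothing and injects nothing.
INNER = "# stand-in for a beacon loader stage\n$a = [W32]::VirtualAlloc(0,1024,0x3000,0x40)\n"
BLOB = base64.b64encode(gzip.compress(INNER.encode())).decode()
SAMPLE_LOGS = [
    "powershell.exe -nop -w hidden -c \"IEX (New-Object IO.StreamReader(New-Object "
    "IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('" + BLOB +
    "'),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()\"",
    "powershell.exe -File C:\\scripts\\backup.ps1 -Verbose",
]
```

Run against real EDR or Sysmon Event ID 1 exports, the same two-indicator rule separates the staged loader pattern from ordinary script execution without relying on a hash of any particular sample.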

Concluding notes

Cybersecurity firms often have sensitive information about their clients, which could be very valuable to an attacker. The attackers are probably trying to gain access to vulnerability research being worked on by the victim, as well as potentially gain access to the network of a cybersecurity firm. As a precaution, security researchers should stay alert and be aware of such attacks.
Cyware Publisher
