A recent report by cybersecurity firm Uptycs has highlighted the presence of malicious Proof of Concept (PoC) files on popular code-sharing platform GitHub. These PoCs, which are typically used by security researchers to demonstrate vulnerabilities, have been found to contain hidden malware that enables unauthorized access and data transfers.
According to Uptycs, suspicious activity was detected within these malicious PoCs, including unexpected network connections, unusual data transfers, and unauthorized system access attempts. This raised concerns among the cybersecurity community, prompting further investigation into the matter.
Upon closer examination, it was discovered that the malicious PoC files were copies of legitimate exploits for known vulnerabilities in the Linux kernel. The only difference was the inclusion of an additional file called “src/aclocal.m4,” which acted as a downloader for a Linux bash script. This script enabled the malware to persistently operate within a victim’s system.
The persistence mechanism employed by the malware was particularly crafty. The PoC leveraged the “make” command to create a file named “kworker” and added its file path to the “bashrc” file. By doing so, the malware ensured that it would continue to function even after system reboots, making it difficult to detect and eradicate.
In addition to the Linux kernel vulnerability, researchers also discovered a similar profile named ChriSander22 on GitHub circulating a bogus PoC for a vulnerability in VMware Fusion, a popular virtualization software. This PoC, presented as an exploit for CVE-2023-20871, contained the same malicious file “aclocal.m4,” triggering the installation of a hidden backdoor.
The presence of these malicious PoCs raises concerns about the safety and integrity of code-sharing platforms like GitHub. As the cybersecurity landscape becomes increasingly complex, it can be challenging for researchers and developers to distinguish between legitimate PoCs and deceptive ones. However, adopting safe practices such as testing in isolated environments or virtual machines can provide an additional layer of protection.
In response to these findings, Uptycs recommends several steps to safeguard against malicious PoCs. These include removing any unauthorized ssh keys, deleting the “kworker” file, removing the “kworker” path from the “bashrc” file, and checking the “/tmp/.iCE-unix.pid” file for potential threats. By following these precautions, security researchers can minimize the risk of falling victim to hidden malware embedded within seemingly harmless PoCs.
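The two checks below are an added example, written for this page rather than taken from Uptycs or from any repository it describes. The first function inspects a downloaded PoC tree before anything is built, looking for the pattern described above: an `aclocal.m4` that sits below the top level or that fetches and decodes data, and build files that reach into a shell rc file or an ssh key store. The second function walks the clean-up list Uptycs gives, treating the home and temp directories as parameters so it can run against a mounted image or a constructed tree as well as a live host. The function names, the optional allow-list file of known-good key blobs, and the heuristics themselves are assumptions of this example.

```shell
#!/bin/sh
# Added triage helpers, not from the Uptycs report or any project it names.
# Usage on a live host (file names are assumed, adjust to taste):
#   . ./poc_triage.sh
#   audit_poc_tree ./downloaded-poc
#   scan_host_indicators "$HOME" /tmp ~/.ssh/allowed_keys.txt

# audit_poc_tree DIR
# Prints one "FOUND: ..." line per suspicious item. The report's PoCs carried an
# extra src/aclocal.m4 that downloaded a bash script. A genuine aclocal.m4 is an
# aclocal-generated macro file at the top of the tree and has no reason to fetch
# or decode anything, so both its location and its content are checked.
audit_poc_tree() {
    dir=${1%/}
    find "$dir" -type f -name 'aclocal.m4' 2>/dev/null | while IFS= read -r f; do
        rel=${f#"$dir"/}
        case "$rel" in
            */*) echo "FOUND: aclocal.m4 outside top level: $rel" ;;
        esac
        if grep -Eq 'curl|wget|/dev/tcp/|base64 +-d' "$f"; then
            echo "FOUND: download or decode command in $rel"
        fi
    done
    # Build files or helper scripts that touch a shell rc file or the ssh key
    # store have no business in an exploit PoC (the report's sample edited bashrc).
    find "$dir" -type f \( -name 'Makefile' -o -name 'makefile' -o -name '*.mk' -o -name '*.sh' \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -Eq '\.bashrc|\.profile|authorized_keys' "$f"; then
            echo "FOUND: build or script file touches shell rc or ssh keys: ${f#"$dir"/}"
        fi
    done
    return 0
}

# scan_host_indicators HOME_DIR TMP_DIR [ALLOWED_KEYS_FILE]
# ALLOWED_KEYS_FILE (optional; assumed format: one known-good key blob per line)
# decides which authorized_keys entries are expected. Without it every entry is
# reported so a human can review the list.
scan_host_indicators() {
    home=${1%/}; tmp=${2%/}; allow=${3:-}
    # "kworker" is a legitimate kernel thread name; a regular file by that name
    # under a home directory is the artefact the report tells defenders to delete.
    find "$home" -maxdepth 3 -type f -name 'kworker' 2>/dev/null |
        sed 's|^|FOUND: kworker file at |'
    # .bashrc lines that reference a kworker path (the report's persistence hook).
    if [ -f "$home/.bashrc" ]; then
        grep -n 'kworker' "$home/.bashrc" 2>/dev/null | sed 's|^|FOUND: .bashrc line |'
    fi
    # The pid file the report tells defenders to inspect.
    if [ -e "$tmp/.iCE-unix.pid" ]; then
        echo "FOUND: pid file present: $tmp/.iCE-unix.pid"
    fi
    # authorized_keys entries whose key blob is not on the allow-list.
    keys="$home/.ssh/authorized_keys"
    if [ -f "$keys" ]; then
        while IFS= read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            # The key blob is the first field starting with the base64 prefix AAAA,
            # which also skips any leading options such as command="...".
            blob=$(printf '%s\n' "$line" | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) { print $i; exit }}')
            if [ -z "$blob" ] || [ -z "$allow" ] || ! grep -qF -- "$blob" "$allow"; then
                echo "FOUND: authorized_keys entry not on allow-list: $(printf '%s' "$line" | cut -c1-60)"
            fi
        done < "$keys"
    fi
    return 0
}
```

Both functions only report; removing the `kworker` file, editing `.bashrc`, and revoking keys stay manual steps, since an automated clean-up that races with a still-running process tends to miss the relaunch and destroys evidence an investigator will want.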
The discovery of these malicious PoCs serves as a reminder that even trusted platforms can be infiltrated by cybercriminals. It highlights the importance of adopting proactive security measures and remaining vigilant when engaging with code-sharing platforms. As the cybersecurity landscape continues to evolve, it is imperative that individuals and organizations stay informed about the latest threats and take appropriate steps to protect their systems and data.
