Cybersecurity researchers and threat actors are targeted by fake proof-of-concept (PoC) exploit CVE-2023-35829 that installs Linux password-stealing malware.
Uptycs analysts discovered the malicious PoC during their routine scans when detection systems reported irregularities such as unexpected network connections, unauthorized system access attempts, and atypical data transfers.
Three repositories were found hosting the malicious fake PoC exploit, two of which were removed from GitHub and the last one is still active.
Uptycs reports that the bad PoC has been widely shared among members of the security research community, so infections may exist on a significant number of computers.
Malicious PoC Details
Fake PoC claims to be an exploit for CVE-2023-35829a high-severity use-after-release flaw affecting the Linux kernel before version 6.3.2.
In reality, however, the PoC is a copy of an older, legitimate exploit for another Linux kernel vulnerability, CVE-2022-34918.
The code takes advantage of namespaces, a Linux feature that partitions kernel resources, to make it look like it’s a root shell, even though its privileges are still limited in the namespace of the user.
This is done to reinforce the illusion that the exploit is genuine and working as intended, giving attackers more time to roam the compromised system freely.
On launch, the PoC also creates a ‘kworker’ file and adds its path to the ‘/etc/bashrc’ file for persistence.
Then it contacts the attacker’s C2 server to download and run a Linux bash script from an external URL.
The downloaded script accesses the ‘/etc/passwd’ file to steal valuable system data, modifies the ‘~/.ssh/authorized_keys’ to grant the attacker unauthorized remote access to the server, and finally uses curl to exfiltrate data via ‘transfer.sh’.
The script steals data that includes the victim’s username, hostname, and home directory contents. However, since the threat now has remote access to the server, it can steal what it wants manually.
The bash script disguises its operations as kernel-level processes to evade detection, since system administrators tend to trust them and generally do not examine such entries.
Don’t trust the exploit code
Uptycs suggests that researchers who have downloaded and used the fake PoC follow these steps:
- Delete all unauthorized ssh keys
- Delete the kworker file
- Remove kworker path from bashrc file
- Check /tmp/.iCE-unix.pid for potential threats
PoCs downloaded from the internet should be tested on sandboxed/isolated environments like virtual machines and, if possible, have their code inspected before running.
Submitting binary files to VirusTotal is also a quick and easy way to identify a malicious file.
The use of fake PoCs to target researchers and threat actors with malware is not new.
Last month, VulnCheck analysts uncovered a campaign where threat actors posed as real researchers from trusted cybersecurity companies to push malware posing as zero-day exploits for Chrome, MS Exchange and Discord.
In October 2022, university researchers published a technical article explaining that up to 10.3% of all PoCs hosted on GitHub could be malware.
North Korea’s Lazarus hackers are also believed to be responsible for a 2021 campaign using social media to target vulnerability researchers with fake PoCs who installed backdoors.