Hackers impersonate cybersecurity researchers on Twitter and GitHub to post fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware.

These malicious exploits are promoted by alleged researchers of a fake cybersecurity company named “High Sierra Cyber ​​Security”, who promote GitHub repositories on Twitter, which may target cybersecurity researchers and companies involved in the research. on vulnerabilities.

The repositories look legit, and users maintaining them impersonate real security researchers from Rapid7 and other security companies, even using their likenesses.

The same people maintain accounts on Twitter to help add legitimacy to their research and code repositories like GitHub, as well as attract victims to the social media platform.

This campaign was discovered by VulnCheckwhich reports that it has been ongoing since at least May 2023, promoting alleged exploits for zero-day flaws in popular software like Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange.

Either way, the malware repositories host a Python script (“poc.py”) that acts as a malware downloader for Linux and Windows systems.

The script downloads a ZIP archive from an external URL to the victim’s computer depending on their operating system, with Linux users downloading “cveslinux.zip” and Windows users receiving “cveswindows.zip”.

Malware is saved in Windows %Temp% or Linux /home/ folders/.local/share, extracted and executed.

VulnCheck reports that the Windows binary contained in the ZIP (‘cves_windows.exe’) is marked with more than 60% AV engines on VirusTotal. The Linux binary (‘cves_linux’) is much stealthier, only caught by three scanners.

The type of malware installed is unclear, but both executables install a TOR client, and the Windows version has detections as a password-stealing Trojan.

While the success of this campaign is unclear, VulnCheck notes that threat actors appear persistent and create new accounts and repositories when existing ones are flagged and removed.

Currently, these seven GitHub repositories, which are available at the time of writing, should be avoided:

1. github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
2. github.com/MHadzicHSCS/Chrome-0-day
3. github.com/GSandersonHSCS/discord-0-day-fix
4. github.com/BAdithyaHSCS/Exchange-0-Day
5. github.com/RShahHSCS/Discord-0-Day-Exploit
6. github.com/DLandonHSCS/Discord-RCE
7. github.com/SsankkarHSCS/Chromium-0-Day

Additionally, these Twitter accounts belong to impersonators and are not to be trusted:

• twitter.com/AKuzmanHSCS
• twitter.com/DLandonHSCS
• twitter.com/GSandersonHSCS
• twitter.com/MHadzicHSCS

Security researchers and cybersecurity enthusiasts should be careful when downloading scripts from unknown repositories because spoofing is always possible.

North Korean state-sponsored hacking group Lazarus ran a similar campaign in January 2021when they created fake social media vulnerability research personas to target researchers with malware and zero-days.

Later that year, they targeted researchers with Trojan versions of IDA Pro reverse engineering software to install remote access Trojans.

More recently, scholars have found thousands of repositories on GitHub offering fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them infecting users with malware, malicious PowerShells, obfuscated info-stealing downloaders, Cobalt Strike Dropperand more.

By targeting the vulnerability research and cybersecurity community, threat actors can access vulnerability research that can be used in their own attacks.

Worse still, in many cases the malware could provide initial access to a cybersecurity firm’s network, leading to further data theft and extortion attacks.

Since cybersecurity companies tend to have sensitive customer information such as vulnerability assessments, remote access credentials, or even undisclosed zero-day vulnerabilities, this type of access can be very valuable to a malicious actor.

Therefore, when downloading code from GitHub, it is imperative that all code is reviewed for malicious behavior. In this case, downloading and executing malware is easily visible in PoCs, but this may not be the case in all situations where threat actors can obfuscate malicious code.