Cybercriminals are exploiting interest in the critical LDAP vulnerabilities (CVE-2024-49112 and CVE-2024-49113) by distributing fake proof-of-concept (PoC) exploits for “LDAPNightmare” (CVE-2024-49113).
These fake PoCs, disguised as legitimate tools, trick security researchers and administrators into downloading and running them. Instead of demonstrating the vulnerability, the files install malware that steals sensitive information from the victim’s system.
Attackers leverage the high-profile nature of these LDAP vulnerabilities to increase the chances of their traps succeeding.
A malicious actor forked a legitimate Python repository and replaced its source code with a UPX-packed executable (poc.exe).
The presence of an executable file in a Python project is unusual and suspicious since Python projects typically rely on script files (.py). This anomaly strongly suggests malicious activity in the repository.
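The indicator described above (a packed Windows executable inside what should be a pure-Python repository) is cheap to check mechanically before anything in a cloned repository is run. The script below is an added example, not code from the article or from any project it mentions: it walks a checkout, flags files that are executables either by extension or by their MZ header, and notes whether the UPX section names (UPX0, UPX1, UPX!) appear in the header bytes. The sample repository it builds, including the stand-in poc.exe, is constructed locally and contains no executable code.

```python
"""Flag binary payloads in a checkout that claims to be a Python project.

Added example (not from the original article). The heuristic mirrors the
indicator the article describes: a UPX-packed .exe sitting in a repository
that should contain only .py sources. Every file name and byte sequence used
here is constructed for the demonstration; nothing is fetched from the network.
"""
import tempfile
from pathlib import Path

# Extensions that have no business in a pure-Python project.
SUSPICIOUS_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com"}

# Section names the UPX packer writes into the PE header of a packed file.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

HEADER_BYTES = 4096  # enough to cover the DOS stub and the section table


def is_pe(data: bytes) -> bool:
    """True if the data starts with the 'MZ' DOS header of a Windows executable."""
    return data[:2] == b"MZ"


def looks_upx_packed(data: bytes) -> bool:
    """True if any UPX section-name marker appears in the inspected header bytes."""
    return any(marker in data for marker in UPX_MARKERS)


def scan_repo(root: str) -> list:
    """Walk a checkout and return one finding per file that is an executable by
    extension or by header, noting whether it appears to be UPX-packed."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        with path.open("rb") as fh:
            head = fh.read(HEADER_BYTES)
        by_ext = path.suffix.lower() in SUSPICIOUS_EXTENSIONS
        by_header = is_pe(head)
        if by_ext or by_header:
            findings.append({
                "path": str(path.relative_to(root)),
                "reason": "extension" if by_ext else "MZ header",
                "upx_packed": looks_upx_packed(head),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_repo() -> str:
    """Create a throwaway checkout with one harmless .py file, one constructed
    'poc.exe' carrying an MZ header plus UPX section names, and one binary
    hidden behind a .py extension. All contents are constructed placeholders."""
    root = tempfile.mkdtemp(prefix="fake_poc_repo_")
    (Path(root) / "poc.py").write_text("print('harmless placeholder')\n")
    # Constructed stand-in for a packed binary: a DOS header, padding, then the
    # section names UPX leaves behind. It is not executable code.
    fake_exe = b"MZ" + b"\x00" * 62 + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    (Path(root) / "poc.exe").write_bytes(fake_exe)
    # A renamed binary with a harmless extension is still caught by its header.
    (Path(root) / "helper.py").write_bytes(b"MZ" + b"\x00" * 16)
    return root


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(finding)
```

The header check matters more than the extension check: a binary renamed to .py or .txt still begins with MZ, and the UPX markers survive renaming as well. Any finding here is a reason to stop and inspect the repository rather than execute it.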
When executed, the file drops a PowerShell script in the %Temp% directory and sets up a scheduled task to maintain persistence by repeatedly running an encoded script. After decoding, the script retrieves another from Pastebin.
The final script collects the victim’s public IP address and sends it to an external server via FTP, likely for further exploitation or establishing command-and-control operations.
The process gathers sensitive system data, such as computer specifications, running processes, directory contents, network configuration, and installed updates, compresses it into a ZIP file, and uploads it to an external FTP server using hard-coded credentials, exposing the collected data to the attacker.
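The persistence step described above, a scheduled task that repeatedly runs an encoded PowerShell script which then reaches out to Pastebin and FTP, leaves a command line a responder can triage directly. The following is an added example, not code from the article: it locates a -EncodedCommand argument in a task's action string, decodes it (PowerShell expects base64 over UTF-16LE text), and reports which of the indicators the article mentions appear in the decoded text. The sample task action is constructed here from an inert Write-Host script; the Pastebin and FTP addresses in it are placeholders.

```python
"""Triage scheduled-task command lines for encoded PowerShell stagers.

Added example (not from the original article). Decodes '-EncodedCommand'
arguments the way PowerShell does (base64 of UTF-16LE text) and flags the
indicators the article reports: a Pastebin second stage, FTP exfiltration and
a %Temp% drop. The task command line below is constructed and inert.
"""
import base64
from typing import Optional

# Substrings worth flagging in a decoded command, lower-cased for matching.
INDICATORS = ("pastebin.com", "ftp", "%temp%", "downloadstring", "invoke-expression")


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Reverse of encode_powershell; raises ValueError on malformed input."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 blob following an -EncodedCommand style switch.

    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc ...),
    so every token is tested as a prefix of 'encodedcommand'."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        key = tok.lower().lstrip("-/")
        if key and "encodedcommand".startswith(key):
            return tokens[i + 1]
    return None


def triage_task_command(cmdline: str) -> dict:
    """Summarise one scheduled-task action for an analyst."""
    blob = extract_encoded_command(cmdline)
    result = {"encoded": blob is not None, "decoded": None,
              "indicators": [], "suspicious": False}
    if blob is None:
        return result
    try:
        decoded = decode_powershell(blob)
    except ValueError:
        # An -EncodedCommand that does not decode is itself worth a look.
        result["suspicious"] = True
        return result
    result["decoded"] = decoded
    lowered = decoded.lower()
    result["indicators"] = [ind for ind in INDICATORS if ind in lowered]
    # Hidden, encoded PowerShell in a task is already unusual; indicators in
    # the payload make it a priority finding.
    result["suspicious"] = bool(result["indicators"])
    return result


# Constructed sample: an inert script that only names placeholder addresses.
SAMPLE_STAGE = (
    "Write-Host 'stage two would come from https://pastebin.com/raw/PLACEHOLDER'; "
    "Write-Host 'data would go to ftp://exfil.example.invalid'"
)
SAMPLE_TASK_ACTION = (
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + encode_powershell(SAMPLE_STAGE)
)

if __name__ == "__main__":
    report = triage_task_command(SAMPLE_TASK_ACTION)
    print("encoded:", report["encoded"])
    print("indicators:", report["indicators"])
    print("decoded:", report["decoded"])
```

On a live host the input would be the Actions field of each task (for example from a scheduled-task export), run through triage_task_command one action at a time; anything with encoded set and a non-empty indicator list deserves the task's registration time and author looked up next.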
To avoid malware from fake repositories, download code only from official, trusted sources. Check for suspicious content, especially in repositories with few stars, forks, or contributors. Verify the owner’s identity, review commit history for anomalies, and check forums or issue trackers for warnings. Trend Micro advises these steps to minimize the risk of adding malicious code to projects.