Fake WinRAR proof-of-concept exploit drops VenomRAT malware

An imitation proof-of-concept (PoC) exploit targeting a WinRAR RCE vulnerability that was recently patched has been discovered on GitHub, with the intention of spreading the VenomRAT malware to unsuspecting users.

Fake WinRAR proof-of-concept

Palo Alto Networks’ Unit 42 research team identified a fake PoC exploit, reporting that the attacker uploaded the malicious code to GitHub on August 21, 2023.

The imitation PoC utilizes publicly accessible PoC code originally designed for a SQL injection vulnerability in GeoServer.

It targets CVE-2023-40477, an arbitrary code execution flaw in WinRAR versions before 6.23, activated by opening specific RAR files.

Trend Micro’s Zero Day Initiative identified and reported the WinRAR vulnerability on June 8, 2023, but delayed public disclosure until August 17, 2023. WinRAR addressed the issue in version 6.23, released on August 2.

Unit 42 reveals that the counterfeit Python PoC script is, in fact, an adaptation of a readily accessible exploit targeting another vulnerability, CVE-2023-25157, which is a severe SQL injection flaw affecting GeoServer.

When executed, the PoC generates a batch script that downloads an encrypted PowerShell script, which, in turn, fetches the VenomRAT malware and schedules it to run every three minutes on the target device.

VenomRAT infections

After infiltrating a Windows device, VenomRAT activates a keylogger to capture and save all keystrokes in a locally stored text file. Subsequently, it establishes communication with a C2 server to receive one of nine specified commands for execution on the compromised device:

• plug_gin: Activates a registry-stored plugin.
• HVNCStop: Terminates the “cvtres” process.
• loadofflinelog: Transmits offline keylogger data from %APPDATA%.
• save_Plugin: Records a plugin in the registry using a hardware ID.
• runningapp: Displays active processes.
• keylogsetting: Updates the key log file in %APPDATA%.
• init_reg: Removes subkeys in the Software registry under a hardware identifier.
• Po_ng: Measures the time between a PING to the C2 server and receiving this command.
• filterinfo: Lists installed applications and active processes from the registry.

Given the malware’s capacity to install additional payloads and pilfer credentials, the individual who executed this counterfeit PoC should promptly update passwords for all associated websites and accounts, as well as their corresponding environments.

According to the timeline provided by Unit 42, the hacker prepped the attack infrastructure and payload ahead of the public disclosure of the WinRAR vulnerability. Subsequently, they bided their time for the opportune moment to craft a counterfeit PoC.

This suggests that the same attacker might exploit the heightened awareness within the security community regarding newly identified vulnerabilities in the future, disseminating further deceptive PoCs for different flaws.

As the malware can be used to deploy other payloads and steal credentials, anyone who executed this fake PoC should change their passwords for all sites and environments they have accounts.

Indicators of Compromise

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!