Fake WinRAR proof-of-concept exploit drops VenomRAT malware


A fake proof-of-concept (PoC) exploit for a recently patched WinRAR remote code execution (RCE) vulnerability has been found on GitHub; it was published to spread the VenomRAT malware to unsuspecting users.

Fake WinRAR proof-of-concept

Palo Alto Networks’ Unit 42 research team identified a fake PoC exploit, reporting that the attacker uploaded the malicious code to GitHub on August 21, 2023.

The imitation PoC utilizes publicly accessible PoC code originally designed for a SQL injection vulnerability in GeoServer.

It targets CVE-2023-40477, an arbitrary code execution flaw in WinRAR versions before 6.23 that is triggered by opening a specially crafted RAR file.

Trend Micro’s Zero Day Initiative identified and reported the WinRAR vulnerability on June 8, 2023, but delayed public disclosure until August 17, 2023. WinRAR addressed the issue in version 6.23, released on August 2.

Unit 42 reveals that the counterfeit Python PoC script is, in fact, an adaptation of a readily accessible exploit targeting another vulnerability, CVE-2023-25157, which is a severe SQL injection flaw affecting GeoServer.

When executed, the PoC generates a batch script that downloads an encrypted PowerShell script, which, in turn, fetches the VenomRAT malware and schedules it to run every three minutes on the target device.

VenomRAT infections

After infiltrating a Windows device, VenomRAT activates a keylogger to capture and save all keystrokes in a locally stored text file. Subsequently, it establishes communication with a C2 server to receive one of nine specified commands for execution on the compromised device:

  • plug_gin: Activates a registry-stored plugin.
  • HVNCStop: Terminates the “cvtres” process.
  • loadofflinelog: Transmits offline keylogger data from %APPDATA%.
  • save_Plugin: Records a plugin in the registry using a hardware ID.
  • runningapp: Displays active processes.
  • keylogsetting: Updates the key log file in %APPDATA%.
  • init_reg: Removes subkeys in the Software registry under a hardware identifier.
  • Po_ng: Measures the time between a PING to the C2 server and receiving this command.
  • filterinfo: Lists installed applications and active processes from the registry.

Given the malware’s capacity to install additional payloads and pilfer credentials, the individual who executed this counterfeit PoC should promptly update passwords for all associated websites and accounts, as well as their corresponding environments.

According to the timeline provided by Unit 42, the attacker prepared the attack infrastructure and payload before the WinRAR vulnerability was publicly disclosed, then waited for the right moment to craft a counterfeit PoC.

This suggests that the same attacker might exploit the heightened awareness within the security community regarding newly identified vulnerabilities in the future, disseminating further deceptive PoCs for different flaws.

As the malware can be used to deploy other payloads and steal credentials, anyone who executed this fake PoC should change their passwords for all sites and environments where they have accounts.

Indicators of Compromise

SHA256 (sample)                                                   Type       C2
61dd71441a2b4955467243e986c38f1ea543bae7b1546f003c4a30074dd6c04e  DOMAIN     baiwu123.e2.luyouxia.net
cabc45f1dab04be3fc63192d98324d2665599a6d6ea2f0277ecd27a62fb694f3  DOMAIN     123zhang123.e1.luyouxia.net
79b87d7accc9cbd1414b72ca13c48a385be9cb06c1bb53d845e94107b579bf62  DOMAIN     7706d61f16.zicp.fun
4b84283c40560991da34ef2b465a4724facd0932acebff60466d8d5ff1916bd5  DOMAIN     s1567749.e1.luyouxia.net
75c12ccacd764101736b213981355b39056227929214c8963e9bf3ea5a60f6ef  DOMAIN     binzai.e3.luyouxia.net
1648bea3c1c3b00e7f9c9bf7f65be833fa7f291f0e05a342382e9e36f0350c60  DOMAIN     7706d61f16.zicp.fun
b23e4ea87917a517565de8471a101ab55c2a31186c8a23e9e8af71b359d35aa9  DOMAIN     yk.tym.pw
65235e5bd2f9b30e2b272602a83a8f3805cfca50252da8a79e279f232a6d3990  DOMAIN     bj-1.lcf.icu
ecc3971af558300b451a87b51d0324737174ea1993d8aa7424078fb1bd97ffb3  DOMAIN     bj-1.lcf.icu
f9497f07d69b043501cc52bf2db7828abad35a14bd95bb05e6b5ab9e4408de4e  IPV4:PORT  20.195.166.5:30120
48f61821feeaa45c53daaeb567e142ce9614d131dcf886506a31bf0ba2d75c45  IPV4:PORT  193.161.193.99:27573
f6ad1568aa318f7d27c41ce47b5b3a1a2aceb0fb470d7528117364b67463501e  IPV4:PORT  3.127.59.75:11670
f6ad1568aa318f7d27c41ce47b5b3a1a2aceb0fb470d7528117364b67463501e  IPV4:PORT  3.127.59.75:4824
d0e7f2c67877f06c0e8854b1a37f6f04d181537d77e242f46401415da17f9b03  IPV4:PORT  91.137.64.248:19102
8ef5c7eaa352e547c2e0de266844122ab471cd2ac73a9388b4f1416b2ac8c840  IPV4:PORT  196.115.8.54:1288
d845bc06b40c5810390a226e0608090aa7ea67f603af8bbd4f00318102bb8b7d  IPV4:PORT  109.123.237.143:4449
d845bc06b40c5810390a226e0608090aa7ea67f603af8bbd4f00318102bb8b7d  IPV4:PORT  109.123.237.143:2247
b9b75fe8ce464a4ae9c0578741718777da09646ea89f42ac3663cbf365681b3d  IPV4:PORT  213.52.130.95:9200
b9b75fe8ce464a4ae9c0578741718777da09646ea89f42ac3663cbf365681b3d  IPV4:PORT  213.52.130.95:1337
a9e8b6b187c3bbfccfec6266b95c079bf27752d22bcd04c97df8a62f4a6dcd59  IPV4:PORT  121.127.233.181:4449
4c69911de167a507a1c6effb9724ab72ca0026d1fdfa9c747f70800abdbcbbe5  IPV4:PORT  121.127.233.181:4449
9e8f792af1587b867f477863e2c19d7443f2926ba1e933cf073dcdc68a748dad  IPV4:PORT  146.90.154.118:4449
78a11a10e8d26f98221c9981f1d35b91ce67714a044400fe9933756435b4b690  IPV4:PORT  43.205.210.118:4449
997a1ea14695bc0275446cd35e362ae48a4f3a6f108d91fea49ba1c83803edd1  IPV4:PORT  185.106.94.165:4449
997a1ea14695bc0275446cd35e362ae48a4f3a6f108d91fea49ba1c83803edd1  IPV4:PORT  185.106.94.165:2323
997a1ea14695bc0275446cd35e362ae48a4f3a6f108d91fea49ba1c83803edd1  IPV4:PORT  91.192.100.61:4449
997a1ea14695bc0275446cd35e362ae48a4f3a6f108d91fea49ba1c83803edd1  IPV4:PORT  91.192.100.61:2323
b0e1d8b8115f50b5e89ad950bb7f9d6df0c540c3eb8706656de8c3eb8992a690  IPV4:PORT  20.150.193.28:4449
01e6b908524ccacf46770da7a42cf387308744203cf6a40ad2646f54df4ebc51  IPV4:PORT  5.230.54.132:4449
e385ca9528fb9e5fd4701e5bdb0e6e4f8052abf34f2b7e8e6a7f7bc0873aab86  IPV4:PORT  185.221.67.43:4449
cb4ac8a2838e954946f2e4df7fc742ba9e87670623adf628f51b0938616c6cd2  IPV4:PORT  185.221.67.43:4449
8110ec3aae9084715ddbee84323ac2bb826633e42c8880a97d99234fe1ae2c90  IPV4:PORT  121.127.233.181:4449
1ae0893f36c3777bdaf9fb593ee2673ed9af8f7eb2e2bf8384590325b8e7b0b6  IPV4:PORT  193.161.193.99:1194
1ae0893f36c3777bdaf9fb593ee2673ed9af8f7eb2e2bf8384590325b8e7b0b6  IPV4:PORT  193.161.193.99:27573
782f0ba3ba38e03e50de05fae93adc5e1180f996c77c38ebf0277819cd77a8f2  IPV4:PORT  93.82.44.26:4040
e738d54c43f09a0d881fa58322871221f95b4b47f49c0c86c4a7c4eb5144507b  IPV4:PORT  45.123.56.33:4449
19554d3c701bb2d8c3d86adaabc4843b400278cb5d0a013c18ebeb5e20a2e8a0  IPV4:PORT  147.185.221.16:10735
9930549f9e60b008591223a55db10371087b97dc773313f4adef00dafe3b7b7a  IPV4:PORT  146.70.50.106:3222
e08a92dbf9154f692f25c2ea5e73ec0b44328c994dfc634b29d6ecdf27a0e6a5  IPV4:PORT  36.73.32.123:4449
391dfe8dc2ddf702e96ce93e1aa943dab8c675dd5d0c22862d1e542a1395a0b2  IPV4:PORT  95.214.26.78:5566
16654ceee283193ddd42979063835024dec2ed28975467e09d6d1589812b672b  IPV4:PORT  91.134.187.20:4449
8a7539fbc3e562b7f66d54280bc606d9ea122fe6313a5f2019fbbff4987fcaec  IPV4:PORT  209.25.140.211:42417
bc102347cc0d5e5df45ca8e186d1c675a9e7834c7ffcad5b29111c56c6c1c781  IPV4:PORT  104.220.158.189:7788
bc102347cc0d5e5df45ca8e186d1c675a9e7834c7ffcad5b29111c56c6c1c781  IPV4:PORT  104.220.158.189:4449
b91b0b2ec47b8ce7c80091c7cb86c60ef7c7589b9e28c0a085f7b2d8321ccc65  IPV4:PORT  104.220.158.189:7788
5e0e8a79df502b7fa1c66e374ef1770c918fa33d2e14edaa3cfa995c22f6ba67  IPV4:PORT  193.161.193.99:80
5e0e8a79df502b7fa1c66e374ef1770c918fa33d2e14edaa3cfa995c22f6ba67  IPV4:PORT  193.161.193.99:4449
5e0e8a79df502b7fa1c66e374ef1770c918fa33d2e14edaa3cfa995c22f6ba67  IPV4:PORT  193.161.193.99:64084
51ef7e7b05a5cfccdbffcd2801d350f86a6e6b7e1a331f1ee6bdba48dd9a1b6b  IPV4:PORT  92.158.105.84:4449
544ceadee757881e95dc24304aabd06eec4c3b473516fe697c670ba0a45c9f5e  IPV4:PORT  206.238.115.213:8888
16467a6c8fd85783e8557dfc5401388c76836326da0228144af0dae5de231486  IPV4:PORT  85.209.176.47:4449
f6e0f4b3c428409d1d9899460adfdee8b37ce64c07b0326771d2606500bccb15  IPV4:PORT  168.182.176.153:4449
f6e0f4b3c428409d1d9899460adfdee8b37ce64c07b0326771d2606500bccb15  IPV4:PORT  168.182.176.153:8080
ab232d7c7ea2f11e780413740b1b8ca071438355cd7ff7e792f7ef7157d8f565  IPV4:PORT  177.102.219.156:4449
76f5749e5f9e7e0037031c8b2fa2419cd92b867227780c2248964c4d09e468c1  IPV4:PORT  185.24.9.195:555
cbbe73e6ca5ab7c4eec13be4769b3366be38e8b344947e790a9f9e4cce54061d  IPV4:PORT  147.185.221.181:2044
eadafecc16b5f5ab72aa6d2740546bf2825f3419eaf1fd199e1f0dd52962314b  IPV4:PORT  90.105.113.79:4449
ca7ac3c5d690237034de9c180a94ec1e5eff39f44d5af49b94f343efc4250677  IPV4:PORT  91.134.187.22:4449
6d8f6a15ee5a27f768e8af242d2732ba926151c521aca5d66879305695ba47fe  IPV4:PORT  20.231.13.19:4449
9e53e745ab683bd2ffca7988eb08ebd6005af075b6e62d55188e712a342e73ba  IPV4:PORT  173.212.192.72:3434
9e53e745ab683bd2ffca7988eb08ebd6005af075b6e62d55188e712a342e73ba  IPV4:PORT  173.212.192.72:3435
1dc71b46c509252a5f2cc72ebd40f0d888e3e7ee3196d873f6986364002372f0  IPV4:PORT  146.70.83.154:4449
9d2a1eb397980b3d978675276cdb817d0f0f35fe102fa19c817ef783a7e4c573  IPV4:PORT  193.161.193.99:56777
df220d9554ec9ab915e92134c73b9cd98380f154ab706d032cc68267624deaae  IPV4:PORT  193.149.185.42:4545
ac9de65cc678831d1f406edbd51715c45152c1cce8e44ba065d3d141bc7b286c  IPV4:PORT  37.222.178.27:3305
ac9de65cc678831d1f406edbd51715c45152c1cce8e44ba065d3d141bc7b286c  IPV4:PORT  37.222.178.27:4449
ac9de65cc678831d1f406edbd51715c45152c1cce8e44ba065d3d141bc7b286c  IPV4:PORT  37.222.178.27:3306
851370682c7794afd13e02841864c86413b2d1dcd733ce65677d959bf3a5d246  IPV4:PORT  121.127.233.181:4449
c30cdc97978e54aacda0fd11e79598b1989fa374806988fdc38fac7b3a31dcb7  IPV4:PORT  141.95.71.203:4449
8fd77183576345c65f9d1fc2b9b28ea3362d70ea5ab7754f665ae9788d5eb19d  IPV4:PORT  80.170.28.14:4449
4a49838629b46b6e66822a9670c9fdee138150ba3a33b247a8592820491a8ff0  IPV4:PORT  111.242.191.104:4449
7ae2574e19f7133f8fc723343e1e36272dcac6b0993e0d26ad5e4820f37d43fe  IPV4:PORT  95.214.26.61:4488
0b871f5c6c18be1af4fe8aaaf36c5e58fc8c066f7324511af1ed446785758f66  IPV4:PORT  144.138.71.99:6066
bae96a3d4f4c63e74be0aeb2e79a15062a0c7e08401ed27b5b72258c12923eb7  IPV4:PORT  144.138.71.99:6066
85e25302598e95579773a8e313d74b420ff49464da8ee6792d17658f5a3af6d7  IPV4:PORT  209.25.140.211:21055
53d5de9850423b0996ca88db875b92aa302042adeb0ef588dce8557e8645455f  IPV4:PORT  87.121.221.16:4449
b210f104b7acc95a99e42be6869bb56eb8c9a7e94023aa7f56c57448d7455aea  IPV4:PORT  85.237.227.56:4449
52b4ba2897e76a43cce1777d61997be9ef901ffb84e0bbcd5f7dec17d814d91a  IPV4:PORT  198.44.168.246:4449
b2ece99af7067966cc35a2116b5a1125c0b99a2f7372be6c9e33b0da5f755b27  IPV4:PORT  223.165.6.30:3333
548547762c1b9db4dc83fe9a15d7be23adfc21b55129759167f2bbf0001c8cc4  IPV4:PORT  121.127.233.181:4449
3dd9432b10488a43c2b68927b16738d03efe2edd819679354e8c5034a6dd8013  IPV4:PORT  90.132.25.80:4449
078afa2a896493d987cd4268f77c850c1bb8c08fc197806ef8dbf764477acca7  IPV4:PORT  46.153.131.183:6666
67efdd604029baf36fb0408ad1c13a655fdcf2a113429d22760cf8bcf3ea6d75  IPV4:PORT  193.161.193.99:1194
67efdd604029baf36fb0408ad1c13a655fdcf2a113429d22760cf8bcf3ea6d75  IPV4:PORT  193.161.193.99:4449
d8e5ec45ee3c09bb2f699f4ff25546d240a0fb23e6ded33521c4e9c74fde5d92  IPV4:PORT  206.189.80.59:22317
697e056359d61d8dfb60dfd8251dbe50f6caa5f05949c54d54bda3ad9bffc561  IPV4:PORT  179.174.51.167:5052
697e056359d61d8dfb60dfd8251dbe50f6caa5f05949c54d54bda3ad9bffc561  IPV4:PORT  179.174.51.167:4449
2c548e59eb8e7465af577ec83c8104125e0448e244a976370f1509c2396f0d58  IPV4:PORT  18.133.225.113:32431
fbfe249bf58de6339a994008be4c8874f7cc396a91589d66ce0166dcd7ec6ad0  IPV4:PORT  193.161.193.99:33360
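The table above is only useful once it is matched against telemetry. The following script is an added example (not code from Unit 42, Palo Alto Networks or this article's author) showing one way to do that: it parses a handful of the rows copied from the table into hash, domain and IP:port indicators, then runs constructed host and network log lines through them. Two points from the table drive the design: the same server (193.161.193.99, for example) appears with many different ports, so a bare-IP match is reported at lower confidence than an exact IP:port match, and a port alone (4449 is common across samples) is never treated as an indicator on its own. The log format (key=value fields named host, sha256, query, dst, dport) is an assumption for the example; the log lines themselves are constructed, not real telemetry.

```python
"""Match the article's VenomRAT IoCs against key=value host/network logs.

Added example for this article; not Unit 42's or the author's code.
IoC rows are copied from the article's table; log lines are constructed.
"""
import re
from collections import namedtuple

IoC = namedtuple("IoC", "sha256 kind value")

# A subset of the article's rows in its "<sha256>  <type>  <C2>" layout.
IOC_ROWS = """
61dd71441a2b4955467243e986c38f1ea543bae7b1546f003c4a30074dd6c04e  DOMAIN     baiwu123.e2.luyouxia.net
b23e4ea87917a517565de8471a101ab55c2a31186c8a23e9e8af71b359d35aa9  DOMAIN     yk.tym.pw
997a1ea14695bc0275446cd35e362ae48a4f3a6f108d91fea49ba1c83803edd1  IPV4:PORT  185.106.94.165:4449
997a1ea14695bc0275446cd35e362ae48a4f3a6f108d91fea49ba1c83803edd1  IPV4:PORT  91.192.100.61:2323
5e0e8a79df502b7fa1c66e374ef1770c918fa33d2e14edaa3cfa995c22f6ba67  IPV4:PORT  193.161.193.99:4449
"""

# Constructed log lines in an assumed key=value format (not real telemetry).
LOG_LINES = [
    "2023-08-22T10:00:59Z evt=file host=WS01 sha256=5e0e8a79df502b7fa1c66e374ef1770c918fa33d2e14edaa3cfa995c22f6ba67 path=C:\\Users\\a\\Downloads\\poc.py",
    "2023-08-22T10:01:03Z evt=dns host=WS01 query=BAIWU123.e2.luyouxia.net",
    "2023-08-22T10:01:05Z evt=conn host=WS01 dst=193.161.193.99 dport=4449",
    "2023-08-22T10:04:05Z evt=conn host=WS01 dst=193.161.193.99 dport=65000",
    "2023-08-22T10:05:00Z evt=dns host=WS02 query=example.com",
    "2023-08-22T10:06:00Z evt=conn host=WS02 dst=10.0.0.9 dport=4449",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_iocs(text):
    """Turn table rows into IoC tuples, rejecting anything that is not a SHA256."""
    iocs = []
    for line in text.strip().splitlines():
        sha256, kind, value = line.split()
        if not re.fullmatch(r"[0-9a-f]{64}", sha256):
            raise ValueError(f"not a SHA256: {sha256}")
        iocs.append(IoC(sha256, kind, value.lower()))
    return iocs


def build_index(iocs):
    """Lookup sets: exact hashes, domains, (ip, port) pairs and bare IPs."""
    index = {"sha256": set(), "domain": set(), "ipport": set(), "ip": set()}
    for ioc in iocs:
        index["sha256"].add(ioc.sha256)
        if ioc.kind == "DOMAIN":
            index["domain"].add(ioc.value)
        elif ioc.kind == "IPV4:PORT":
            ip, _, port = ioc.value.rpartition(":")
            index["ipport"].add((ip, int(port)))
            index["ip"].add(ip)  # same server seen on other ports -> lower confidence
    return index


def match_fields(fields, index):
    """Return (confidence, indicator_kind, value) hits for one parsed log line."""
    hits = []
    sha = fields.get("sha256", "").lower()
    if sha in index["sha256"]:
        hits.append(("high", "sha256", sha))
    query = fields.get("query", "").lower().rstrip(".")
    if query in index["domain"]:
        hits.append(("high", "domain", query))
    dst, dport = fields.get("dst"), fields.get("dport")
    if dst and dport and dport.isdigit():
        if (dst, int(dport)) in index["ipport"]:
            hits.append(("high", "ip:port", f"{dst}:{dport}"))
        elif dst in index["ip"]:
            # Known C2 address, unknown port: worth a look, not a confirmed hit.
            hits.append(("medium", "ip", dst))
        # A destination port alone (e.g. 4449) is deliberately NOT an indicator.
    return hits


def scan(lines, index):
    """Return (host, confidence, kind, value) for every hit across the lines."""
    findings = []
    for line in lines:
        fields = dict(KV.findall(line))
        for conf, kind, value in match_fields(fields, index):
            findings.append((fields.get("host", "?"), conf, kind, value))
    return findings


if __name__ == "__main__":
    idx = build_index(parse_iocs(IOC_ROWS))
    for host, conf, kind, value in scan(LOG_LINES, idx):
        print(f"{host}\t{conf}\t{kind}\t{value}")
```

Run against the full table by pasting all rows into IOC_ROWS; swap the KV regex and field names for whatever your DNS, firewall or EDR export actually uses. Hosts with a "medium" finding on a known C2 address are a good pivot for checking the other artefacts described above (the keylogger text file in %APPDATA%, the scheduled task that re-runs the payload every three minutes).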


About the Author:

FirstHackersNews- Identifies Security
