Fake WinRAR PoC spread VenomRAT malware
An unknown threat actor has released a fake proof of concept (PoC) exploit for CVE-2023-4047, a recently fixed remote code execution (RCE) vulnerability in WinRAR, to spread the VenomRAT malware.
The fake WinRAR PoC
On August 17, 2023, Trend Micro’s Zero Day Initiative reported the RCE vulnerability (CVE-2023-4047) that allowed threat actors to execute arbitrary code on an affected WinRAR installation.
The attacker (“whalersplonk”) took the opportunity to release a fake PoC on GitHub only four days after the public announcement of the vulnerability.
The fake PoC is based on publicly available PoC code for a SQL injection vulnerability in GeoServer (CVE-2023-25157).
“The [exploit] poc.py script no longer runs correctly due to the removal of several lines of code. However, the malicious code added to the script does run properly before the script ends in an exception,” noted Robert Falcone, researcher at Palo Alto Networks’ Unit 42.
“Instead of exploiting the WinRAR vulnerability as it claims, the PoC script sets off an infection chain that (after several steps) will install a VenomRAT payload.”
The attacker’s GitHub repository – since taken down – included a README file containing a summary of the CVE-2023-40477 vulnerability, usage instructions for the poc.py script and a demonstration video hosted on Streamable, all of which contributed to its credibility.
Spreading malware through PoCs
This is not the first time malware paddlers have used this technique; threat actors often target researchers looking for public PoCs to help them analyze and understand vulnerabilities.
Even though the number of compromises is unknown, Falcone noted that the instructional video provided by the actor along with the fake exploit script had 121 views. He also has doubts on the attacker’s intentions.
“We do not think the threat actor created this fake PoC script to specifically target researchers. Rather, it is likely the actors are opportunistic and looking to compromise other miscreants trying to adopt new vulnerabilities into their operations,” Falcone said.
“We believe the threat actor had created the infrastructure and payload separately from the fake PoC. Once the vulnerability was publicly released, the actors quickly created the fake PoC to use the severity of an RCE in a popular application like WinRAR to lure in potential victims.”