Friendly fire: pentesters became victims of their own tool
The PoC exploit tests not only the target's vulnerabilities, but also the "immunity" of the researcher's own computer.
Uptycs analysts discovered a malicious PoC (Proof-of-Concept) during their routine checks, when detection systems flagged anomalies such as unexpected network connections, unauthorized system access attempts, and atypical data transfers.
Three repositories hosting the malicious fake PoC exploit were discovered; two of them have been removed from GitHub, and the remaining one is still online.
Malicious GitHub repository distributing the stealer
The malicious PoC has circulated widely among members of the security research community, so a significant number of computers may already be infected.
Information about the malicious PoC
The PoC is described as an exploit for a use-after-free (UAF) vulnerability, CVE-2023-35829 (CVSS: 7.0), affecting the Linux kernel up to version 6.3.2. However, the PoC is actually a copy of an old, genuine exploit for a different Linux kernel vulnerability, CVE-2022-34918 (CVSS: 7.8).
Code comparison of the two PoCs
The code uses namespaces, a Linux feature that isolates kernel resources, to give the impression of a root shell: the user appears as uid 0, although the shell's privileges remain confined to the user namespace the PoC created.
This creates the illusion that the exploit is genuine and works properly, giving the attackers more time to move around the compromised system undisturbed.
Part of the code that creates the fake shell
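A check a tester can run from the shell such a PoC hands back, to tell a genuine root shell from uid 0 inside a child user namespace. This is an added example, not code from the Uptycs report or from the repositories it describes; it assumes a Linux host with /proc mounted and reads the kernel's own /proc/self/uid_map.

```shell
#!/bin/sh
# Added example: is this "root" shell real, or uid 0 inside a child user
# namespace (the trick the fake PoC uses to look like a working exploit)?

# parse_uid_map MAPTEXT
#   MAPTEXT is the content of /proc/self/uid_map: lines of
#   "<uid inside ns> <uid outside ns> <count>". The initial namespace has the
#   single identity line "0 0 4294967295"; anything else is a child namespace
#   (an unprivileged user can typically only map its own uid, e.g. "0 1000 1").
#   Prints "init" or "child".
parse_uid_map() {
  lines=0
  identity=0
  while read -r inside outside count; do
    if [ -n "$inside" ]; then
      lines=$((lines + 1))
      if [ "$inside" = 0 ] && [ "$outside" = 0 ] && [ "$count" = 4294967295 ]; then
        identity=1
      fi
    fi
  done <<EOF
$1
EOF
  if [ "$lines" -eq 1 ] && [ "$identity" -eq 1 ]; then
    echo init
  else
    echo child
  fi
}

# shell_is_real_root: returns 0 only for uid 0 in the initial user namespace.
shell_is_real_root() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "not root (uid $(id -u))"
    return 1
  fi
  if [ "$(parse_uid_map "$(cat /proc/self/uid_map)")" != init ]; then
    echo "uid 0 only inside a user namespace; uid_map: $(tr -s ' ' < /proc/self/uid_map | tr '\n' ';')"
    return 1
  fi
  # Second signal, when PID 1's namespace links are readable: a different
  # user-namespace inode from PID 1 means we are in a child namespace even if
  # a privileged creator wrote an identity-looking map into it.
  own=$(readlink /proc/self/ns/user 2>/dev/null || true)
  pid1=$(readlink /proc/1/ns/user 2>/dev/null || true)
  if [ -n "$own" ] && [ -n "$pid1" ] && [ "$own" != "$pid1" ]; then
    echo "user namespace differs from PID 1 ($own vs $pid1)"
    return 1
  fi
  echo "real root"
  return 0
}
```

Run `shell_is_real_root` from the shell the PoC presents; a failed exploit that is merely faking root prints the child-namespace mapping instead of "real root".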
The PoC then persists itself on the system and contacts the attacker's C2 server to download and execute a bash script from an external URL. The downloaded script steals valuable data, including passwords, the username, the hostname, and the contents of the victim's home directory. The script then gives the attacker unauthorized remote access to the server and exfiltrates the stolen data.
The bash script disguises its operations as kernel-level processes to avoid detection, since system administrators tend to trust such entries and rarely inspect them.
PoCs downloaded from the Internet should be tested in isolated environments such as virtual machines and, where possible, their code reviewed before execution. Submitting binary files to VirusTotal is also a quick and easy way to identify a malicious file.