In a sign that cybersecurity researchers remain under the watchful eye of malicious actors, a proof-of-concept (PoC) has been found on GitHub that hides a backdoor with “clever” persistence methods.
โIn this case, the PoC is a wolf in sheep’s clothing, masquerading as a harmless learning tool,โ said Uptycs researchers Nischay Hegde and Siddartha Malladi. Said. “Acts as a downloader, disguising its actions as a kernel-level process, while silently dumping and executing Linux bash scripts.”
of repository pretend to be a PoC for CVE-2023-35829, a recently disclosed high-severity flaw in the Linux kernel. It has since been deleted, but has since been forked 25 times. Another demonstration experiment Same account, shared by ChrisSanders22. CVE-2023-20871was forked twice with a privilege escalation bug affecting VMware Fusion.
Uptypcs also identified: Second GitHub profile Contains a fake PoC for CVE-2023-35829. As of this writing, it is still available and has been forked 19 times.detailed inspection of commit history indicates that the changes were pushed by ChriSanders22, suggesting that they were forked from the original repository.
This backdoor has extensive functionality that not only steals sensitive data from compromised hosts, but also allows attackers to gain remote access by adding SSH keys to the .ssh/authorized_keys file.
“A PoC aims to run the make command, an automated tool used to compile and build executables from source code files,” the researchers explained. “However, within the Makefile there is a code snippet that builds and runs the malware. The malware runs by specifying a file named . WorkerThis will add the $HOME/.local/kworker path to $HOME/.bashrc and establish its persistence.
Shielding Against Insider Threats: Mastering SaaS Security Posture Management
Worried about insider threats? We’ve got you covered! Join us for this webinar to explore practical strategies and proactive security secrets using SaaS Security Posture Management.
This development comes almost after VulnCheck discovered a number of fake GitHub accounts posing as security researchers distributing malware under the guise of PoC exploits for popular software such as Discord, Google Chrome, Microsoft Exchange Server, Signal and WhatsApp. Done a month later.
For users who downloaded and ran the PoC, disallow SSH keys, remove the kworker file, clear the kworker path from the bashrc file, and remove /tmp/.iCE-unix.pid for potential threats. It is recommended to check.
“Although it may be difficult to distinguish between a legitimate PoC and a deceptive PoC, employing secure methods such as testing in an isolated environment (such as a virtual machine) can provide a layer of protection.” researchers said.
