July 13, 2023THNMoreLinux / Vulnerability

In a sign that cybersecurity researchers remain under the watchful eye of malicious actors, a proof-of-concept (PoC) has been found on GitHub that hides a backdoor with “clever” persistence methods.

“In this case, the PoC is a wolf in sheep’s clothing, masquerading as a harmless learning tool,” said Uptycs researchers Nischay Hegde and Siddartha Malladi. Said. “Acts as a downloader, disguising its actions as a kernel-level process, while silently dumping and executing Linux bash scripts.”

of repository pretend to be a PoC for CVE-2023-35829, a recently disclosed high-severity flaw in the Linux kernel. It has since been deleted, but has since been forked 25 times. Another demonstration experiment Same account, shared by ChrisSanders22. CVE-2023-20871was forked twice with a privilege escalation bug affecting VMware Fusion.

Uptypcs also identified: Second GitHub profile Contains a fake PoC for CVE-2023-35829. As of this writing, it is still available and has been forked 19 times.detailed inspection of commit history indicates that the changes were pushed by ChriSanders22, suggesting that they were forked from the original repository.

Linux kernel vulnerabilities

This backdoor has extensive functionality that not only steals sensitive data from compromised hosts, but also allows attackers to gain remote access by adding SSH keys to the .ssh/authorized_keys file.

“A PoC aims to run the make command, an automated tool used to compile and build executables from source code files,” the researchers explained. “However, within the Makefile there is a code snippet that builds and runs the malware. The malware runs by specifying a file named . WorkerThis will add the $HOME/.local/kworker path to $HOME/.bashrc and establish its persistence.

upcoming webinars

Shielding Against Insider Threats: Mastering SaaS Security Posture Management

Worried about insider threats? We’ve got you covered! Join us for this webinar to explore practical strategies and proactive security secrets using SaaS Security Posture Management.

join today

This development comes almost after VulnCheck discovered a number of fake GitHub accounts posing as security researchers distributing malware under the guise of PoC exploits for popular software such as Discord, Google Chrome, Microsoft Exchange Server, Signal and WhatsApp. Done a month later.

For users who downloaded and ran the PoC, disallow SSH keys, remove the kworker file, clear the kworker path from the bashrc file, and remove /tmp/.iCE-unix.pid for potential threats. It is recommended to check.

“Although it may be difficult to distinguish between a legitimate PoC and a deceptive PoC, employing secure methods such as testing in an isolated environment (such as a virtual machine) can provide a layer of protection.” researchers said.

Did you enjoy this article? Follow us twitter and LinkedIn To read more of the exclusive content we post.

cropped-BTA_Logo-B-1-scaled-1
YOUR FUTURE STARTS HERE.

BLUE TRAINING ACADEMY

Register now for our membership to gain access to our elite training program and fast forward your career today!

Newsletter

Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

cropped-BTA_Logo-B-1-scaled-1
Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog