Researchers from threat intelligence firm Cyble uncovered a malware campaign targeting the Information Security community. The experts discovered a post in which a researcher shared fake Proof of Concept (PoC) exploit code for an RPC Runtime Library Remote Code Execution flaw (CVE-2022-26809, CVSS score 9.8). The malware, disguised as the fake PoC code, was available on GitHub. “Upon further investigation, we discovered that this is malware disguised as an Exploit. Similarly, we found a malicious sample that appears to be a fake PoC of CVE-2022-24500.” reads the post published by Cyble. “Both malicious samples were available on GitHub. Interestingly, both repositories belong to the same profile, indicating the possibility that the Threat Actor (TA) might be hosting a malware campaign targeting Infosec Community.”
It is never recommended to download and run precompiled Proof of Concept (PoC) exploits without first reviewing the source code, if it is available. This threat actor was relying on the assumption that InfoSec professionals would run the exploit without understanding how it works. Unfortunately, they were probably successful in some cases, since many InfoSec professionals rely on tools and exploits written by others, and not all of them take the time to understand how those tools work before running them.