A hacker using the name whalersplonk is spreading a fake Proof-of-Concept (PoC) exploit for a recently fixed WinRAR vulnerability on GitHub, attempting to infect those who download it with VenomRAT malware.

The fake PoC exploit was identified by researchers from Palo Alto Networks’ Unit 42 team who reported that the user uploaded the malicious code to GitHub on August 21st, 2023, just 4 days after WinRAR publicly announced the issue.

The malicious code is no longer available on GitHub, but this event highlights the risks of sourcing PoCs from GitHub and running them without additional scrutiny to ensure they’re safe.


CVE-2023-40477

The WinRAR issue is being tracked as CVE-2023-40477, and refers to a vulnerability in versions of WinRAR prior to v6.23.

The CVE is being managed by Trend Micro’s Zero Day Initiative, which discovered the vulnerability and reported it to WinRAR.

The vulnerability triggers a buffer overflow when processing recovery volume names in the old RAR 3.0 format. The user must start unpacking a RAR file in the same folder as a REV file with a malformed name to trigger this vulnerability.

Crashing systems

According to a statement by WinRAR on this vulnerability, “the buffer border is overwritten with pointers to objects returned by the C++ new operator. This makes it difficult for an attacker to control the contents of data written beyond the buffer border. It also makes it difficult to implement a remote code execution exploit. While we can’t claim that it is impossible, all we’ve seen so far is a denial-of-service, or in other words, an application crash that doesn’t lead to code execution, overwriting of system files, or other serious security implications.”

VenomRat

The VenomRAT malware has been on the scene since June 2020 and is typically deployed via spam email phishing campaigns.

As with many Remote Access Trojans (RATs), VenomRAT is sold on dark web marketplaces with a number of options, including bullet-proof hosting (hosting on a web server that is almost impossible for law enforcement to take down) and HVNC (Hidden Virtual Network Computing, a covert way to interact with a remote host without the user knowing, which lets the attacker operate the host as if sitting at the victim’s keyboard).


The malware is written in C#, but uses obfuscated Microsoft Office macro scripts to download malicious files.

When deployed successfully on a victim device, VenomRat uses PowerShell scripts to prepare the compromised environment for activity that includes collecting user credentials, stealing crypto-wallet data, changing firewall settings and editing RDP settings.

Some variants of VenomRAT have a built-in AES+RSA encryption tool, a cryptolocker that blocks access to files by encrypting them and adding the “.Venom” extension. These variants drop a file called ‘HOW-TO-RECOVER-YOUR-FILES.txt’ demanding $999 in ransom, payable in cryptocurrency, and giving the address of the attackers’ crypto-wallet.

The GitHub fake PoC creates a batch script on the victim machine that downloads an encoded PowerShell script and executes it; that script in turn downloads the VenomRAT malware and establishes persistence by creating a scheduled task that runs it every three minutes.
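The infection chain described above (batch file, encoded PowerShell, high-frequency scheduled task) is the kind of sequence that shows up clearly in process-creation telemetry. The following is an added detection example, not code from the original article or from Unit 42; the Sysmon-style event records, the task name and paths, and the five-minute threshold are all constructed for illustration.

```python
import re

# Constructed, simplified process-creation records (Sysmon Event ID 1 style fields).
# Events 1 and 2 mimic the chain described in the article; event 3 is a benign daily task.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\Downloads\poc\run.bat"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 3 /tn "Updater" /tr "C:\Users\victim\AppData\Roaming\x.exe" /f'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"'},
]

# PowerShell's -EncodedCommand switch and its documented abbreviations.
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# schtasks minute-based schedule with its repeat interval captured.
MINUTE_TASK = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.IGNORECASE)
MAX_BENIGN_MINUTES = 5  # constructed threshold: legitimate tasks rarely repeat this often

def classify(event: dict) -> list[str]:
    """Return the names of the suspicious patterns a single process event matches."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    cmd = event["CommandLine"]
    hits = []
    # A batch file (cmd.exe) launching PowerShell with an encoded command body.
    if image.endswith("powershell.exe") and parent.endswith("cmd.exe") and ENCODED_FLAG.search(cmd):
        hits.append("encoded_powershell_from_cmd")
    # schtasks registering a task that re-runs every few minutes: a persistence beacon.
    if image.endswith("schtasks.exe") and "/create" in cmd.lower():
        m = MINUTE_TASK.search(cmd)
        if m and int(m.group(1)) <= MAX_BENIGN_MINUTES:
            hits.append("high_frequency_scheduled_task")
            if parent.endswith("powershell.exe"):
                hits.append("scheduled_task_from_powershell")
    return hits

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, patterns) for every event that matched at least one pattern."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]

if __name__ == "__main__":
    for idx, patterns in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], patterns)
```

Correlating the two hits on the same host within a short window (encoded PowerShell spawned from a batch file, followed by a minute-interval task created by PowerShell) gives a far stronger signal than either rule alone.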