2023-07-13

The unceasing work of computer security researchers has uncovered another proof of concept (PoC) on GitHub that hides a backdoor with a "smart" persistence method. It is a fake PoC, as we will see shortly; curiously, it was discovered only a few days after another one.

What does this fake PoC do?

“In this case, the PoC [fake PoC, for the record] is a wolf in sheep’s clothing, harboring malicious intent in the guise of a harmless learning tool,” declared Uptycs researchers Nischay Hegde and Siddartha Malladi. “Acting as a downloader, it silently downloads and executes a Linux bash script, disguising its operations as a kernel-level process.”

The repository (the fake PoC) masquerades as a legitimate PoC for CVE-2023-35829, a recently disclosed high-severity flaw in the Linux kernel. It has since been removed, but not before being forked 25 times. Another PoC shared by the same account, ChriSanders22, for CVE-2023-20871, a privilege escalation bug affecting VMware Fusion, has been forked twice.

Uptycs also identified a second GitHub profile hosting a fake PoC for CVE-2023-35829. It was still available at the time of writing and has been forked at least twenty times. Closer examination of the commit history shows that the changes were pushed by ChriSanders22, suggesting it was forked from the original repository.

The backdoor comes with a variety of features to steal sensitive data from compromised hosts and allows a threat actor to gain remote access by adding their SSH key to the .ssh/authorized_keys file.

“The PoC intends that we run a make command, which is an automation tool used to compile and create executables from source code files,” explained the researchers. “But inside the Makefile resides a snippet of code that creates and executes the malware. The malware names and executes a file called kworker, which adds the path $HOME/.local/kworker to $HOME/.bashrc, thus establishing its persistence.”

The development comes almost a month after VulnCheck discovered a number of fake GitHub accounts posing as security researchers to distribute malware under the guise of PoC exploits for popular software such as Discord, Google Chrome, Microsoft Exchange Server, Signal, and WhatsApp.

Users who have downloaded and run these PoCs are advised to remove unauthorized SSH keys, delete the kworker file, remove the kworker path from the .bashrc file, and check /tmp/.iCE-unix.pid for potential threats.
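The persistence mechanism the researchers describe and the cleanup steps listed here can be turned into a small host audit. The following POSIX shell script is an added example, not code from the article or from Uptycs: it takes the indicator values the write-up gives ($HOME/.local/kworker, a line referencing that path appended to $HOME/.bashrc, /tmp/.iCE-unix.pid, and entries in .ssh/authorized_keys), reports which are present, lists the SSH keys for manual review, and strips the .bashrc entry while keeping a backup. The exact text of the appended .bashrc line is not on the page, so the demo seeds a constructed approximation; the whole demo home directory is a throwaway created under mktemp, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or from Uptycs): audit a user's home directory
# for the persistence indicators the write-up describes, and clean the .bashrc entry.
# Indicator values come from the article; the demo home directory and its contents
# are constructed here for illustration only.

KWORKER_REL='.local/kworker'      # file the malware drops under $HOME
BASHRC_MARKER='.local/kworker'    # substring of the line it appends to $HOME/.bashrc
PID_FILE_NAME='.iCE-unix.pid'     # checked under /tmp on a real host

# Exit 0 if the given bashrc contains a reference to the kworker path.
bashrc_has_kworker() {
    [ -f "$1" ] && grep -q -F "$BASHRC_MARKER" "$1"
}

# Print every indicator found; the exit status is the number of indicators (0..3).
# Arguments: home directory, directory standing in for /tmp (defaults to /tmp).
audit_home() {
    home="$1"; tmpdir="${2:-/tmp}"; found=0
    if [ -e "$home/$KWORKER_REL" ]; then
        echo "FOUND dropped file: $home/$KWORKER_REL"; found=$((found + 1))
    fi
    if bashrc_has_kworker "$home/.bashrc"; then
        echo "FOUND persistence line in: $home/.bashrc"; found=$((found + 1))
    fi
    if [ -e "$tmpdir/$PID_FILE_NAME" ]; then
        echo "FOUND pid file: $tmpdir/$PID_FILE_NAME"; found=$((found + 1))
    fi
    return $found
}

# Strip the kworker line from a bashrc, keeping a .bak copy of the original.
remove_kworker_from_bashrc() {
    rc="$1"
    [ -f "$rc" ] || return 0
    cp "$rc" "$rc.bak"
    # grep -v exits 1 when no line survives, which is not an error here
    grep -v -F "$BASHRC_MARKER" "$rc.bak" > "$rc" || true
}

# List authorized_keys entries (type, key prefix, comment) for review against known keys.
list_ssh_keys() {
    ak="$1/.ssh/authorized_keys"
    [ -f "$ak" ] || { echo "no authorized_keys under $1"; return 0; }
    awk '{ printf "%d: %s %s... %s\n", NR, $1, substr($2, 1, 16), $3 }' "$ak"
}

# Constructed demo: a throwaway fake HOME seeded with every indicator.
make_demo_home() {
    d=$(mktemp -d)
    mkdir -p "$d/.local" "$d/.ssh" "$d/tmp"
    printf 'echo placeholder, not the real payload\n' > "$d/$KWORKER_REL"
    # constructed approximation of the appended line; the real text is not on the page
    printf 'export PATH=$PATH:/usr/local/bin\n$HOME/.local/kworker\n' > "$d/.bashrc"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDPLACEHOLDERKEY unknown@constructed\n' \
        > "$d/.ssh/authorized_keys"
    : > "$d/tmp/$PID_FILE_NAME"
    echo "$d"
}

# Stand-alone run: seed, audit, clean, audit again, then discard the demo home.
demo() {
    d=$(make_demo_home)
    echo "== before cleanup =="
    audit_home "$d" "$d/tmp" || :
    list_ssh_keys "$d"
    remove_kworker_from_bashrc "$d/.bashrc"
    echo "== after cleanup =="
    audit_home "$d" "$d/tmp" || :
    rm -rf "$d"
}
demo
```

To audit a real account, call `audit_home "$HOME"` and `list_ssh_keys "$HOME"` and review the output before deleting anything; the dropped file and the pid file are left for the operator to remove deliberately. On the Makefile point: `make -n` prints a recipe without running it, but GNU make still expands `$(shell ...)` at parse time, so a dry run is not a safe way to inspect an untrusted Makefile; read it in an editor first.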

“While it can be difficult to distinguish legitimate PoCs from deceptive ones, adopting secure practices such as testing in isolated environments (for example, virtual machines) can provide a [greater] level of protection,” said the researchers.