A Deceptive Attack with a PoC Lure for CVE-2023-40477

Category: Threat Actor Activity | Industry: Global | Source: Unit42

Using the lure of proof of concept (PoC) code, Unit42's threat intelligence analyst, Robert Falcone reports the weaponization of CVE-2023-40477, a remote code execution (RCE) vulnerability in WinRAR to deploy a VenomRAT payload. The vulnerability was publicly disclosed on August 17th, 2023 however, a threat actor using the alias whalersplonk, introduced a fabricated PoC script on GitHub merely four days after the public disclosure. Based on Unit42's timeline, the "threat actor created the checkblacklistwords[.]eu domain used in the infection chain at least 10 days prior to the public release of CVE-2023-40477. This was 14 days before they committed the fake PoC code to GitHub." The timeline of events also indicates "the threat actor had created the infrastructure and payload separately from the fake PoC. Once the vulnerability was publicly released, the actors quickly created the fake PoC to use the severity of an RCE in a popular application like WinRAR to lure in potential victims," Unit42 explains.

Analysis of the infection discovered the attack begins with a ZIP archive containing a misleading README.md file, enticing users with information about the CVE-2023-40477 vulnerability, PoC instructions, and a video guide hosted on streamable[.]com. According to the view count on Streamable over 100 views of the associated video took place and the date when the video was added on August 21st, 2023 also aligns with Unit42's timeline. Although the video is no longer hosted as of August 25th, 2023. Screenshots from the video show the VenomRAT process running in the task manager on the attacker's system during the demonstration.

The attackers modified an open-source PoC script for Geoserver, renaming it poc.py, and made changes to obfuscate its true nature. This modified script does not run the PoC components of the code rather it sets off an infection chain, involving batch scripts and encoded PowerShell scripts, ultimately delivering VenomRAT and establishing communication with a command and control (C2) server. The VenomRAT variant establishes persistence with a scheduled task and is configured with keylogging capabilities, command execution, and communication with the C2 server, and its compilation timestamp suggests it was created using a standard builder.

It's worth noting, that Unit42 found this attempt to distribute a fake PoC wasn't necessarily directed at researchers but seemed more "opportunistic and looking to compromise other miscreants trying to adopt new vulnerabilities into their operations."