Fake WinRAR PoC Exploit Conceals VenomRAT Malware

A supposed exploit for a notable RCE vulnerability in the popular Windows file-archiving utility delivers a big sting for unwitting researchers and cybercriminals.

A trojan horse created out of computer code
Source: The lightwriter via Alamy Stock Photo

In a new twist on the cybercrime penchant for trojanizing things, a threat actor recently pounced upon a "hot" vulnerability disclosure to create a fake proof of concept (PoC) exploit that concealed the VenomRAT malware.

According to research from Palo Alto Networks, the cyberattacker, who goes by "whalersplonk," took advantage of a very real remote code execution (RCE) security bug in WinRAR (CVE-2023-40477) that was made public on Aug. 17. The attacker quickly pulled together a convincing but fake PoC for the bug, which it pushed out to a GitHub repository the same week knowing that the flaw would attract attention — WinRAR, after all, has more than 500 million users worldwide.

The PoC was believable because it was based on a publicly available PoC script for a SQL injection vulnerability in an application called GeoServer, according to the researchers. In reality, once opened, it kicked off an infection chain that ended with the VenomRAT payload being installed on victim computers. VenomRAT appeared for sale in Dark Web forums over the summer, loaded with spyware and persistence capabilities.

While this sort of gambit would at first appear to be part of the tried-and-true tradition of targeting security researchers with espionage tools, Palo Alto researchers think it was actually more of a lark for the perpetrator.

"It is likely [that] the actors are opportunistic and looking to compromise other miscreants trying to adopt new vulnerabilities into their operations," according to the firm's research, issued Sept. 19. "The actors acted quickly to capitalize on the severity of an RCE in a popular application."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights