Fake WinRAR PoC Exploit Conceals VenomRAT Malware
A supposed exploit for a notable RCE vulnerability in the popular Windows file-archiving utility delivers a big sting for unwitting researchers and cybercriminals.
September 20, 2023
In a new twist on the cybercrime penchant for trojanizing things, a threat actor recently pounced upon a "hot" vulnerability disclosure to create a fake proof of concept (PoC) exploit that concealed the VenomRAT malware.
According to research from Palo Alto Networks, the cyberattacker, who goes by "whalersplonk," took advantage of a very real remote code execution (RCE) security bug in WinRAR (CVE-2023-40477) that was made public on Aug. 17. The attacker quickly assembled a convincing but fake PoC for the bug and pushed it to a GitHub repository the same week, knowing that the flaw would attract attention: WinRAR, after all, has more than 500 million users worldwide.
The PoC was believable because it was adapted from a publicly available PoC script for a SQL injection vulnerability in an application called GeoServer, according to the researchers. In reality, once run, it kicked off an infection chain that ended with the VenomRAT payload being installed on the victim's computer. VenomRAT appeared for sale on Dark Web forums over the summer, loaded with spyware and persistence capabilities.
While this sort of gambit would at first appear to be part of the tried-and-true tradition of targeting security researchers with espionage tools, Palo Alto researchers think it was actually more of a lark for the perpetrator.
"It is likely [that] the actors are opportunistic and looking to compromise other miscreants trying to adopt new vulnerabilities into their operations," according to the firm's research, issued Sept. 19. "The actors acted quickly to capitalize on the severity of an RCE in a popular application."