"Cybersecurity Community Warned of Fake PoC Exploits Delivering Malware"

Researchers discovered fake proof-of-concept (PoC) exploits that appear to have been created by threat actors to deliver malware to members of the cybersecurity community. On May 19, researchers revealed that GitHub was hosting malware disguised as PoC exploits for two Windows vulnerabilities Microsoft fixed with its April 2022 Patch Tuesday updates. The fake PoC exploits, which GitHub has since removed, were delivered as executable files that, when run, can open a backdoor on the system.

The PoC exploits claimed to target CVE-2022-24500 and CVE-2022-26809, both of which can be used for Remote Code Execution (RCE) on Windows systems. Although there is no indication that the flaws have been used in attacks, some cybersecurity companies warn that they could pose a serious risk; CVE-2022-26809, for example, is suspected to be wormable.

The threat intelligence company Cyble analyzed the fake PoC exploits and determined that threat actors were likely using them against members of the infosec community. Cyble also found posts on cybercrime forums in which the exploits were being discussed. The fake PoC exploits, which appeared to have been created by the same threat actor, were .NET binaries packed with an open-source application protector called ConfuserEx. Once executed, they displayed fake messages showing a failed attempt to exploit CVE-2022-24500 or CVE-2022-26809. After this routine, the files executed a covert PowerShell command that delivered the Cobalt Strike Beacon payload, which may be used to download further malware and move laterally. This article continues to discuss the discovery of fake PoC exploits being used to deliver malware.
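The pattern described above (a "PoC" shipped as a .NET executable that prints a fake failure and then runs a hidden PowerShell command) lends itself to a simple pre-execution triage check. The script below is an added example written for this summary; it is not code from the article, from Cyble or from Security Week. The heuristics are assumptions chosen for illustration: a PoC is normally source text, so an `MZ` header is a red flag on its own; the import names `mscoree.dll` and `_CorExeMain` identify a managed (.NET) binary; and any embedded `powershell ... -EncodedCommand` argument is base64 of UTF-16LE text that can be decoded so an analyst can read it without running anything. The two sample files are constructed in the script and are not real malware.

```python
"""Triage a file that claims to be a proof-of-concept exploit before anyone runs it.

Heuristics (defender-side assumptions chosen for this example):
  * a PoC for a vulnerability is normally source code; a PE executable
    (MZ header) is a red flag in itself,
  * strings that only appear in .NET assemblies (mscoree.dll, _CorExeMain)
    tell you the PE is a managed binary,
  * an embedded PowerShell invocation with an -EncodedCommand argument is
    decoded so the analyst can read what it would run.
"""
import base64
import re
from dataclasses import dataclass, field

DOTNET_MARKERS = (b"mscoree.dll", b"_CorExeMain", b"_CorDllMain")

# powershell[.exe] <anything on the same line> -e/-ec/-enc/-encodedcommand <base64>
ENCODED_PS = re.compile(
    rb"powershell(?:\.exe)?[^\r\n]{0,200}?-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


@dataclass
class Triage:
    name: str
    is_pe: bool
    is_dotnet: bool
    decoded_powershell: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.is_pe or self.decoded_powershell:
            return "do-not-run: binary or hidden PowerShell; analyse in an isolated sandbox only"
        return "source-text: still read it before running"


def decode_encoded_powershell(data: bytes) -> list[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; decode every hit found in the file."""
    out = []
    for m in ENCODED_PS.finditer(data):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            out.append("<undecodable blob>")
    return out


def triage(name: str, data: bytes) -> Triage:
    is_pe = data[:2] == b"MZ"
    lowered = data.lower()
    is_dotnet = is_pe and any(m.lower() in lowered for m in DOTNET_MARKERS)
    return Triage(name, is_pe, is_dotnet, decode_encoded_powershell(data))


def _constructed_samples() -> dict[str, bytes]:
    """Two constructed inputs (not real files): a fake .NET 'PoC' and a genuine source PoC."""
    hidden = "Write-Output 'constructed sample payload'"
    encoded = base64.b64encode(hidden.encode("utf-16-le"))
    fake_poc = (
        b"MZ" + b"\x00" * 62                                   # DOS header stub
        + b"This program cannot be run in DOS mode.\r\n"
        + b"mscoree.dll\x00_CorExeMain\x00"                     # .NET import names
        + b"[!] Exploit for CVE-2022-26809 failed: target not vulnerable\x00"  # the decoy message
        + b"powershell.exe -nop -w hidden -enc " + encoded + b"\x00"
    )
    real_poc = b"#!/usr/bin/env python3\nimport socket\n# connects to the target and sends the trigger packet\n"
    return {"poc_cve-2022-26809.exe": fake_poc, "poc.py": real_poc}


if __name__ == "__main__":
    for name, data in _constructed_samples().items():
        t = triage(name, data)
        print(f"{name}: pe={t.is_pe} dotnet={t.is_dotnet} -> {t.verdict}")
        for cmd in t.decoded_powershell:
            print("   decoded PowerShell:", cmd)
```

The check is deliberately cheap and static: it never executes the sample, and a positive result on any of the three heuristics is a reason to stop and inspect the file in an isolated environment rather than on an analyst workstation. Real .NET binaries should additionally be inspected with a proper PE parser; the string markers here are a first-pass filter, not a replacement for one.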

Security Week reports "Cybersecurity Community Warned of Fake PoC Exploits Delivering Malware"
