Fake WinRAR Proof-of-Concept Exploit Drops VenomRAT Malware

Cyber Security Threat Summary:
The severity level is classified as 'high' because the mentioned CVE pertains to a vulnerability capable of remote code execution. This vulnerability has the potential to allow malicious actors to run arbitrary code on Windows systems where WinRAR is installed, making it a significant and risky issue.

Fake WinRAR Proof-of-Concept Exploit Drops VenomRAT Malware

Threat actors exploited a recently disclosed WinRAR vulnerability (CVE-2023-40477) by repurposing an older proof-of-concept (PoC) code. The Zero Day Initiative initially reported the WinRAR vulnerability to the vendor on June 8, 2023, but publicly disclosed it on August 17, 2023. Within four days of the public disclosure, an actor known as "whalersplonk" uploaded a fake PoC script to their GitHub repository.

This deceptive PoC, falsely claiming to exploit the WinRAR vulnerability, was actually based on publicly available PoC code for a different vulnerability, CVE-2023-25157, affecting GeoServer. When executed, the fake PoC triggered an infection chain that ultimately delivered the VenomRAT malware.

It's important to note that the threat actors likely weren't targeting researchers but rather intended to compromise individuals or entities attempting to exploit newly revealed vulnerabilities. The VenomRAT payload executed keylogging functionality, communicated with a command-and-control server, and executed various commands on the infected device.

Security Officer Comments:
Exploiting a critical vulnerability that lacks a Proof of Concept (PoC) by crafting and sharing a fraudulent PoC post, leading multiple companies to investigate the issue and ultimately fall victim to malware attacks. The timeline of events indicates that the threat actor had set up the infrastructure and payload independently before the public disclosure of the WinRAR vulnerability.

Suggested Correction(s):
This incident highlights the potential risks linked to deceptive Proof of Concepts (PoCs) and underscores the crucial importance of thoroughly reviewing code from sources that are not trusted. It also emphasizes the need to keep applications like these regularly patched and up to date.