The PoC contains a backdoor, which has broad data-stealing capabilities and can exfiltrate a wide array of data from the hostname and username to an exhaustive list of home directory contents. Credit: Antonio Silveira, modified by IDG

A fake repository has been discovered on GitHub that disguised itself as a proof of concept (PoC) repository demonstrating a vulnerability, but instead was a hidden data-stealing backdoor, according to research by Uptycs.

This backdoor particularly affected the cybersecurity research community, as researchers rely on PoCs to understand potential vulnerabilities, Uptycs said. "In this instance, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool," Uptycs said.

The backdoor operates as a downloader. It silently drops and executes a Linux bash script while disguising its operations as a kernel-level process. The backdoor has broad data-stealing capabilities and can exfiltrate a wide array of data, from the hostname and username to an exhaustive list of home directory contents. "An attacker can gain full access to a target system by adding their ssh key to the authorized_keys file," Uptycs said.

While the fake PoC was removed from GitHub, according to the researchers, it had been widely shared, gaining significant engagement before it was exposed. "For those who have executed it, the likelihood of data compromise is high," Uptycs said.

The fake PoC

The fake PoC claimed to address a critical vulnerability, CVE-2023-35829. Researchers at Uptycs discovered several unusual activities that suggested the PoC might be deceptive. "Suspicious activity included unexpected network connections, unusual data transfers, and unauthorized system access attempts," Uptycs said. Upon investigation, it was found that the PoC is a copy of an old, legitimate exploit for another Linux kernel vulnerability, CVE-2022-34918.
The only difference was an additional file, "src/aclocal.m4," which acted as a downloader for a Linux bash script. The PoC is used to build executables from source code files. It leverages the "make" command to create a "kworker" file and adds its file path to the "bashrc" file, thus enabling the malware to continually operate within a victim's system. The researchers said this persistence methodology is quite crafty.

Researchers also observed the same profile, ChriSander22 on GitHub, circulating another bogus PoC, for VMware Fusion CVE-2023-20871. "Its contents are the same as CVE-2023-35829, with the same aclocal.m4 triggering the installation of the hidden backdoor," Uptycs said.

Safeguarding against malicious PoCs

While it can be challenging to distinguish legitimate PoCs from deceptive ones, adopting safe practices such as testing in isolated environments or virtual machines can provide a layer of protection for security researchers. In this particular case, Uptycs recommends removing any unauthorized ssh keys, deleting the kworker file, removing the kworker path from the bashrc file, and checking /tmp/.iCE-unix.pid for potential threats.

"Although not entirely new, this trend of spreading malware through PoCs poses a significant concern, and it's likely we'll see this tactic continue to evolve," Uptycs said.

In May, malicious GitHub repositories that claimed to be Signal zero day and WhatsApp zero day were reported to GitHub by VulnCheck. The cybersecurity firm said that recently the individual(s) creating these repositories have put more effort into making them look legitimate by creating a network of accounts. "The attacker has created half a dozen GitHub accounts and a handful of associated Twitter accounts. The accounts all pretend to be part of a non-existent security company called High Sierra Cyber Security," VulnCheck said in the report.
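The Uptycs remediation steps described above (unauthorized ssh keys, the kworker entry in bashrc, the /tmp/.iCE-unix.pid marker) translate directly into a host triage check. The script below is an added example written for this article; it is not code from Uptycs or from the fake repository. It assumes the backdoor's persistence entry appears as a line containing "kworker" in the user's .bashrc, that a list of known-good public keys is kept in a separate file the operator maintains, and that the marker file lives directly under the temp directory passed in; all sample data in the test is constructed.

```shell
#!/bin/sh
# Added example (not Uptycs code): triage checks for the indicators the
# article lists. Locations and the "kworker" string are assumptions about
# how the persistence entry looks on an affected host.

# check_bashrc_for_kworker HOMEDIR
# Prints any .bashrc line mentioning kworker; returns 0 if at least one exists.
check_bashrc_for_kworker() {
    rc="$1/.bashrc"
    [ -f "$rc" ] || return 1
    grep -n 'kworker' "$rc"
}

# list_unexpected_keys HOMEDIR KNOWN_KEYS_FILE
# Prints authorized_keys entries whose "type blob" pair is absent from the
# operator-maintained known-good list; returns 0 if any such entry exists.
list_unexpected_keys() {
    ak="$1/.ssh/authorized_keys"
    known="$2"
    [ -f "$ak" ] || return 1
    found=1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # Compare only key type and base64 blob; the trailing comment is
        # free text an attacker can set to anything.
        blob=$(printf '%s\n' "$line" | awk '{print $1" "$2}')
        if ! grep -qF -- "$blob" "$known" 2>/dev/null; then
            printf 'UNEXPECTED: %s\n' "$line"
            found=0
        fi
    done < "$ak"
    return $found
}

# check_pid_marker TMPDIR
# Returns 0 if the .iCE-unix.pid marker named by Uptycs is present.
check_pid_marker() {
    [ -e "$1/.iCE-unix.pid" ]
}

# scan_home HOMEDIR KNOWN_KEYS_FILE TMPDIR
# Runs all three checks and prints the number of indicators found (0-3).
scan_home() {
    hits=0
    if check_bashrc_for_kworker "$1" >/dev/null; then hits=$((hits+1)); fi
    if list_unexpected_keys "$1" "$2" >/dev/null; then hits=$((hits+1)); fi
    if check_pid_marker "$3"; then hits=$((hits+1)); fi
    echo "$hits"
}

# Stand-alone usage: scan.sh HOMEDIR KNOWN_KEYS_FILE [TMPDIR]
if [ "$#" -ge 2 ]; then
    scan_home "$1" "$2" "${3:-/tmp}"
fi
```

The key comparison deliberately ignores the comment field of each authorized_keys line, since a planted key can carry any label; matching on type plus key material is what tells a known key from an unknown one. A non-zero count is a reason to image the host rather than just delete the files, because the same script that wrote these artifacts has already had the chance to exfiltrate home directory contents.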