A fake repository has been discovered on GitHub that disguised itself as a proof of concept (PoC) repository demonstrating a vulnerability, but instead was a hidden data-stealing backdoor, according to research by Uptycs.

This backdoor particularly affected the cybersecurity research community, as researchers rely on PoCs to understand potential vulnerabilities, Uptycs said.

“In this instance, the PoC is a wolf in sheep’s clothing, harboring malicious intent under the guise of a harmless learning tool,” Uptycs said. The backdoor operates as a downloader. It silently drops and executes a Linux bash script while disguising its operations as a kernel-level process.

The backdoor has broad data-stealing capabilities and can exfiltrate a wide array of data, from the hostname and username to an exhaustive list of home directory contents. “An attacker can gain full access to a target system by adding their ssh key to the authorized_keys file,” Uptycs said.

While the fake PoC was removed from GitHub, according to the researchers, it had been widely shared, gaining significant engagement before it was exposed. “For those who have executed it, the likelihood of data compromise is high,” Uptycs said.

The fake PoC

The fake PoC claimed to address a critical vulnerability, CVE-2023-35829. Researchers at Uptycs discovered several unusual activities that suggested the PoC might be deceptive.

“Suspicious activity included unexpected network connections, unusual data transfers, and unauthorized system access attempts,” Uptycs said.

Upon investigation, it was found that the PoC is a copy of an old, legitimate exploit for another Linux kernel vulnerability, CVE-2022-34918. The only difference was an additional file, “src/aclocal.m4,” which acted as a downloader for a Linux bash script.

The PoC is built from source code files with the “make” command. The build creates a “kworker” file and adds its file path to the “bashrc” file, so the malware is re-launched every time the victim opens a shell and keeps operating within the system. The researchers said this persistence methodology is quite crafty.

Researchers also observed the same profile, ChriSander22 on GitHub, circulating another bogus PoC for VMware Fusion CVE-2023-20871. “Its contents are the same as CVE-2023-35829, with the same aclocal.m4 triggering the installation of the hidden backdoor,” Uptycs said.

Safeguarding against malicious PoCs

Although it can be challenging to distinguish legitimate PoCs from deceptive ones, adopting safe practices such as testing in isolated environments or virtual machines can provide a layer of protection for security researchers.

In this particular case, Uptycs recommends removing any unauthorized ssh keys, deleting the kworker file, removing the kworker path from the bashrc file, and checking /tmp/.iCE-unix.pid for potential threats.

“Although not entirely new, this trend of spreading malware through PoCs poses a significant concern, and it's likely we’ll see this tactic continue to evolve,” Uptycs said.

In May, malicious GitHub repositories that claimed to be Signal zero day and WhatsApp zero day exploits were reported to GitHub by VulnCheck. The cybersecurity firm said that recently the individual(s) creating these repositories have put more effort into making them look legitimate by creating a network of accounts.

“The attacker has created half a dozen GitHub accounts and a handful of associated Twitter accounts. The accounts all pretend to be part of a non-existent security company called High Sierra Cyber Security,” VulnCheck said in the report.
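A defender-side audit for the cleanup items Uptycs recommends above (kworker reference in bashrc, the /tmp/.iCE-unix.pid indicator, unauthorized ssh keys), as an added example that is not part of the Uptycs report. The paths come from the article; the known-keys allowlist file, its one-key-per-line format, and the sample data are assumptions constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example, not from the Uptycs write-up. Functions return 1 when an
# indicator is present so they compose with "||" in a cleanup checklist.

# Return 1 (and print the lines) if FILE references the kworker binary.
bashrc_references_kworker() {
    grep -n 'kworker' "$1" 2>/dev/null && return 1
    return 0
}

# Return 1 if the indicator file the article names exists (default path from the article).
pid_indicator_present() {
    [ -e "${1:-/tmp/.iCE-unix.pid}" ] && return 1
    return 0
}

# Return 1 if AUTHKEYS holds a key whose "type base64" part is absent from KNOWN.
# KNOWN is an assumed allowlist file with one public key per line.
unauthorized_keys_present() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        keyid=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
        if ! grep -qF -e "$keyid" "$2"; then
            printf 'unrecognized key: %s\n' "$line"
            found=1
        fi
    done < "$1"
    return $found
}

# Run all three checks; the return value is the number of indicators found.
audit_host() {
    hits=0
    bashrc_references_kworker "$1" || { echo "[!] kworker path in $1"; hits=$((hits+1)); }
    pid_indicator_present "$2" || { echo "[!] indicator file present: $2"; hits=$((hits+1)); }
    unauthorized_keys_present "$3" "$4" || { echo "[!] unrecognized keys in $3"; hits=$((hits+1)); }
    return $hits
}

# Build a directory of constructed sample files (not real host data) and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'export PATH=$PATH:/usr/local/bin\n/home/victim/src/kworker &\n' > "$d/bashrc"
    printf 'ssh-ed25519 AAAAC3KnownKeyPlaceholder== user@laptop\n' > "$d/known_keys"
    cp "$d/known_keys" "$d/authorized_keys"
    printf 'ssh-rsa AAAAB3AttackerKeyPlaceholder== root@unknown\n' >> "$d/authorized_keys"
    : > "$d/.iCE-unix.pid"
    printf '%s\n' "$d"
}

SAMPLE=$(make_sample_dir)
if audit_host "$SAMPLE/bashrc" "$SAMPLE/.iCE-unix.pid" "$SAMPLE/authorized_keys" "$SAMPLE/known_keys"; then
    echo "no indicators found"
else
    echo "indicators found: $?"
fi
rm -rf "$SAMPLE"
```

Against a real host, point the functions at the user's own ~/.bashrc and ~/.ssh/authorized_keys instead of the sample directory.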