In a sign that cybersecurity researchers remain a target of malicious actors, a proof of concept (PoC) has been uncovered on GitHub that conceals a backdoor with a "crafty" persistence method.
"In this respect, the PoC is a wolf in sheep's clothing, harboring evil intentions under the guise of a harmless learning tool," Uptycs researchers Nischay Hegde and Siddartha Malladi said. "It operates as a downloader, silently dumping and executing Linux bash scripts, while disguising its operation as a kernel-level process."
The repository masqueraded as a PoC for CVE-2023-35829, a high-severity flaw recently disclosed in the Linux kernel. It has since been taken down, but not before it was forked 25 times. Another PoC shared by the same account, ChrisSanders22, for CVE-2023-20871, a privilege escalation bug affecting VMware Fusion, was forked twice.
Uptycs also identified a second GitHub profile containing a fake PoC for CVE-2023-35829. It was still available at the time of writing and had been forked 19 times. Closer inspection of the commit history indicates that changes were pushed by ChrisSanders22, suggesting it was forked from the original repository.
The backdoor comes with capabilities to steal sensitive data from compromised hosts and lets the threat actors gain remote access by adding their SSH keys to the .ssh/authorized_keys file.
"The PoC intends for us to run the make command, which is an automation tool used to compile and build executables from source code files," the researchers explained. "But inside the Makefile there is a code snippet that builds and executes the malware. The malware and the running file are named kworker, which adds the path $HOME/.local/kworker to $HOME/.bashrc, thus establishing persistence."
The development comes barely a month after VulnCheck uncovered a number of fake GitHub accounts posing as security researchers to distribute malware under the guise of PoC exploits for popular software such as Discord, Google Chrome, Microsoft Exchange Server, Signal, and WhatsApp.
Users who have downloaded and run the PoC are advised to remove any unauthorized SSH keys from .ssh/authorized_keys, delete the kworker file, remove the kworker path from the .bashrc file, and check /tmp/.iCE-unix.pid for potential threats.
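The two practical steps above, reviewing what a Makefile recipe will execute before running `make`, and checking a host for the kworker indicators, as an added shell example that is not part of the article or of Uptycs' research. It uses only the paths the article names ($HOME/.local/kworker, the .bashrc line, /tmp/.iCE-unix.pid, .ssh/authorized_keys); the sample Makefile, home directory and SSH keys it creates are constructed for the demonstration, and the function names, the `demo` argument and the Linux-only process listing are this example's own.

```sh
#!/bin/sh
# Added example (not Uptycs' code or the fake PoC's): a triage helper for the
# indicators named in the article: $HOME/.local/kworker, the line added to
# $HOME/.bashrc, /tmp/.iCE-unix.pid and unexpected authorized_keys entries.
# The sample Makefile and home directory below are constructed for the demo.

# Print a Makefile's targets and the commands each recipe would run, without
# invoking make. Recipe lines begin with a tab; targets end in ':' (not ':=').
show_make_recipes() {
    awk '
        substr($0, 1, 1) == "\t"      { print "  runs: " substr($0, 2); next }
        /^[A-Za-z_.][^:=]*:([^=]|$)/  { print "target: " $0 }
    ' "$1"
}

# Build a throwaway home directory that looks like a host that ran the PoC.
# Everything in it is constructed sample data.
make_sample_home() {
    dir=$(mktemp -d)
    mkdir -p "$dir/.local" "$dir/.ssh"
    printf '#!/bin/sh\necho sample\n' > "$dir/.local/kworker"
    printf 'export PATH=$HOME/bin:$PATH\n$HOME/.local/kworker\n' > "$dir/.bashrc"
    printf 'ssh-ed25519 AAAAC3-sample-key-1 user@laptop\nssh-ed25519 AAAAC3-sample-key-2 unknown@host\n' \
        > "$dir/.ssh/authorized_keys"
    # A recipe that compiles the PoC and then quietly runs an extra script.
    printf '.PHONY: all\nall: poc\n\tcc -o poc poc.c\n\tsh ./setup.sh\n' > "$dir/Makefile"
    echo "$dir"
}

# Report indicators. $1 = home dir, $2 = tmp dir (default $HOME and /tmp).
# Returns 0 if nothing was found, 1 if any indicator is present.
audit_home() {
    home=${1:-$HOME}; tmp=${2:-/tmp}; found=0
    [ -e "$home/.local/kworker" ] && { echo "FOUND: $home/.local/kworker"; found=1; }
    grep -q 'kworker' "$home/.bashrc" 2>/dev/null && { echo "FOUND: kworker entry in $home/.bashrc"; found=1; }
    [ -e "$tmp/.iCE-unix.pid" ] && { echo "FOUND: $tmp/.iCE-unix.pid"; found=1; }
    if [ -f "$home/.ssh/authorized_keys" ]; then
        echo "REVIEW: authorized_keys entries (remove any you did not add):"
        sed 's/^/  /' "$home/.ssh/authorized_keys"
    fi
    return $found
}

# Remove the file-system indicators. SSH keys are listed, not deleted: only
# the account owner can tell which entries are unauthorized.
clean_home() {
    home=${1:-$HOME}; tmp=${2:-/tmp}
    rm -f "$home/.local/kworker" "$tmp/.iCE-unix.pid"
    if [ -f "$home/.bashrc" ]; then
        grep -v 'kworker' "$home/.bashrc" > "$home/.bashrc.clean" || true
        mv "$home/.bashrc.clean" "$home/.bashrc"
    fi
}

# Real kworker threads are kernel threads with names like kworker/0:1; a
# userland process whose comm is exactly "kworker" is suspect. Linux only.
list_userland_kworker() {
    ps -eo pid=,comm=,args= | awk '$2 == "kworker"'
}

# Run against the constructed home (the tmp dir is also pointed at it so the
# demo never touches the real /tmp): sh triage.sh demo
if [ "${1:-}" = "demo" ]; then
    H=$(make_sample_home)
    show_make_recipes "$H/Makefile"
    audit_home "$H" "$H" || echo "indicators present; cleaning"
    clean_home "$H" "$H"
    audit_home "$H" "$H" && echo "clean"
    rm -rf "$H"
fi
```

To audit a real account, source the file and call `audit_home` with no arguments; `clean_home` only removes the kworker file, the .bashrc line and the pid file, and deliberately leaves authorized_keys for a manual pass, since the script cannot know which keys are yours.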
“While it is difficult to distinguish legitimate PoCs from fraudulent ones, adopting secure practices such as testing in isolated environments (e.g., virtual machines) can provide another layer of protection,” the researchers said.