A fraudulent proof-of-concept (PoC) exploit for the LDAPNightmare vulnerability (CVE-2024-49113) has been circulating on GitHub, secretly deploying infostealer malware that exfiltrates user data to an external FTP server. The malicious repository mimics SafeBreach Labs' legitimate PoC for the same flaw, leveraging its popularity to lure unsuspecting users.
Upon execution, the fake exploit drops a PowerShell script that sets up a scheduled task, which fetches additional scripts to gather sensitive system data, including IP addresses, installed updates, and process lists, and uploads the information in a ZIP file to the attacker's server.
This highlights an ongoing trend where threat actors disguise malware as PoC exploits to exploit security researchers and users. GitHub users are urged to verify repository authenticity, review code before running it, and use tools like VirusTotal to inspect binaries for malware.
Caution, and sourcing exploits only from trusted cybersecurity firms or reputable researchers, are essential to avoid falling victim to such tactics.
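The "review code before running it" advice above can be partly mechanised. The script below is an added example written for this page; it is not SafeBreach Labs' PoC, nor code from the malicious repository. It walks a downloaded repository, records the SHA-256 of every file (the hash can be searched on VirusTotal without uploading anything), flags compiled binaries that a source-only PoC should not contain, and scans text files for the behaviours the article describes: scheduled-task creation, PowerShell download cradles, encoded commands, FTP upload targets and hidden-window launches. The indicator regexes are heuristics chosen for this example, not a published signature set, and the sample repository contents, including the `203.0.113.10` documentation-range address, are constructed inline so the script runs offline. It generalises beyond this one campaign to any PoC pulled from an untrusted repository.

```python
"""Pre-execution review of a downloaded PoC repository (added example).

Hashes every file for a VirusTotal lookup and flags text indicators of
dropper behaviour before anything in the repository is executed.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Heuristic indicator patterns (assumptions made for this example, not a
# published signature set); matched case-insensitively against file text.
INDICATORS = {
    "scheduled_task": r"\bschtasks\b|Register-ScheduledTask|New-ScheduledTask",
    "download_cradle": r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer",
    "encoded_command": r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String",
    "ftp_upload": r"ftp://|FtpWebRequest",
    "hidden_window": r"-WindowStyle\s+Hidden|-w\s+hidden",
    "long_base64_blob": r"[A-Za-z0-9+/]{200,}={0,2}",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in INDICATORS.items()}
BINARY_SUFFIXES = {".exe", ".dll", ".scr"}  # a source-only PoC should not ship these

# Constructed sample file contents (not real repository files).
BENIGN_SAMPLE = "import socket\n\ndef build_ldap_request():\n    return b'\\x30\\x0c'\n"
SUSPICIOUS_SAMPLE = (
    "import subprocess\n"
    "# constructed dropper stub: hidden PowerShell, encoded command, scheduled task\n"
    "CMD = 'powershell -w hidden -EncodedCommand " + "QUFB" * 80 + "'\n"
    "subprocess.run(['schtasks', '/create', '/tn', 'Example', '/tr', CMD])\n"
    "UPLOAD = 'ftp://203.0.113.10/upload'  # documentation-range placeholder\n"
)


def scan_text(text: str) -> list[str]:
    """Return the sorted names of all indicators found in a file's text."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(text))


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256; the digest is what you search on VirusTotal."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path) -> dict[str, dict]:
    """Map each file (path relative to root, '/'-separated) to its SHA-256 and
    indicator list. Compiled binaries are flagged outright, not text-scanned."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root)).replace(os.sep, "/")
        entry = {"sha256": sha256_of(path), "indicators": []}
        if path.suffix.lower() in BINARY_SUFFIXES:
            entry["indicators"] = ["compiled_binary"]
        else:
            text = path.read_text(encoding="utf-8", errors="replace")
            entry["indicators"] = scan_text(text)
        report[rel] = entry
    return report


def demo() -> dict[str, dict]:
    """Build a constructed sample repository in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ldap_poc.py").write_text(BENIGN_SAMPLE, encoding="utf-8")
        (root / "helper").mkdir()
        (root / "helper" / "setup.py").write_text(SUSPICIOUS_SAMPLE, encoding="utf-8")
        # Constructed 4-byte stub with an MZ header; not a real executable.
        (root / "helper" / "tool.exe").write_bytes(b"MZ\x90\x00")
        return scan_directory(root)


if __name__ == "__main__":
    for rel, entry in demo().items():
        verdict = "REVIEW" if entry["indicators"] else "ok"
        print(f"{verdict:6} {entry['sha256'][:16]}  {rel}  {entry['indicators']}")
```

To use it on a real download, call `scan_directory(Path("path/to/cloned/repo"))` instead of `demo()`; any file marked `REVIEW` deserves a line-by-line read before the PoC is run, and a `compiled_binary` hit in a repository that should be pure Python is by itself reason to stop.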