In a sign that cybersecurity researchers continue to be under the radar of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub, concealing a backdoor with a “crafty” persistence method.
The repository masquerades as a PoC for CVE-2023-35829, a recently disclosed high-severity flaw in the Linux kernel. It has since been taken down, but not before it was forked 25 times. Another PoC shared by the same account, ChriSanders22, for CVE-2023-20871, a privilege escalation bug impacting VMware Fusion, was forked twice.
Uptypcs also identified a second GitHub profile containing a bogus PoC for CVE-2023-35829. It is still available as of writing and has been forked 19 times. A closer examination of the commit history shows that the changes were pushed by ChriSanders22, suggesting it was forked from the original repository.
The backdoor comes with a broad range of capabilities to steal sensitive data from compromised hosts as well as allow a threat actor to gain remote access by adding their SSH key to the .ssh/authorized_keys file.
The development comes nearly a month after VulnCheck discovered a number of fake GitHub accounts posing as security researchers to distribute malware under the guise of PoC exploits for popular software such as Discord, Google Chrome, Microsoft Exchange Server, Signal, and WhatsApp.
Users who have downloaded and executed the PoCs are recommended to unauthorized SSH keys, delete the kworker file, erase the kworker path from the bashrc file, and check /tmp/.iCE-unix.pid for potential threats.
Source: https://thehackernews.com/