A cybercriminal is targeting security researchers with bogus Windows proof-of-concept (PoC) exploits. The phony exploits carry the Cobalt Strike backdoor.
Threats to the InfoSec community
According to Cyble researchers, the attacker behind the campaign is exploiting interest in recently patched Windows RCE vulnerabilities.
A week ago, a threat actor published two proof-of-concept exploits on GitHub for the Windows vulnerabilities CVE-2022-26809 and CVE-2022-24500.
The PoCs were hosted in repositories belonging to a GitHub account named ‘rkxxz’, which have since been deleted.
Once the proof-of-concepts were released, word travelled quickly on Twitter and other social media platforms, attracting the attention of both threat actors and security researchers.
However, the exploits turned out to be fake: instead of exploiting anything, they deployed Cobalt Strike beacons.
By targeting the infosec community, the attackers are most likely attempting to gain access to vulnerability research as well as to the networks of cybersecurity firms.
About the malicious PoC
Researchers analysed the PoC and determined that it is a .NET program that appears to exploit a target IP address but actually infects the user with the backdoor.
According to a deobfuscated sample, the PoC launches a PowerShell script, which in turn runs a gzip-compressed PowerShell script that injects the beacon into memory.
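The chain described above (outer PowerShell one-liner, Base64-encoded gzip blob, inner script that injects into memory) is easy to triage offline. The following Python helper is an added example, not code from Cyble or from the article: it pulls the Base64 blob out of a PowerShell command line, gunzips it, and flags the Win32 calls an in-memory injector typically makes. The stager and inner script it tests against are constructed here for the example and are not the actual sample; the outer one-liner only mirrors the shape of common public gzip stagers.

```python
import base64
import gzip
import re
from typing import Dict, List, Optional

# Constructed stand-in for the inner script a gzip-packed stager hands to IEX.
# The Win32 calls are the usual markers of a reflective beacon load.
INNER_SCRIPT = (
    "$bytes = [Convert]::FromBase64String($payload)\n"
    "$addr = [Win32]::VirtualAlloc(0, $bytes.Length, 0x3000, 0x40)\n"
    "[System.Runtime.InteropServices.Marshal]::Copy($bytes, 0, $addr, $bytes.Length)\n"
    "[Win32]::CreateThread(0, 0, $addr, 0, 0, 0)\n"
)

# Strings seen in the outer (launcher) command line of a gzip stager.
STAGER_INDICATORS = ("FromBase64String", "GzipStream", "IEX", "Invoke-Expression", "-w hidden")
# Strings seen in the unpacked inner script when it injects code into memory.
INJECTION_INDICATORS = (
    "VirtualAlloc", "CreateThread", "Marshal]::Copy",
    "WriteProcessMemory", "CreateRemoteThread", "GetDelegateForFunctionPointer",
)

# Matches the literal Base64 argument of FromBase64String('...') or FromBase64String("...").
B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def build_gzip_stager(inner: str) -> str:
    """Wrap a script the way a gzip-packed PowerShell stager does: gzip, Base64,
    then an outer one-liner that decompresses the blob and runs it with IEX.
    Constructed for this example so it runs offline."""
    blob = base64.b64encode(gzip.compress(inner.encode("utf-8"))).decode("ascii")
    return (
        'powershell -nop -w hidden -c "$s=New-Object IO.MemoryStream(,'
        f"[Convert]::FromBase64String('{blob}'));"
        "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
        '$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"'
    )


def unpack_gzip_stager(cmdline: str) -> Optional[str]:
    """Recover the inner script from a command line, or None if there is no
    Base64 literal or the decoded bytes are not a gzip stream."""
    m = B64_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None
    if raw[:2] != b"\x1f\x8b":  # gzip magic
        return None
    return gzip.decompress(raw).decode("utf-8", errors="replace")


def _hits(text: str, indicators) -> List[str]:
    low = text.lower()
    return [i for i in indicators if i.lower() in low]


def triage(cmdline: str) -> Dict[str, object]:
    """Score one PowerShell command line: launcher indicators on the outer text,
    injection indicators on the unpacked inner script (if any)."""
    inner = unpack_gzip_stager(cmdline)
    stager_hits = _hits(cmdline, STAGER_INDICATORS)
    injection_hits = _hits(inner, INJECTION_INDICATORS) if inner else []
    suspicious = (inner is not None and bool(injection_hits)) or len(stager_hits) >= 3
    return {
        "packed": inner is not None,
        "stager_indicators": stager_hits,
        "injection_indicators": injection_hits,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    sample = build_gzip_stager(INNER_SCRIPT)  # constructed, not the real sample
    print(triage(sample))
    print(triage('powershell -c "Get-Process | Sort-Object CPU"'))
```

The same unpacking step works on a command line lifted from a Sysmon event or a PowerShell script-block log; if the decoded blob is not gzip (the sample may use Deflate or a nested Base64 layer instead), the helper returns None rather than guessing, and the outer indicators alone still score the launcher.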
Closing notes
Cybersecurity organisations frequently hold sensitive information about their clients, which an adversary may find quite lucrative. The attackers are most likely attempting to gain access to the victim’s vulnerability research, and perhaps to a cybersecurity firm’s network. Security researchers should be on the lookout for such attacks: a PoC published by an unknown account should be read and detonated in an isolated sandbox, never run on a research or corporate workstation.