Trend Micro researchers have uncovered a dangerous fake proof-of-concept (PoC) exploit masquerading as an exploit for CVE-2024-49113, a critical vulnerability in Microsoft’s Lightweight Directory Access Protocol (LDAP) dubbed LDAPNightmare. This vulnerability, patched during Microsoft’s December 2024 Patch Tuesday, allows attackers to execute denial-of-service (DoS) attacks by crashing the LDAP service. The fake PoC, however, serves as a vehicle for distributing information-stealing malware, targeting unsuspecting security researchers and developers.
The malicious repository hosting the fake PoC exploit appears to be a fork of an original, legitimate project. Instead of Python scripts, as expected, the repository contains an executable named “poc.exe,” packed using UPX. Trend Micro’s analysis reveals, “When a user executes the file, a PowerShell script is dropped and executed in the %Temp% folder.”
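The lure hinged on a packed Windows executable sitting where Python scripts were expected, which is something a researcher can check before anything runs. The script below is an added example, not Trend Micro's tooling or the repository's own code; it assumes a plain file checkout, relies on the UPX marker bytes ("UPX!" and the UPX0/UPX1 section names) and builds its own constructed sample checkout.

```python
"""Pre-execution vetting of a downloaded PoC checkout.

Added example, not Trend Micro's tooling. It flags what this lure hinged on:
a Windows executable ("poc.exe") packed with UPX sitting in a repository
that is supposed to contain only Python scripts.
"""
from pathlib import Path
import tempfile

PE_MAGIC = b"MZ"
# UPX writes a "UPX!" header and names its sections UPX0/UPX1; a repacked
# or renamed binary can hide these, so absence is not a clean bill of health.
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")
EXPECTED_SUFFIXES = {".py", ".md", ".txt"}  # assumption: what a Python PoC ships


def is_pe(data: bytes) -> bool:
    return data[:2] == PE_MAGIC


def is_upx_packed(data: bytes) -> bool:
    return any(marker in data for marker in UPX_MARKERS)


def vet_repo(root: Path) -> list[str]:
    """Return one finding per suspicious file, in path order."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if ".git" in path.parts:  # repository metadata is not shipped content
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if is_pe(data):
            tag = "UPX-packed PE" if is_upx_packed(data) else "PE executable"
            findings.append(f"{rel}: {tag} where Python scripts were expected")
        elif path.suffix.lower() not in EXPECTED_SUFFIXES:
            findings.append(f"{rel}: unexpected file type {path.suffix or '(none)'}")
    return findings


def build_sample_repo() -> Path:
    """Constructed checkout mirroring the lure: a README plus a packed poc.exe."""
    root = Path(tempfile.mkdtemp(prefix="poc_vet_"))
    (root / "README.md").write_text("# CVE-2024-49113 PoC\n")
    # Constructed stand-in for a UPX-packed PE: MZ magic plus UPX section names.
    (root / "poc.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"UPX0\x00UPX1\x00")
    return root


if __name__ == "__main__":
    for finding in vet_repo(build_sample_repo()):
        print("[!]", finding)
```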
This script creates a scheduled job to execute an encoded script that downloads additional malware from Pastebin. The malware subsequently exfiltrates a range of sensitive information, including:
- Computer details
- Process lists
- Directory contents (Downloads, Documents, Desktop)
- Network configuration (IPs and adapters)
- Installed updates
The malicious chain unfolds in multiple stages:
- Execution of “poc.exe” triggers a PowerShell script.
- A secondary script is downloaded from Pastebin, which collects the victim’s public IP address.
- Collected data is compressed into a ZIP file and uploaded to an external FTP server using hardcoded credentials.
LDAPNightmare (CVE-2024-49113) gained attention due to its potential to disrupt widely used LDAP services in Windows environments. The attackers’ decision to disguise malware as a PoC exploit for this trending vulnerability underscores their strategy of targeting professionals looking to mitigate risks. “Although the tactic of using PoC lures as a vehicle for malware delivery is not new, this attack still poses significant concerns,” Trend Micro notes.