malware

Attack on cybersecurity researchers: pseudo-exploit for regreSSHion

Someone is targeting security experts using an archive that allegedly contains an exploit for the regreSSHion vulnerability.

Kaspersky Team
July 5, 2024

An archive containing malicious code is being distributed on the social network X (formerly known as Twitter), under the guise of an exploit for the recently discovered CVE-2024-6387 aka regreSSHion. According to our experts, this may be an attempt to attack cybersecurity specialists. In this post we explain what actually is in the archive and how attackers are trying to lure researchers into a trap.

The legend behind the archive

Presumably, there is a server that has a working exploit for the CVE-2024-6387 vulnerability in OpenSSH. Moreover, this server actively uses this exploit to attack a list of IP addresses. The archive, offered to anyone wishing to investigate this attack, allegedly contains a working exploit, a list of IP addresses and some kind of payload.

Real contents of the malicious archive

In fact, the archive contains some source code, a set of malicious binaries and scripts. The source code looks like a slightly edited version of a non-functional proof-of-concept for this vulnerability, which was already distributed in the public domain.

One of the scripts, written in Python, simulates the exploitation of a vulnerability on servers located at IP addresses from the list. In reality, it launches a malicious file called exploit — a malware that serves to achieve persistence in the system and to retrieve additional payload from a remote server. The malicious code is saved in a file located at the /etc/cron.hourly directory. In order to achieve persistence, it modifies the ls file and writes a copy of itself into it, repeating the execution of malicious code every time it is launched.

How to Stay Safe

Apparently, the authors of the attack are counting on the fact that, when working with obviously malicious code, researchers tend to disable security solutions and focus on analyzing the exchange of data between the malware and a server vulnerable to CVE-2024-6387. Meanwhile, completely different malicious code will be used to compromise the researchers’ computers.

Therefore, we remind all information security experts and other persons who like to analyze suspicious code not to work with malware outside of a specially prepared isolated environment, from which external infrastructure is inaccessible.

Kaspersky products detect elements of this attack with the following verdicts:

UDS:Trojan-Downloader.Shell.FakeChecker.a
UDS:Trojan.Python.FakeChecker.a
HEUR:Trojan.Linux.Agent.gen
Virus.Linux.Lamer.b
HEUR:DoS.Linux.Agent.dt

As for the regreSSHion vulnerability, as we wrote earlier, its practical exploitation is far from being simple.

Why you need to remove the Polyfill.io script from your website

Remove Polyfill.io from your website

The JavaScript CDN service Polyfill.io has started spreading malicious code. Remove the service’s script from your website.

Free Tools

TARGETED SECURITY SOLUTIONS

Attack on cybersecurity researchers: pseudo-exploit for regreSSHion

The legend behind the archive

Real contents of the malicious archive

How to Stay Safe

Prilex blocks NFC transactions

Symptoms indicating one of your devices is being attacked

Remove Polyfill.io from your website

Tips

Setting up Shortcuts and Siri in Kaspersky for iOS

Don’t forget about Recall, because Recall won’t forget about you

Setting up both security and privacy in WhatsApp

The incognito myth: how private browsing really works

Sign up to receive our headlines in your inbox

Home Products

Small Business Products

Medium Business Products

Enterprise Solutions

Securelist

Eugene Personal Blog

Encyclopedia