This post is also available in: 日本語 (Japanese)

Executive Summary

Researchers should be aware of threat actors repurposing older proof of concept (PoC) code to quickly craft a fake PoC for a newly released vulnerability. On Aug. 17, 2023, the Zero Day Initiative publicly reported a remote code execution (RCE) vulnerability in WinRAR tracked as CVE-2023-40477. They had disclosed it to the vendor on June 8, 2023. Four days after the public reporting of CVE-2023-40477, an actor using an alias of whalersplonk committed a fake PoC script to their GitHub repository.

The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as CVE-2023-25157. We analyzed the fake PoC script and all the links in the infection chain, which ultimately installed a VenomRAT payload.

We do not think the threat actor created this fake PoC script to specifically target researchers. Rather, it is likely the actors are opportunistic and looking to compromise other miscreants trying to adopt new vulnerabilities into their operations.

Based on a timeline of events, we believe the threat actor had created the infrastructure and payload independently from the fake PoC. Once the vulnerability was publicly released, the actors acted quickly to capitalize on the severity of an RCE in a popular application. WinRAR states they have over 500 million users worldwide.

We would like to thank fellow Cyber Threat Alliance (CTA) member Broadcom/Symantec (@threatintel) for sharing the initial sample on this CVE.

Palo Alto Networks customers received protection from this infection chain prior to the fake PoC code’s creation with WildFire and Advanced URL Filtering. The domain checkblacklistwords[.]eu used to host the various files needed for infection and the VenomRAT payload were automatically categorized as malware before the PoC was committed to GitHub.

Related Unit 42 Topics Vulnerability, Remote Access Trojan

Fake It Until You Make It

An unknown actor using the alias whalersplonk released a fake PoC script for an RCE vulnerability in WinRAR tracked by CVE-2023-40477. This PoC is fake, as it does not exploit the intended vulnerability. Rather, it is based on publicly available PoC code for a vulnerability in GeoServer tracked by CVE-2023-25157. Instead of exploiting the WinRAR vulnerability as it claims, the PoC script sets off an infection chain that (after several steps) will install a VenomRAT payload.

The CVE-2023-40477 vulnerability in WinRAR allows an attacker to execute code on a system that opens a malicious file. According to the vendor’s announcement on Aug. 24, 2023, the Zero Day Initiative initially reported the CVE-2023-40477 vulnerability on June 8, 2023, and publicly reported it on Aug. 17, 2023. The timestamps within the ZIP archive suggest that the actor committed the files to GitHub on Aug. 21, 2023, four days after the vulnerability was publicly announced.

According to a Tweet by @AabyssZG seen in Figure 1, this fake PoC archive was hosted at a GitHub repository for a user named whalersplonk. Visiting this repository now results in a 404 error, as the repository was removed.

Image 1 is a screenshot of a Twitter post. The user name is @AabyssZG. Their profile picture is of a short-haired person sitting at a computer and looking behind them. Mixed with Chinese characters are: CVE-2023-40477, Pic, Github, Poc and a final sentence that says “Please do not attempt to run this Poc!” The date is 11:02 PM on August 21, 2023 and the tweet has 13.1k views at the time the screenshot was taken. It has eight reposts, three quotes, 33 like and six bookmarks.
Figure 1. Tweet showing the fake PoC code hosted at a GitHub repository owned by whalersplonk.

The fake PoC is a Python script that was uploaded to VirusTotal in a ZIP archive named CVE-2023-40477-main.zip, specifically poc.py. The code snippet below shows the contents of the CVE-2023-40477-main.zip archive in 7-Zip. We believe the CVE-2023-40477-main.zip file itself was generated by downloading the entire repository by clicking the “Download ZIP” button in GitHub.

Social Engineering

Figure 2 shows that the README.md file within the ZIP archive attempts to further trick the user into compromising their system by providing a summary of the CVE-2023-40477 vulnerability and usage instructions for the poc.py script. The instructions also include a link to a video hosted on streamable[.]com. The video is no longer hosted at the URL within the README.md file, as it was set to expire on Aug. 25, 2023 5:35:00 AM UTC.

Image 2 is a screenshot of a README in Wordpad. CVE-2023-40477. POC WinRAR vulnerable to remote code execution, A widely used Windows-only utility, WinRAR can create an extract file archives in various compression formats. CVE-2023-40477 is the remote code execution vulnerability that could allow remote threat actors to execute arbitrary code on an affected WinRAR installation. Usage. Create “test.rar” and place in the same directory as poc.py. Put any files you want inside test.rar. Execute command: poc.py -c CMD command to execute. Done! Now after someone open any file inside .rar file will execute that command hiddenly. Video: streamable dot com forward slash nx20wk.
Figure 2. README.md within the ZIP archive that provides information about the CVE-2023-40477 vulnerability and usage instructions.

We discovered interesting information regarding the video via the metadata provided by Streamable. Table 1 shows key pieces of information about the video hosted at Streamable, including the date the video was uploaded, which aligns with our timeline. The number of plays suggests that over 100 individual views of the video took place.

Metadata Field Value
date_added 1692656432.078 (Aug. 21, 2023 10:20:32 PM UTC)
original_name 22.08.2023_00.17.56_REC.mp4
duration 20.303278 seconds
plays 121 (as of 2023-08-22 05:38:32)

Table 1. Metadata fields and values for the video.

We also obtained two screenshots associated with the 22.08.2023_00.17.56_REC.mp4 uploaded to Streamable, which were used as thumbnails to display parts of the video. The first image, which Streamable displays before the user clicks the play button on the video, shows the threat actor’s desktop and their task manager.

Figure 3 depicts the task manager showing a process named Windows.Gaming.Preview, which is the same executable name as the VenomRAT payload discussed later in this article. We suspect the threat actor used the same system to test their payload and make this demonstration video.

Image 3 is a screenshot of a desktop. Task manager is open. Windows.Gaming.Preview is the executable name of the VenomRAT payload.
Figure 3. First thumbnail of 22.08.2023_00.17.56_REC.mp4 displayed before the video plays, shows the VenomRAT process running on the actor’s system.

The second screenshot shown in Figure 4, which we believe Streamable captures halfway through the video, displays the actor showing an archive of Burp Suite, a password of 311138, and the PuTTY client. We believe the actor was pretending to show how to craft a malicious archive and use the script to exploit the CVE-2023-40477 vulnerability in WinRAR.

More importantly, the screenshot also depicts the Windows clock showing 8/21/2023 3:17 PM. We can use this information in our timeline to determine where it fits, and to speculate the time zone the actor is in based on other activities.

Image 4 is a screenshot of a desktop. Task manager is open. A trial version of Burp Suite is also open. An open file in Notepad has pass: 311138 as its contents. PuTTY Configuration is open.
Figure 4. Second thumbnail of 22.08.2023_00.17.56_REC.mp4 showing a Burp Suite archive.

We believe the burpsuite_pro_v2023.2.2.zip archive seen in the video above was obtained from a Telegram post, as seen in Figure 5. We did not analyze the Burp Suite application provided by the Telegram post to determine if it was a legitimate version, as available from the PortSwigger website.

Image 5 is a screenshot of a Telegram post. Burpsuite (not official). Burpsuite_pro_v2023.2.2.zip. Pass: 311138. README inside, plz read it before run BS. Happy hacking! Party emoji. Telegram link is t.me/burpsuite/390. At the time of the screenshot, the post had been viewed 33.2 thousand times. It was posted on March 6 at 10:58.
Figure 5. Telegram post showing the burpsuite_pro_v2023.2.2.zip archive used by the actor in the demonstration video.

Fake Proof of Concept

The fake PoC Python script within the ZIP archive was named poc.py, which was based on the open-source CVE-2023-25157 PoC with some changes shown in Figure 6. The changes to the CVE-2023-25157 PoC code included the following:

  • Removal of comments regarding details about the CVE-2023-25157 vulnerability
  • Removal of lines of code that would suggest it’s a network-related vulnerability, such as the setting of variables named PROXY and PROXY_ENABLED
  • Modified strings from geoserver to exploit
  • Inclusion of additional code that downloads and executes a batch script with a comment of “Check dependency”
Image 6 is is two screenshots side by side. On the left is the genuine PoC for CVE-2023-25157. On the right is the fake CVE-2023-40477 PoC. Both are written in Python. The comparison includes code that is removed, changed or added.
Figure 6. Comparison between the CVE-2023-25157 PoC on the left and the fake CVE-2023-40477 PoC on the right.

The poc.py script no longer runs correctly due to the removal of several lines of code. However, the malicious code added to the script does run properly before the script ends in an exception, as seen in Figure 7.

Image 7 is a screenshot of the poc.py script in the Command Prompt. Some of the information has been redacted. This script closes after malicious code is ran.
Figure 7. The poc.py script closes due to an exception, but after malicious code runs.

The code added to the CVE-2023-25157 PoC shown in the green lines of code on the right side of Figure 6 above creates a batch script in %TEMP%/bat.bat. This script will reach out to the following URL and run the response:

  • http://checkblacklistwords[.]eu/check-u/robot?963421355?Ihead=true

The batch script hosted at the URL above runs an encoded PowerShell script that will download another PowerShell script from checkblacklistwords[.]eu/c.txt. The script then saves this file to %TEMP%\c.ps1 and runs it, as seen in the following code block:

Script that downloads and runs the saved PowerShell script.

The downloaded PowerShell script downloads an executable from checkblacklistwords[.]eu/words.txt and saves it to %APPDATA%\Drivers\Windows.Gaming.Preview.exe. The PowerShell script not only runs the executable, but it also creates a scheduled task named Windows.Gaming.Preview that runs the executable every three minutes to persistently run the payload.

The Windows.Gaming.Preview.exe executable is a variant of VenomRAT, which is the same name as the running process seen in the task manager displayed during the video in the README.md file shown in Figure 3 above. This suggests that the threat actor may have been running the VenomRAT payload on their system when they made the video.

This particular variant of VenomRAT has the following configuration:

The configuration field Paste_bin has a value of http://checkblacklistwords[.]eu/list.txt, which the executable will communicate with to obtain the command and control (C2) location. This URL suggests the C2 is at the following IP address:

  • 94.156.253[.]109:4449

This particular VenomRAT client starts a key logger functionality that logs keystrokes to %APPDATA%\MyData\DataLogs_keylog_offline.txt. The client then begins communicating with its C2 server and will process the server's response for the commands shown in Table 2.

Command Description
plu_gin Invokes a plugin by name that is saved to a key in the registry via the save_Plugin command
HVNCStop Gets a process by name cvtres and kills it.
loadofflinelog Uploads the offline key logger file from %APPDATA%\MyData\DataLogs_keylog_offline.txt
save_Plugin Saves a plugin to the registry for loading via the plu_gin command. Plugins saved to a specified subkey in Software\\<hardware id>
runningapp Gets the running processes
keylogsetting Provides a new key log configuration file that will save to %APPDATA%\MyData\DataLogs.conf
init_reg Deletes subkeys in Software\\<hardware id>
Po_ng Sends the interval between the last PING message sent to the C2 server and the receipt of the Po_ng command
filterinfo Gets installed applications list from the registry (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall) and the running processes.

Table 2. Commands and their description for the VenomRAT variant.

According to the VenomRAT sample’s portable executable (PE) header, the executable was compiled on Feb. 8, 2023, at 22:10:28 UTC. We found over 700 VenomRAT samples that had this same compilation time. This suggests that this particular sample was likely created with a standard VenomRAT builder that used a base executable and modified it with updated configuration settings. We have made the full list of SHAs and IoCs available on GitHub.

Timeline of Events

Unit 42 researchers built a timeline of events surrounding this incident seen in Figure 8 using the timestamps previously mentioned above as well as those seen within our internal products. These timestamps are those specifically associated with the following:

  • The public release of the CVE-2023-40477 vulnerability
  • The threat actor’s activities, including the setup of infrastructure and the deployment of the fake PoC
  • Palo Alto Networks product coverage
Image 8 is a timeline of events associated with the fake PoC for CVE-2023-40477. It starts on July 16, 2023 with the last modified field HTTP response to checkblacklistwords dot eu. It ends with WinRAR announcing the vulnerability as part of their release notes on August 27, 2023.
Figure 8. Timeline of events associated with the fake PoC for the CVE-2023-40477 vulnerability.

The timeline shows that the threat actor created the checkblacklistwords[.]eu domain used in the infection chain at least 10 days prior to the public release of CVE-2023-40477. This was 14 days before they committed the fake PoC code to GitHub. However, the HTTP response to the URL hxxp://checkblacklistwords[.]eu/ has a Last-Modified field that is set to Sun, 16 Jul 2023 18:43:54 GMT, which suggests that the actor could have initially set up the server over a month before the public release of the vulnerability.

According to Palo Alto Networks product coverage, both WildFire and Advanced URL Filtering processed and provided malware verdicts to the following:

  • VenomRAT payload
  • checkblacklistwords[.]eu domain
  • Two of the URLs seen in the infection chain

Advanced URL Filtering automatically processed and provided a malicious verdict to the remaining URL seen in the infection chain a day after the actor released the fake PoC.

Based on this timeline, we believe the threat actor had created the infrastructure and payload separately from the fake PoC. Once the vulnerability was publicly released, the actors quickly created the fake PoC to use the severity of an RCE in a popular application like WinRAR to lure in potential victims.

Conclusion

An unknown threat actor attempted to compromise individuals by releasing a fake PoC after the vulnerability’s public announcement, to exploit an RCE vulnerability in a well-known application. This PoC is fake and does not exploit the WinRAR vulnerability, suggesting the actor tried to take advantage of a highly sought after RCE in WinRAR to compromise others. The fake PoC is based on publicly available code for a vulnerability in GeoServer that sets off an infection chain that installs VenomRAT.

While we cannot provide accurate figures on the impact or number of compromises, we saw that the instructional video provided by the actor along with the fake exploit script had 121 views.

Palo Alto Networks customers received protection from this fake PoC as the checkblacklistwords[.]eu domain and VenomRAT sample had malicious verdicts prior to the creation of the fake exploit script.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Palo Alto Networks would like to thank fellow Cyber Threat Alliance (CTA) member Broadcom/Symantec (@threatintel) for sharing the initial sample on this CVE. In addition, we have shared our findings, including file samples and indicators of compromise, with our fellow CTA members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

A full list of IoCs is available on our GitHub.

Indicator Type Description
7fc8d002b89fcfeb1c1e6b0ca710d7603e7152f693a14d8c0b7514d911d04234 File CVE-2023-40477-main.zip 
ecf96e8a52d0b7a9ac33a37ac8b2779f4c52a3d7e0cf8da09d562ba0de6b30ff File poc.py
c2a2678f6bb0ff5805f0c3d95514ac6eeaeacd8a4b62bcc32a716639f7e62cc4 File bat.bat
b99161d933f023795afd287915c50a92df244e5041715c3381733e30b666fd3b File c.ps1
b77e4af833185c72590d344fd8f555b95de97ae7ca5c6ff5109a2d204a0d2b8e File Windows.Gaming.Preview.exe - VenomRAT
94.156.253[.]109 IPv4 VenomRAT C2
checkblacklistwords[.]eu Domain Hosted files in infection chain
http://checkblacklistwords[.]eu/check-u/robot?963421355?Ihead=true URL Hosted bat.bat
http://checkblacklistwords[.]eu/c.txt URL Hosted c.ps1
http://checkblacklistwords[.]eu/words.txt URL Hosted Windows.Gaming.Preview.exe
Enlarged Image