Security Researchers Hit with Cobalt Strike Via Fake Windows POC Exploits


Cybercriminals used fake Windows proof-of-concept (PoC) exploits to infect security researchers with Cobalt Strike beacons. In this newly discovered campaign, the perpetrators posed their malware as exploits for two recently patched Windows remote code execution flaws:

  • CVE-2022-24500, Windows SMB Remote Code Execution Vulnerability: to exploit it, the victim would need to retrieve data as part of an OS API call from a malicious SMB server.
  • CVE-2022-26809, Remote Procedure Call Runtime Remote Code Execution Vulnerability: to exploit it, an attacker would need to craft a special RPC call and send it to an RPC host, achieving server-side remote code execution with the permissions of the RPC service.

Infosec community members often analyze Microsoft's fixes for known vulnerabilities and release PoC exploits on platforms such as GitHub. Security researchers rely on these PoCs to build detections and defenses, and to show sysadmins why vulnerable systems must be patched.

A threat actor published two fake PoC exploits on GitHub last week for the vulnerabilities above (CVE-2022-24500 and CVE-2022-26809). The repositories belonged to a user named 'rkxxz,' as Bleeping Computer reported. GitHub has since removed the account and taken down the exploits.

The fake PoCs garnered significant traction, with users quickly spreading the word about them on social media platforms (Twitter, Reddit) and even threat actors mentioning them on hacking forums.

It did not take long, however, for security researchers to spot their malicious nature: the supposed exploits dropped Cobalt Strike beacons on the machines that ran them. According to researchers' reports, the CVE-2022-24500 PoC was a .NET application that took a target IP address and pretended to exploit it, while actually opening a backdoor on the system it was run on.
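The check a reader of this story would want before running any downloaded PoC, as an added example that is not code from the article, from Bleeping Computer, or from the 'rkxxz' repositories: a triage scan of a cloned repository for content that has no business in an exploit for an SMB or RPC bug (download cradles, encoded PowerShell, a .NET program spawning a hidden shell, long base64 blobs). The two embedded sample sources (`FAKE_POC`, `BENIGN_POC`) and the pattern list are constructed for illustration; the heuristics are assumptions, not a signature for the real fake PoC.

```python
import re
import sys
from pathlib import Path

# Heuristic indicators (assumed, not a signature for any real sample): things a
# proof-of-concept for an SMB or RPC bug has no reason to contain.
SUSPICIOUS_PATTERNS = {
    "download cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
        r"|\bcurl\b[^\n]*\|\s*(?:sh|bash)\b", re.I),
    "encoded PowerShell": re.compile(
        r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/]{16,}", re.I),
    "shell spawn from .NET": re.compile(
        r'(?:Process\.Start|ProcessStartInfo)\s*\(\s*"(?:cmd|powershell|pwsh)', re.I),
    "hidden window": re.compile(
        r"-w(?:indowstyle)?\s+hidden|CreateNoWindow\s*=\s*true", re.I),
    "long base64 blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}

# File types worth reading in a typical PoC repository (assumed list).
TEXT_SUFFIXES = {".cs", ".py", ".ps1", ".c", ".cpp", ".h", ".bat", ".cmd",
                 ".sh", ".txt", ".md", ".csproj"}


def scan_text(text: str) -> dict[str, list[int]]:
    """Map each indicator name to the 1-based line numbers where it fires."""
    hits: dict[str, list[int]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def scan_sources(sources: dict[str, str]) -> dict[str, dict[str, list[int]]]:
    """Scan {path: contents}; only files with at least one hit are reported."""
    report: dict[str, dict[str, list[int]]] = {}
    for path, text in sources.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


def is_suspicious(report: dict) -> bool:
    """True when any file in the report (or any hit in a hit map) fired."""
    return bool(report)


def load_repo(root: str) -> dict[str, str]:
    """Read every text-like file under root, e.g. a freshly cloned PoC repo."""
    sources: dict[str, str] = {}
    for path in Path(root).rglob("*"):
        if (path.is_file() and path.suffix.lower() in TEXT_SUFFIXES
                and path.stat().st_size < 2_000_000):
            sources[str(path.relative_to(root))] = path.read_text(errors="ignore")
    return sources


# Constructed stand-in for a trojanized "exploit": it echoes the target IP but
# actually launches a hidden, encoded PowerShell command (blob is filler).
FAKE_POC = """\
using System;
using System.Diagnostics;
class Program {
    static void Main(string[] args) {
        Console.WriteLine("[*] Exploiting CVE-2022-24500 on " + args[0]);
        var psi = new ProcessStartInfo("powershell.exe",
            "-WindowStyle Hidden -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==");
        psi.CreateNoWindow = true;
        Process.Start(psi);
        Console.WriteLine("[+] Exploit sent, waiting for callback");
    }
}
"""

# Constructed stand-in for an honest network PoC: it only talks to the target.
BENIGN_POC = """\
import socket, sys
s = socket.create_connection((sys.argv[1], 445), timeout=5)
s.sendall(b"\\x00\\x00\\x00\\x00")
print(s.recv(4))
"""


if __name__ == "__main__":
    # Usage: python poc_triage.py <cloned-repo-dir>; without an argument the
    # two constructed samples above are scanned instead.
    sources = load_repo(sys.argv[1]) if len(sys.argv) > 1 else {
        "fake_poc/Program.cs": FAKE_POC, "benign_poc/poc.py": BENIGN_POC}
    report = scan_sources(sources)
    for path, hits in report.items():
        for name, lines in hits.items():
            print(f"{path}: {name} at line(s) {lines}")
    print("verdict:", "REVIEW BEFORE RUNNING" if is_suspicious(report)
          else "no indicators found")
```

A hit is not proof of malice (a real PoC may legitimately call PowerShell), but any file that fires deserves a read-through in an isolated VM before the code is executed, and a .NET "exploit" whose only action is spawning a hidden encoded shell is exactly the pattern this story warns about.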

Although Cobalt Strike is a legitimate penetration-testing tool, threat actors routinely use it as a post-compromise implant: once a beacon is running on one machine, they use lateral movement techniques to spread further through the organization's network.