Hackers Target Security Researchers with Fake Exploits
Since May 2023, attackers have been actively promoting fake exploits for vulnerabilities in Chrome, Discord, Signal, WhatsApp and Microsoft Exchange. They pose as security researchers on Twitter and GitHub and publish fake PoC exploits for various supposed zero-day vulnerabilities. In reality, the repositories distribute malware that infects machines running Windows and Linux.
Researchers at VulnCheck were the first to notice the campaign. The fakes are published under the name of a non-existent security company, High Sierra Cyber Security, and are actively promoted on Twitter to attract the interest of researchers and vulnerability analysis firms.
The attackers' repositories appear legitimate, and their maintainers pose as real experts from Rapid7 and other well-known companies, even using those people's real photos.
Malware Loader
In all the cases studied, the attackers' repositories contain a Python script, poc.py, that acts as a malware loader for both Linux and Windows. The script downloads a ZIP archive from an external URL to the victim's computer; depending on the operating system, the target receives either cveslinux.zip (Linux) or cveswindows.zip (Windows).
As a result, the malware is stored in the %Temp% folder on Windows or /home/
It is not yet clear exactly what malware the attackers are spreading, but both executables install a Tor client, and the Windows version has in some cases been identified as a password-stealing Trojan.
Aggressive Campaign
Although the scope and effectiveness of this campaign are unclear, VulnCheck notes that the attackers are persistent: they create new accounts and repositories as soon as earlier ones are discovered and removed.
Seven GitHub repositories are currently known to be controlled by these attackers:
• github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
• github.com/MHadzicHSCS/Chrome-0-day
• github.com/GSandersonHSCS/discord-0-day-fix
• github.com/BAdithyaHSCS/Exchange-0-Day
• github.com/RShahHSCS/Discord-0-Day-Exploit
• github.com/DLandonHSCS/Discord-RCE
• github.com/SsankkarHSCS/Chromium-0-Day
In addition, the following Twitter accounts belong to the attackers:
• twitter.com/AKuzmanHSCS
• twitter.com/DLandonHSCS
• twitter.com/GSandersonHSCS
• twitter.com/MHadzicHSCS
It is worth noting that this is neither the first targeted attack on information security specialists nor the first time attackers have distributed fake exploits (1, 2). By compromising members of the security community, attackers can in principle obtain the vulnerability research data the victim has access to, in addition to the usual gains from infecting a computer with malware.