In a sign that cybersecurity researchers continue to be under the radar of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub, concealing a backdoor with a "crafty" persistence method.
"In this instance, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool," Uptycs researchers Nischay Hegde and Siddartha Malladi said. "Operating as a downloader, it silently dumps and executes a Linux bash script, all the while disguising its operations as a kernel-level process."
The repository masquerades as a PoC for CVE-2023-35829, a recently disclosed high-severity flaw in the Linux kernel. It has since been taken down, but not before it was forked 25 times. Another PoC shared by the same account, ChriSanders22, for CVE-2023-20871, a privilege escalation bug impacting VMware Fusion, was forked twice.
Uptypcs also identified a second GitHub profile containing a bogus PoC for CVE-2023-35829. It is still available as of writing and has been forked 19 times. A closer examination of the commit history shows that the changes were pushed by ChriSanders22, suggesting it was forked from the original repository.
The backdoor comes with a broad range of capabilities to steal sensitive data from compromised hosts as well as allow a threat actor to gain remote access by adding their SSH key to the .ssh/authorized_keys file.
"The PoC intends for us to run a make command that is an automation tool used to compile and build executables from source code files," the researchers explained. "But within the Makefile resides a code snippet that builds and executes the malware. The malware names and runs a file named kworker, which adds the $HOME/.local/kworker path in $HOME/.bashrc, thereby establishing its persistence."
The development comes nearly a month after VulnCheck discovered a number of fake GitHub accounts posing as security researchers to distribute malware under the guise of PoC exploits for popular software such as Discord, Google Chrome, Microsoft Exchange Server, Signal, and WhatsApp.
Users who have downloaded and executed the PoCs are recommended to unauthorized SSH keys, delete the kworker file, erase the kworker path from the bashrc file, and check /tmp/.iCE-unix.pid for potential threats.
"While it can be challenging to distinguish legitimate PoCs from deceptive ones, adopting safe practices such as testing in isolated environments (e.g., virtual machines) can provide a layer of protection," the researchers said.