Linux Hacker Tricks Cybersecurity Researchers with Malicious Proofs of Concept on GitHub

Vlad CONSTANTINESCU

July 14, 2023

In an unexpected twist, a hacker specializing in Linux has duped cybersecurity researchers, and possibly other threat actors, with fake proofs of concept (PoCs) that were loaded with malware and posted on the coding platform GitHub.

The campaign was discovered during a routine scan by security analytics firm Uptycs, which revealed legitimate PoCs for known vulnerabilities that had been injected with Linux password-stealing malware.

PoCs are critical tools in the realm of cybersecurity, enabling researchers to understand, test and analyze the potential impacts of publicly disclosed vulnerabilities. Their ubiquity, though, can also give threat actors the opportunity to conduct attacks more efficiently, exploiting these PoCs to identify weak spots in target systems.

In this instance, the Linux-focused hacker cloned real PoCs for known security holes, spiked them with malware, and reuploaded them to GitHub. Alarmingly, by the time Uptycs detected the malicious activity, one of the fake PoCs had already been forked 25 times and the other 20 times.

These counterfeit PoCs triggered warning signs during a standard scan, indicating abnormalities such as unauthorized system access attempts, unusual data transfers, and unexpected network connections.

One fake PoC was disguised as a PoC for a high-severity (CVSS: 7.0/10) use-after-free vulnerability known as CVE-2023-35829, affecting the Linux kernel before version 6.3.2. The counterfeit PoC contained an extra file, src/aclocal.m4, a hidden Linux bash downloader script that is not present in the legitimate version. The script was used to harvest machine data, including the hostname, username, and home directory contents.

“Its persistence methodology is quite crafty,” Uptycs said in a security advisory. “Used to build executables from source code files, it leverages the make command to create a kworker file and adds its file path to the bashrc file, thus enabling the malware to continually operate within a victim's system.”

The GitHub user had also posted another malicious PoC, posing as a PoC for CVE-2023-20871, a high-severity (CVSS: 7.8/10) privilege escalation vulnerability impacting the VMware Fusion hypervisor. Both fake PoCs were almost identical, apart from their names.

After the fraudulent PoCs were discovered, the user's GitHub account was deactivated and the malicious content was removed. Uptycs advises people who may have used the fake PoCs to remove unauthorized SSH keys, check /tmp/.iCE-unix.pid for potential threats, delete the kworker file, and remove the kworker path from the bashrc file.
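One way to run the checks in that advisory against a user's profile, as an added example that is not Uptycs' or the article's own script: it assumes the indicators are a "kworker" reference in .bashrc, the /tmp/.iCE-unix.pid file, and unreviewed authorized_keys entries, and the sample home directory, kworker path and key values it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a home directory for the indicators named in the advisory.
# Paths are parameters so the checks can be run against a constructed sample offline.

# Returns 0 (found) and prints matching lines if the rc file references a kworker path.
find_kworker_in_rc() {
    rc="$1"
    [ -f "$rc" ] || return 1
    grep -n 'kworker' "$rc"
}

# Counts public keys in an authorized_keys file so unexpected additions stand out.
count_authorized_keys() {
    keys="$1"
    [ -f "$keys" ] || { echo 0; return 0; }
    grep -c -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-)' "$keys"
}

# Returns 0 if the advisory's pid file is present at the given path.
ice_pid_present() {
    [ -e "$1" ]
}

# Full audit: returns 0 when no indicator is found, 2 when at least one is.
audit_home() {
    home="$1"; pidfile="$2"; hits=0
    if find_kworker_in_rc "$home/.bashrc"; then
        echo "WARN: kworker reference in $home/.bashrc"; hits=$((hits + 1))
    fi
    if ice_pid_present "$pidfile"; then
        echo "WARN: $pidfile exists"; hits=$((hits + 1))
    fi
    echo "INFO: $(count_authorized_keys "$home/.ssh/authorized_keys") key(s) in authorized_keys; review each one"
    [ "$hits" -eq 0 ] && return 0 || return 2
}

# Constructed sample (not a real infection): a .bashrc that launches a kworker file,
# one SSH key, and a pid file placed where the audit expects it.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/.ssh"
printf 'export PATH=$PATH:/usr/local/bin\n/home/user/.config/kworker &\n' > "$demo_dir/.bashrc"
printf 'ssh-ed25519 AAAAC3constructedkey user@host\n' > "$demo_dir/.ssh/authorized_keys"
: > "$demo_dir/.iCE-unix.pid"
audit_home "$demo_dir" "$demo_dir/.iCE-unix.pid" || echo "audit exit status $?"
```

On a real host, call audit_home with the user's home directory and /tmp/.iCE-unix.pid; the kworker path to delete is whatever the WARN line points at.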

To prevent the spread of such infections, cybersecurity researchers should always test PoCs in a sandboxed or isolated environment. In the ever-evolving world of cybersecurity, vigilance and cautious practice are as important as the most sophisticated defenses.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
