The Infosec community targeted by a threat group that exploits Windows

June 1, 2022

A malicious threat group is targeting the information security (Infosec) community with phoney Windows proof-of-concept (PoC) exploits. These fake exploits compromise the targeted devices with a Cobalt Strike beacon backdoor.

The threat actors behind the current attacks are taking advantage of recently patched Windows remote code execution flaws. Last week, a threat actor published two proof-of-concept exploits on GitHub for these critical Windows vulnerabilities, which are tracked as CVE-2022-24500 and CVE-2022-26809.

The exploits were published in repositories belonging to a user dubbed rkxxz. The repositories are now shut down, and other cybersecurity researchers have deleted the account.

 

Proof-of-concept exploits are the lure the actors use to bait the Infosec community.

 

The attacks were especially threatening across all channels because they involved a PoC. Once a PoC is published, it spreads immediately across platforms such as Twitter, Telegram, and GitHub. Both threat actors and the Infosec community take notice of these announcements because of the severity of the flaws involved.

The latest PoCs were fake and installed Cobalt Strike backdoors. By attacking the Infosec community, the malicious group appears to be attempting to obtain access to exploit research. Moreover, they are trying to gain access to the network of any cybersecurity company that takes the bait.

Researchers examined the threat actor’s PoC that was found circulating and discovered that it was a .NET app that pretends to exploit an IP address but in fact infects the targeted user with the backdoor.

In addition, once the researchers stripped its obfuscation, the sample was found to launch a PowerShell script that executes a second, gzip-compressed PowerShell script. The threat actors used this script to inject the Cobalt Strike beacon into the memory of the targeted device.
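As an added example (not code from the article or from the researchers it cites), the following sketch statically unpacks gzip-compressed script layers like the one described above, so an analyst can read the inner script without running it. It assumes the compressed data is embedded as base64, which the article does not state; the marker list, function names and the constructed sample are illustrative.

```python
import base64
import binascii
import gzip
import io
import re
import zlib

B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Assumed, illustrative strings associated with in-memory loading; tune locally.
MARKERS = ("FromBase64String", "GzipStream", "VirtualAlloc", "CreateThread",
           "GetDelegateForFunctionPointer", "Invoke-Expression")
MAX_OUT = 1 << 20  # cap decompressed size so a gzip bomb cannot exhaust memory


def unpack_layers(text, depth=0, max_depth=5):
    """Return one dict per gzip layer found, outermost first. Nothing is executed."""
    layers = []
    if depth >= max_depth:
        return layers
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            if raw[:2] != b"\x1f\x8b":  # not a gzip stream
                continue
            with gzip.GzipFile(fileobj=io.BytesIO(raw)) as fh:
                body = fh.read(MAX_OUT)
        except (binascii.Error, ValueError, OSError, EOFError, zlib.error):
            continue
        # PowerShell text is often UTF-16LE; otherwise treat it as UTF-8.
        enc = "utf-16-le" if body[1:2] == b"\x00" else "utf-8"
        inner = body.decode(enc, "replace")
        hits = [k for k in MARKERS if k.lower() in inner.lower()]
        layers.append({"depth": depth + 1, "size": len(body),
                       "markers": hits, "text": inner})
        layers.extend(unpack_layers(inner, depth + 1, max_depth))
    return layers


def build_constructed_sample():
    """Constructed, harmless stand-in for a launcher line; not taken from the sample."""
    inner = "# constructed inner layer, harmless\nWrite-Output 'VirtualAlloc placeholder'\n"
    blob = base64.b64encode(gzip.compress(inner.encode("utf-8"))).decode()
    return "$s = [Convert]::FromBase64String('" + blob + "') # constructed launcher line"
```

Each returned layer carries its depth, decompressed size and matched markers, which is enough to decide whether a downloaded "PoC" deserves full analysis in an isolated environment.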

Cybersecurity research companies always hold critical information about their clients. They are therefore targeted by threat actors who want to acquire this knowledge and use it in their attacks.

The adversaries might be betting on this information to gain access to the network of a cybersecurity company. Researchers should stay on guard, as they are the ones being singled out by these attackers.
