Friday, January 10, 2025
HomeCVE/vulnerabilityWeaponized LDAP Exploit Deploys Information-Stealing Malware

Weaponized LDAP Exploit Deploys Information-Stealing Malware

Published on

Cybercriminals are exploiting the recent critical LDAP vulnerabilities (CVE-2024-49112 and CVE-2024-49113) by distributing fake proof-of-concept exploits for CVE-2024-49113 (dubbed “LDAPNightmare”). 

These malicious PoCs, often disguised as tools to demonstrate the vulnerability’s impact, are designed to trick security researchers and system administrators into downloading and executing them. 

When these malicious files are executed, they instead install malware that steals information on the system of the victim, which gives the attackers access to sensitive data. 

The high-profile nature of the LDAP vulnerabilities is utilized in this attack in order to increase the likelihood that victims will fall for the lure.

 Repository containing “poc.exe”
 Repository containing “poc.exe”

A malicious actor forked a legitimate Python repository and then replaced the original Python source code files with a packed executable (poc.exe) likely created using UPX.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

This substitution is highly suspicious, as executables are not typically found within Python projects, which primarily rely on Python scripts, as this unexpected presence of an executable strongly indicates malicious activity within the repository.

Upon execution, the file drops and executes a PowerShell script in the %Temp% directory and establishes a persistent infection by creating a scheduled task that triggers the execution of an encoded script. 

After decoding, this script fetches another script from Pastebin and the final script acquires the victim’s public IP address and exfiltrates it to an external server via FTP, likely for further exploitation or command-and-control purposes.

creation of the Scheduled Job
creation of the Scheduled Job

The procedure involves collecting sensitive system data, including computer specifications, running processes, directory contents, network configurations (IPs and adapters), and installed updates, which is then compressed using the ZIP algorithm for efficient storage. 

The compressed data is then uploaded to an external FTP server using credentials that have been pre-defined, which may result in sensitive system information being accessed by unauthorized parties.

To mitigate the risk of downloading malware from fake repositories, prioritize downloading code from official and trusted sources. Scrutinize repositories with suspicious content, especially those with few stars, forks, or contributors, despite claims of widespread use. 

Verify the repository owner’s identity whenever possible and conduct thorough reviews of commit history and recent changes for anomalies. Investigate the repository’s discussion forums and issue trackers for potential red flags. 

According to Trend Micro, by implementing these measures, developers can significantly reduce the likelihood of introducing malicious code into their projects.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Latest articles

QSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

The QSC Loader service DLL named "loader.dll" leverages two distinct methods to obtain the...

New NonEuclid RAT Evades Antivirus and Encrypts Critical Files

A NonEuclid sophisticated C# Remote Access Trojan (RAT) designed for the.NET Framework 4.8 has...

Hackers Targeting Users Who Lodged Complaints On Government portal To Steal Credit Card Data

Fraudsters in the Middle East are exploiting a vulnerability in the government services portal....

Juniper Networks Vulnerability Let Remote Attacker Execute Network Attacks

Juniper Networks has disclosed a significant vulnerability affecting its Junos OS and Junos OS...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

QSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

The QSC Loader service DLL named "loader.dll" leverages two distinct methods to obtain the...

New NonEuclid RAT Evades Antivirus and Encrypts Critical Files

A NonEuclid sophisticated C# Remote Access Trojan (RAT) designed for the.NET Framework 4.8 has...

Hackers Targeting Users Who Lodged Complaints On Government portal To Steal Credit Card Data

Fraudsters in the Middle East are exploiting a vulnerability in the government services portal....