Researchers from the Leiden University published a paper detailing how cybercriminals are using fake Proof-of-Concepts (PoCs) to install malware on researchers' systems. The researchers found these fake PoCs on a platform where security professionals would usually expect to find them—the public code repository GitHub.
Use of PoCs
There is a big difference between knowing that a vulnerability exists and having a PoC available. If someone else has already put in the work of figuring out how a new vulnerability can be weaponized, it allows you to put it to the test, which is certainly not done to make the life of cybercriminals easier.
Security professionals are interested in PoCs because it gives them a better understanding about vulnerabilities. PoCs also offer the opportunity to see if certain mitigation techniques or updates solve the problem. They can also be used for red teaming to demonstrate the possible impact of successful attacks.
The researchers investigated PoCs shared on GitHub for known vulnerabilities discovered between 2017 and 2021. They found that 4,893 malicious repositories out of the 47,313 repositories they downloaded and checked qualified as malicious. The qualification was based on calls to known malicious IP addresses, encoded malicious code, or the presence of Trojanized binaries. That is more than 10 percent of the samples the researchers checked.
More reputable sources for PoCs like Exploit-DB try to validate the effectiveness and legitimacy of PoCs. In contrast, public code repositories like GitHub do not have such a exploit vetting process. But if a researcher is looking for a PoC based on a particular vulnerability and they can’t find it on a more reputable source they will have to resort to public platforms.
Since it is an impossible task to do a detailed analysis of many thousands of PoCs, the researchers had to decide on certain indicators to establish whether a PoC was in fact malicious. Not an easy task since the behavior of a PoC to exploit a vulnerability might be detected as malicious by most anti-malware solutions. So, the researchers had to identify properties that indicate some other malicious goals, unrelated to the original PoC goals.
They did this by looking for the following indicators:
- IP addresses: The researchers extracted IP addresses and removed all private IP addreses. The results were compared with VirusTotal, AbuseIPDB, and other publicly available blocklists.
- Binaries, focused on EXE files which can be run on Windows systems, since most of malware attacks are conducted against Windows users. After extracting them, the researchers checked their hashes in VirusTotal and from those detected as malicious, dismissed the ones listed as an exploit of the target vulnerability.
- Obfuscated payloads: By performing hexadecimal and base64 analysis, the researchers were able to extract some extra malicious PoCs.
For a full explanation of their methodology, we encourage you to read their full paper.
Out of 47,313 GitHub repositories with PoCs, the researchers detected 4,893 malicious repositories (i.e., 10.3 percent). Inside some of these malicious PoCs they found instructions to open backdoors or plant malware in the system that is running on it. This means that these PoCs are indeed targeting the security service community, which leads to targeting every customer of such security company using these PoCs from GitHub. The results also show that malicious repositories are on average more similar to each other than non-malicious ones, which may lead to improved methods for further research.