Security experts are being targeted with fake malware discoveries

Trend Micro spots piece of malware being advertised as PoC fork for a major Windows vulnerability
The malware acts as an infostealer, grabbing vital system information
These types of attacks are often conducted by nation-states

Cybercriminals are targeting security researchers with fake proof-of-concept (PoC) solutions, trying to infect their computers with infostealing malware, experts have warned.

Cybersecurity researchers Trend Micro, who spotted the new campaign in January 2025, noted how the crooks would publish a PoC for a popular, critical-severity vulnerability, to draw the attention of the cybersecurity crowd.

The researchers would then grab the PoC for analysis, and would end up installing a piece of malware, instead.

Stealing vital PC information

In this particular case, the crooks were advertising a fork of a legitimate, existing PoC for LDAPNightmare, a vulnerability discovered earlier in January, and consisting of two flaws, CVE-2024-49112, and CVE-2024-49113.

The former serves as bait here, since it is a 9.8/10 severity flaw, affecting Windows Lightweight Directory Access Protocol (LDAP), and allowing for remote code execution (RCE).

In its writeup, Trend Micro researcher Sarah Pearl Camiling said “both vulnerabilities were deemed as highly significant due to the widespread use of LDAP in Windows environments.” Both flaws were patched in December 2024, through the Patch Tuesday cumulative update.

In the fake PoC, the crooks replaced some of the legitimate files with an executable named “poc.exe”. This would deploy a PowerShell script which would, in turn, deploy another script that steals data from the computer.

Here is what the infostealer goes for:

– PC information
– Process list
– Directory lists (Downloads, Recent, Documents, and Desktop)
– Network IPs
– Network adapters
– Installed updates

This type of attack is nothing new – criminals have regularly been observed applying the same tactics in the past.

Although this was not hinted at in the report, these types of attacks are often conducted by nation-state actors, in an attempt to gather vital intelligence regarding the cybersecurity practices of large tech organizations, government firms, critical infrastructure players, and more.

Via The Register

Source link