Fake WinRAR PoC Exploit Conceals VenomRAT Malware

In a new twist on the cybercrime penchant for trojanizing things, a threat actor recently pounced upon a “hot” vulnerability disclosure to create a fake proof of concept (PoC) exploit that concealed the VenomRAT malware.

According to research from Palo Alto Networks, the cyberattacker, who goes by “whalersplonk,” took advantage of a very real remote code execution (RCE) security bug in WinRAR (CVE-2023-40477) that was made public on Aug. 17. The attacker quickly pulled together a convincing but fake PoC for the bug and pushed it to a GitHub repository the same week, knowing that the flaw would attract attention: WinRAR, after all, has more than 500 million users worldwide.

The PoC was believable because it was adapted from a publicly available PoC script for a SQL injection vulnerability in an application called GeoServer, according to the researchers; the borrowed code gave it the look of a real exploit without doing anything against WinRAR. In reality, once run, it kicked off an infection chain that ended with the VenomRAT payload being installed on the victim's computer. VenomRAT appeared for sale on Dark Web forums over the summer, loaded with spyware and persistence capabilities.
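The practical lesson is that a PoC pulled from a fresh repository should be read, not run. As an added example (not code from the Unit 42 report or from the repository the article describes), the Python script below does a static triage of a downloaded PoC: it walks the AST for process-spawning and download calls, flags strings that point at a second-stage loader (PowerShell, batch files, URLs), and decodes long base64 literals, which is where a hidden command usually lives. The sample "PoC" it is run against, the `stage.ps1` name and the loader command are constructed assumptions for illustration, not the real whalersplonk file.

```python
"""Static triage of a downloaded Python 'PoC' before anyone runs it.

Added example, not from Unit 42 or the fake WinRAR repository. The sample
script at the bottom is constructed for illustration only.
"""
import ast
import base64
import re

# Calls that let a script run commands or fetch remote content. A PoC for a
# file-format bug (like a malformed RAR) has no business making these.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "exec", "eval",
    "urllib.request.urlopen", "requests.get", "base64.b64decode",
}
# Strings that point at a second-stage loader rather than the advertised bug.
SUSPICIOUS_STRINGS = re.compile(
    r"(powershell|-EncodedCommand|\.bat\b|\.ps1\b|https?://|cmd\.exe)", re.I
)


def _qualname(node):
    """Dotted name of a Call's func node, e.g. 'subprocess.run', or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage(source: str) -> dict:
    """Return (lineno, item) findings: suspicious calls, strings, decoded base64."""
    tree = ast.parse(source)
    findings = {"calls": [], "strings": [], "decoded": []}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _qualname(node.func)
            if name in SUSPICIOUS_CALLS:
                findings["calls"].append((node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if SUSPICIOUS_STRINGS.search(s):
                findings["strings"].append((node.lineno, s[:60]))
            # Long base64-looking literals are the usual place to hide a command.
            if len(s) >= 24 and re.fullmatch(r"[A-Za-z0-9+/=]+", s):
                try:
                    decoded = base64.b64decode(s, validate=True).decode("utf-8")
                except Exception:
                    continue
                findings["decoded"].append((node.lineno, decoded))
                if SUSPICIOUS_STRINGS.search(decoded):
                    findings["strings"].append((node.lineno, decoded[:60]))
    return findings


def is_suspicious(source: str) -> bool:
    """True if the script spawns/downloads anything or references a loader."""
    f = triage(source)
    return bool(f["calls"] or f["strings"])


# Constructed sample (hypothetical): looks like it builds a malformed archive for
# the advertised bug, but the payload is a hidden, base64-encoded loader command.
_STAGE_CMD = "powershell -ep bypass -f stage.ps1"  # assumed loader command
_ENC = base64.b64encode(_STAGE_CMD.encode()).decode()
SAMPLE_POC = f'''
import subprocess, base64

def build_rar(path):
    # Looks like it crafts a malformed archive for the advertised bug...
    hdr = b"Rar!\\x1a\\x07\\x01\\x00" + b"A" * 600
    open(path, "wb").write(hdr)

if __name__ == "__main__":
    build_rar("poc.rar")
    # ...but the real action is a second-stage loader.
    subprocess.run(base64.b64decode("{_ENC}").decode(), shell=True)
'''

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_POC).items():
        for lineno, item in items:
            print(f"{kind:8} line {lineno}: {item}")
```

Run it against any `poc.py` by passing the file contents to `triage()`; a clean finding list does not prove the script is safe (obfuscation, native extensions and `pip install` side effects are out of scope), but a hit on `subprocess`, `powershell` or a decodable base64 blob in a supposed file-format PoC is reason enough to stop and read it in a sandbox.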

While this sort of gambit would at first appear to be part of the tried-and-true tradition of targeting security researchers with espionage tools, Palo Alto's researchers think it was opportunistic rather than targeted.

“It is likely [that] the actors are opportunistic and looking to compromise other miscreants trying to adopt new vulnerabilities into their operations,” according to the firm’s research, issued Sept. 19. “The actors acted quickly to capitalize on the severity of an RCE in a popular application.”

More from Dark Reading