Thousands of Fake POC Exploits in Github Repositories Deliver Malware

A technical paper from the researchers at Leiden Institute of Advanced Computer Science details how researchers discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. In an inspection of 47,313 downloaded and checked repositories, fully 10.3% (4893), were found to “have symptoms of malicious intent.” This number excluded fakes and prankware.


Cybersecurity experts form Cybrary and Tanium weighed in on this discovery and what it could mean for security professionals.

Matt Mullins, Senior Security Researcher, Cybrary:

“PoC code is a great vector for infecting and attacking security researchers and employees. APT groups and individuals have figured this out and have begun building fake PoCs, infected/backdoored PoCs, or even "selling" PoCs for BTC without any intention of providing real code. Security researchers, defenders, pentester, and red teamers all "know where the bodies are buried" when it comes to corporations and governmental entities so the attacks against them are definitely things we have seen increased in the news (and will see more of in the future). A great case and point is the leaking of the popular tool Cobalt Strike, which has been repackaged with malware, so that individuals will pull it down and install it. Other known vulnerabilities targeting juicy aspects on windows such as SMB have had their "PoC" code for sale, with the wallet linked to the Github repo, enticing victims to spend to get it.

All of this points to a ground truth for security professionals-read your PoC code, test it in a sandbox or other safe environment, identify what the code is doing, etc. There is a lot of talk about "not needing to know how to code" in our industry but this is a great example of where having that knowledge can literally prevent a breach. Further, if one can read the PoC code and also has the ability to look further, such as reverse the shellcode typically packaged with exploits, one can also identify things that might be obfuscated or missed by someone who understands the code but isn't looking as closely. Always check code, compile it yourself if you can, and know and trust who you get it from!”

James Lively, Endpoint Security Research Specialist, Tanium:

“If the source code is available for an exploit PoC, one should review the source, and then build it from the source. I don't recommend running anything already compiled or built as it can differ from the source.

I highly recommend working out of an airgapped/non-network connected sandbox environment when working with exploits and malware. An airgapped sandbox environment allows one to detonate possible malicious code, test exploits/PoCs, and perform basic static and dynamic analysis without worry that something unexpected spreads throughout their own network or tries to call home -- which could lead to legal troubles.”


###