
A malicious campaign is targeting security researchers by distributing a fake proof-of-concept (PoC) exploit for the LDAPNightmare vulnerabilities (CVE-2024-49112 and CVE-2024-49113). The attack leverages a GitHub repository disguised as a legitimate PoC, which instead delivers an information-stealing payload. This highlights the ongoing risks of downloading unverified exploit code, even from trusted platforms.
Technical Analysis of the Attack
The malicious repository appears to be a fork of a legitimate LDAPNightmare PoC but substitutes the original Python files with a UPX-packed executable (poc.exe). When executed, this binary drops a PowerShell script that establishes persistence via scheduled tasks and collects sensitive system data. The script gathers information such as public IP addresses, running processes, directory contents, and installed updates before exfiltrating the data to an attacker-controlled FTP server.
Security teams can detect this activity by monitoring for PowerShell scripts executing from temporary directories (%Temp%\*.tmp\*.ps1). Trend Vision One customers can use the following hunting query:
eventSubId: 101 AND objectFilePath: /AppData\\Local\\Temp\\\w+\.tmp\\\w+\.tmp\\\w+\.ps1/
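As an added example (not code from the original post or from Trend Micro's tooling), the same nested-.tmp path pattern expressed as a standalone check that can be run over exported telemetry. The eventSubId and objectFilePath field names are taken from the query above; the sample records below are constructed, not real indicators from the campaign.

```python
import re

# Regex form of the hunting query above: a .ps1 launched from a nested
# <name>.tmp\<name>.tmp directory under %LocalAppData%\Temp.
# Windows paths are case-insensitive, so the match is too.
PS1_IN_TEMP_RE = re.compile(
    r"\\AppData\\Local\\Temp\\\w+\.tmp\\\w+\.tmp\\\w+\.ps1$",
    re.IGNORECASE,
)

# Assumption: 101 is the event class the query filters on (taken from the query itself).
FILE_EVENT_SUB_ID = 101


def is_suspicious_ps1(event: dict) -> bool:
    """Return True if the record matches the staged-PowerShell path pattern."""
    if event.get("eventSubId") != FILE_EVENT_SUB_ID:
        return False
    path = str(event.get("objectFilePath", ""))
    # Some log sources emit forward slashes; normalise so they still match.
    path = path.replace("/", "\\")
    return PS1_IN_TEMP_RE.search(path) is not None


def hunt(events):
    """Return the objectFilePath of every matching record, in input order."""
    return [e["objectFilePath"] for e in events if is_suspicious_ps1(e)]


# Constructed sample telemetry (hypothetical paths, not campaign IOCs).
SAMPLE_EVENTS = [
    {"eventSubId": 101,  # textbook hit
     "objectFilePath": r"C:\Users\alice\AppData\Local\Temp\ab12.tmp\cd34.tmp\run.ps1"},
    {"eventSubId": 101,  # forward slashes and mixed case still match
     "objectFilePath": "c:/users/bob/appdata/local/temp/x9.TMP/y8.tmp/stage.PS1"},
    {"eventSubId": 101,  # only one .tmp level: not the nested pattern
     "objectFilePath": r"C:\Users\alice\AppData\Local\Temp\ab12.tmp\run.ps1"},
    {"eventSubId": 101,  # ordinary admin script outside Temp
     "objectFilePath": r"C:\Scripts\maint.ps1"},
    {"eventSubId": 7,    # right path, wrong event class
     "objectFilePath": r"C:\Users\alice\AppData\Local\Temp\ab12.tmp\cd34.tmp\run.ps1"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit)
```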
Indicators of Compromise (IOCs)
The following IOCs have been associated with this campaign:
- File: poc.exe (UPX-packed executable)
- FTP Server: malicious-server.com (IP redacted)
- Pastebin URL: https://pastebin.com/raw/[malicious_script]
Mitigation and Best Practices
To protect against similar attacks, organizations should:
- Verify repositories: Cross-check GitHub forks against original sources and review commit histories for suspicious changes.
- Restrict PowerShell execution: Limit script execution in environments where PoCs are analyzed.
- Monitor FTP traffic: Block unauthorized outbound FTP connections, particularly from research systems.
Conclusion
This campaign underscores the persistent threat of malware masquerading as exploit research. As critical vulnerabilities like LDAPNightmare attract widespread attention, defenders must balance proactive analysis with operational security measures. Organizations should remain vigilant when downloading and testing PoC exploits from untrusted sources.