BleepingComputer reports that information-stealing malware has been distributed by threat actors through a malicious GitHub repository with a fraudulent proof-of-concept exploit for the recently patched Windows Lightweight Directory Access Protocol denial-of-service vulnerability dubbed LDAPNightmare and tracked as CVE-2024-49113.
Executing the bogus exploit, which is based on the legitimate PoC created by SafeBreach Labs but ships a UPX-packed poc.exe file, launches a PowerShell script in the targeted system's %Temp% folder that registers a scheduled job to run the script and eventually retrieve the infostealing payload, according to a Trend Micro analysis. Besides collecting computer details and process and directory lists, the infostealer also gathers network adapter details and IP addresses for exfiltration to an external FTP server, the researchers said. Such findings should prompt more thorough repository validation and code review, uploading of binaries to VirusTotal, and avoidance of any obfuscated code.
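The pre-execution checks the last sentence calls for can be scripted. The Python below is an added example, not code from BleepingComputer, Trend Micro or SafeBreach Labs: it walks a cloned PoC repository, flags prebuilt executables and launcher scripts that a source-level exploit has no reason to ship, tests for the section names and tag the UPX packer leaves in a PE image, and prints SHA-256 hashes to look up on VirusTotal before anything is run. The sample repository, including the fake poc.exe (an MZ header plus UPX markers, not a real binary), is constructed inline so the script runs offline; the file names and marker list are this example's assumptions.

```python
"""Pre-execution triage for a cloned proof-of-concept repository.

Added example (not from the article or the vendors it cites). It surfaces the
warning signs described above: a prebuilt executable committed to a "PoC"
repo, UPX packing, and launcher scripts, together with hashes for VirusTotal.
"""
import hashlib
import tempfile
from pathlib import Path

# File types a source-level PoC has no reason to ship prebuilt; a committed
# .exe is the first thing to question (the fake LDAPNightmare PoC shipped poc.exe).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}
# Launcher scripts that deserve a manual read before anything is executed.
SCRIPT_EXTENSIONS = {".ps1", ".bat", ".cmd", ".vbs", ".hta"}
# Strings the UPX packer leaves in a packed PE: its section names and stub tag.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def sha256_of(path: Path) -> str:
    """Hash to look up (or submit) on VirusTotal without running the file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_upx_packed(data: bytes) -> bool:
    """True for an MZ/PE image that carries UPX section names or the UPX! tag."""
    return data.startswith(b"MZ") and any(marker in data for marker in UPX_MARKERS)


def triage_repo(root: Path) -> list[dict]:
    """Walk a cloned repo and return one finding per file that needs a look."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        ext = path.suffix.lower()
        rel = path.relative_to(root).as_posix()
        if ext in EXECUTABLE_EXTENSIONS:
            packed = looks_upx_packed(path.read_bytes())
            reason = "upx-packed executable" if packed else "prebuilt executable"
            findings.append({"path": rel, "reason": reason, "sha256": sha256_of(path)})
        elif ext in SCRIPT_EXTENSIONS:
            findings.append({"path": rel, "reason": "launcher script, review before use",
                             "sha256": sha256_of(path)})
    return findings


def build_sample_repo() -> Path:
    """Constructed sample: a fake PoC repo with a planted UPX-style binary."""
    root = Path(tempfile.mkdtemp(prefix="poc-triage-"))
    (root / "README.md").write_text("# CVE-2024-49113 PoC\nRun poc.exe\n")
    (root / "poc.py").write_text("print('source-level poc placeholder')\n")
    # Not a real PE: an MZ header plus the UPX markers, enough to trip the check.
    (root / "poc.exe").write_bytes(b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"UPX0" + b"UPX1" + b"UPX!")
    (root / "run.ps1").write_text("Write-Host placeholder\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for finding in triage_repo(repo):
        print(f"{finding['reason']:<36} {finding['path']}  sha256={finding['sha256']}")
```

Point `triage_repo` at a freshly cloned repository instead of the sample and treat every "prebuilt executable" or "upx-packed executable" line as a reason to stop and review, since a legitimate PoC for a protocol bug is normally source you can read. The UPX check is deliberately string-based; a packed file whose markers were stripped will only show up as "prebuilt executable", which is still a finding.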