The SonicWall piece analyzes CVE-2024-5932, a code-injection vulnerability in the GiveWP WordPress plugin, and details a malicious PoC aimed at security researchers that drops an XMRig crypto miner and can enable data exfiltration and backdoor activity. It stresses caution when running public PoCs from GitHub and outlines observable indicators and best practices to mitigate the risk. #CVE-2024-5932 #GiveWP #XMRig #EQSTLab #GitHub
Keypoints
- CVE-2024-5932: A code injection vulnerability in the GiveWP WordPress plugin.
- Malicious PoC: A trojanised PoC targeting cybersecurity professionals for crypto mining and data exfiltration.
- GitHub Risks: Public PoCs on GitHub can be compromised; researchers must verify scripts before execution.
- Malicious Code Behavior:
  - Clones a second-stage shell script (c.sh) from a separate GitHub repository; that script contains the crypto mining code.
  - Makes the script executable, runs it, and then deletes it.
  - Creates a cronjob so the mining process persists across reboots.
- Indicators of Compromise: Look for a process named “.x”, cron entries that launch it, and outbound network connections from that process.
- Best Practices: Run public PoCs only in isolated environments, read a script before executing it, and check the repository's issues for warnings from other researchers.
- Community Awareness: Researchers flagged the issue on social media platforms.
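A concrete form of "verify scripts before execution": the following added shell example (written for this summary, not code from the SonicWall post or from either GitHub repository) greps a freshly cloned PoC directory for the behaviours the post attributes to the trojanised copy (fetching and executing a second-stage script, chmod +x, self-deletion, cron persistence) plus the usual ways of hiding them (encoded blobs, shell-outs from Python). The pattern list is this example's own heuristics, and the files it is run against are constructed.

```shell
#!/bin/sh
# Added example: static first-pass triage of a freshly cloned PoC, to run BEFORE
# anything in it is executed. Every pattern below is a heuristic chosen for this
# example (not taken from the SonicWall post); a hit means "read this line", not
# "this is malware". Needs only POSIX sh, find, grep -E and sed.

# "label|extended-regex", one per line. The label is everything before the
# first "|"; the regex itself may contain "|".
SUSPICIOUS_PATTERNS='
remote-fetch|(curl|wget|git clone|urlopen|requests\.get).*https?://
make-executable|chmod[[:space:]]+([ugoa]*[+]x|[0-7]*7[0-7]*)
self-delete|(rm|unlink|os\.remove).*\$0|rm[[:space:]]+-f.*\.sh
cron-persist|crontab|/etc/cron|@reboot
encoded-blob|base64[[:space:]]+(-d|--decode)|[A-Za-z0-9+/]{120,}={0,2}
shell-out|os\.system|subprocess\.(run|Popen|call|check_output)|(^|[^A-Za-z_])eval[[:space:]]*[("$]
'

# scan_poc <dir>: print "[label] file:line:text" for every hit under <dir>,
# skipping the .git metadata directory. Exit status 0 = at least one hit.
scan_poc() {
    dir=${1:?usage: scan_poc <cloned-poc-dir>}
    printf '%s\n' "$SUSPICIOUS_PATTERNS" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        label=${entry%%|*}
        re=${entry#*|}
        find "$dir" -type f ! -path '*/.git/*' -exec grep -nHE -e "$re" {} + 2>/dev/null |
            sed "s|^|[$label] |"
    done | grep .
}

# Command-line use: clone into a scratch directory, scan it, and only then read
# the flagged lines (and diff the clone against the upstream repo it claims to
# copy). With no arguments the script only defines scan_poc.
if [ "${1:-}" = "--scan" ]; then
    if scan_poc "${2:?--scan <dir>}"; then
        echo 'review the lines above before running anything'
    else
        echo 'no heuristic hits (not a clean bill of health; read the code anyway)'
    fi
fi
```

The scan is deliberately noisy: a legitimate exploit can carry a long base64 payload or shell out to a helper, so a hit is a pointer to the lines worth reading, and the absence of hits says nothing about obfuscation the patterns do not cover.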
MITRE Techniques
- [T1588.005] Obtain Capabilities – Exploits – ‘CVE-2024-5932: A code injection vulnerability in the GiveWP WordPress plugin.’
- [T1189] Drive-by Compromise – Drive-by compromise – ‘Public POCs on GitHub can be compromised; researchers must verify scripts before execution.’
- [T1204.002] User Execution: Malicious File – User execution: ‘It clones the specified malicious script from the repository (http[s]://github[.]com/niktoproject/c/blob/main/c[.]sh – malicious), which contains crypto mining code.’
- [T1053.003] Scheduled Task/Job: Cron – ‘Creates a cronjob to make sure the mining process persists across reboots’
- [T1070.004] Indicator Removal: File Deletion – ‘It deletes the script’
- [T1082] System Information Discovery – ‘Collects information of the machine resources, such as RAM and CPU, to use as a unique identifier’
- [T1496] Resource Hijacking – ‘The mining code uses XMRig miner to mine Monero’
Indicators of Compromise
- [Process] Crypto mining process – ‘.x’ process consuming resources
- [Cron] Malicious cronjob – presence of a malicious cronjob in the cron list
- [Network] Outgoing connections – connections to mining-related ports
- [URL] Public PoC repositories – the SonicWall post (https://blog.sonicwall.com/en-us/2024/09/hold-verify-execute-rise-of-malicious-pocs-targeting-security-researchers/) references public PoCs; example repos include https://github.com/EQSTLab/CVE-2024-5932 and http[s]://github.com/niktoproject/CVE-2024-5932 (the niktoproject account is also the host of the malicious c.sh script quoted above)
- [File] Miner executable path – /home//.xconfig/.x (the username segment is stripped in the source: a hidden .xconfig directory inside the user's home)
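Turning the indicators above into host checks, as an added example (written for this summary, not code from the SonicWall post): each function reads a listing on stdin (live output from ps, crontab or ss, or a captured copy) and exits 0 when the indicator is present, so the checks can be dropped into a triage script. Assumed rather than stated by the post: the dropped binary sits at <home>/.xconfig/.x (the listed path has its username removed) and the listings are in the default formats of procps "ps", "crontab -l" and iproute2 "ss -ntp". The sample listings in the usage below are constructed.

```shell
#!/bin/sh
# Added example (not from the SonicWall post): host-side hunt for the indicators
# listed above on a Linux box. Assumed, not stated by the post: the dropped
# binary lives at <home>/.xconfig/.x, and the listings are in the default
# formats of procps "ps", "crontab -l" and iproute2 "ss -ntp".

MINER_REL_PATH='.xconfig/.x'      # literal, used by awk index() and find
MINER_PATH_RE='\.xconfig/\.x'     # the same path, escaped for grep -E

# Feed "ps -eo pid,comm,args --no-headers". Flags a command name of exactly
# ".x" or any argv that runs the dropped binary. comm is attacker-controlled,
# so the path match is the one that survives a rename.
find_miner_process() {
    awk -v rel="$MINER_REL_PATH" '
        $2 == ".x" || index($0, "/" rel) > 0 { found = 1; print }
        END { exit found ? 0 : 1 }'
}

# Feed "crontab -l" output (and /etc/crontab, /etc/cron.d/*). Ignores comment
# lines; flags entries that launch ".x" by name or by its dropped path.
find_miner_cron() {
    grep -Ev '^[[:space:]]*#' |
        grep -E -e "$MINER_PATH_RE" -e '(^|[[:space:]/])\.x([[:space:]]|$)'
}

# Feed "ss -ntp" output. Flags every TCP connection owned by a ".x" process,
# whatever the remote port (pool ports vary; the owning process does not).
find_miner_connections() {
    grep -E 'users:\(\("\.x"'
}

# find_miner_file [root]: locate the dropped binary under every home directory.
find_miner_file() {
    find "${1:-/home}" -type f -path "*/$MINER_REL_PATH" 2>/dev/null | grep .
}

# Live run against the current host: returns 1 if any indicator is present.
run_live_triage() {
    status=0
    ps -eo pid,comm,args --no-headers | find_miner_process && status=1
    { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } | find_miner_cron && status=1
    if command -v ss >/dev/null 2>&1; then
        ss -ntp 2>/dev/null | find_miner_connections && status=1
    fi
    find_miner_file /home && status=1
    return $status
}

# "sh hunt.sh --live" runs the checks; with no arguments only the functions are defined.
if [ "${1:-}" = "--live" ]; then
    run_live_triage
fi
```

Because the process name is under the attacker's control, the path match inside find_miner_process and the cron check are the durable parts: a renamed miner still has to be launched from somewhere, and the cron entry that relaunches it after a reboot is where the post says that happens.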