Hackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware.
These malicious exploits are promoted by alleged researchers at a fake cybersecurity company named 'High Sierra Cyber Security,' who promote the GitHub repositories on Twitter, likely to target cybersecurity researchers and firms involved in vulnerability research.
The repositories appear legitimate, and the users who maintain them impersonate real security researchers from Rapid7, and other security firms, even using their headshots.
The same personas maintain accounts on Twitter to help add legitimacy to their research and the code repositories like GitHub, as well as draw victims from the social media platform.
This campaign was
discovered by VulnCheck, who reports that it has been underway since at least May 2023, promoting supposed exploits for zero-day flaws in popular software like Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange.
In all cases, the malicious repositories host a Python script ('poc.py') that acts as a malware downloader for Linux and Windows systems.
The script downloads a ZIP archive from an external URL to the victim's computer depending on their operating system, with Linux users downloading 'cveslinux.zip' and Windows users receiving 'cveswindows.zip.'
The malware is saved to the Windows %Temp% or the Linux /home/<username>/.local/share folders, extracted, and executed.
VulnCheck reports that the Windows binary contained in the ZIP ('cves_windows.exe') is flagged by
over 60% of AV engines on VirusTotal. The Linux binary ('cves_linux') is much more stealthy, only caught by
three scanners.
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
