“Suspicious activity included unexpected network connections, unusual data transfers, and unauthorized system access attempts,” Uptycs said.
Upon investigation, it was found that the PoC is a copy of an old, legitimate exploit for another Linux kernel vulnerability, CVE-2022-34918. The only difference was an additional file “src/aclocal.m4,” which acted as a downloader for a Linux bash script.
The PoC is used to build executables from source code files. It leverages the “make” command to create a “kworker” file and adds its file path to the “bashrc” file, thus enabling the malware to continually operate within a victim’s system. The researchers said this persistence methodology is quite crafty.
Researchers also observed the same profile, ChriSander22 on GitHub, circulating another bogus PoC for VMware Fusion CVE-2023-20871. “Its contents are the same as CVE-2023-35829, with the same aclocal.m4 triggering the installation of the hidden backdoor,” Uptycs said.
Safeguarding against malicious PoCs
While it can be challenging to distinguish legitimate PoCs from deceptive ones, adopting safe practices such as testing in isolated environments or virtual machines can provide a layer of protection for security researchers.
In this particular case, Uptycs recommends removing any unauthorized SSH keys, deleting the kworker file, removing the kworker path from the bashrc file, and checking /tmp/.iCE-unix.pid for potential threats.
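As an added defender-side example (not code from Uptycs or this article), the following POSIX shell audit checks a host for the artifacts listed above: a kworker reference in .bashrc, a dropped kworker file, the /tmp/.iCE-unix.pid file, and SSH keys absent from an operator-maintained allowlist. The home directory, temp directory and allowlist-file arguments are assumptions so the check can be run against a constructed fixture.

```shell
# audit_host <home_dir> <tmp_dir> <allowed_keys_file>
# Prints each finding and returns the number of indicator classes hit
# (0 = clean). Directory arguments and the allowlist file are assumptions.
audit_host() {
    home_dir=$1; tmp_dir=$2; allowed_keys=$3
    findings=0

    # 1. Persistence: kworker path appended to .bashrc
    if [ -f "$home_dir/.bashrc" ] && grep -q 'kworker' "$home_dir/.bashrc"; then
        echo "FINDING: .bashrc references kworker:"
        grep -n 'kworker' "$home_dir/.bashrc"
        findings=$((findings + 1))
    fi

    # 2. The kworker file itself, anywhere under the home directory
    kw=$(find "$home_dir" -type f -name kworker 2>/dev/null)
    if [ -n "$kw" ]; then
        echo "FINDING: kworker file(s):"
        echo "$kw"
        findings=$((findings + 1))
    fi

    # 3. The pid file Uptycs names as a tell-tale
    if [ -e "$tmp_dir/.iCE-unix.pid" ]; then
        echo "FINDING: $tmp_dir/.iCE-unix.pid present"
        findings=$((findings + 1))
    fi

    # 4. authorized_keys entries not present in the operator's allowlist
    auth="$home_dir/.ssh/authorized_keys"
    if [ -f "$auth" ]; then
        while read -r line; do
            case "$line" in ''|'#'*) continue ;; esac
            if ! grep -qxF "$line" "$allowed_keys" 2>/dev/null; then
                echo "FINDING: unrecognized SSH key (type ${line%% *})"
                findings=$((findings + 1))
            fi
        done < "$auth"
    fi

    return "$findings"
}
```

Run it as `audit_host "$HOME" /tmp /etc/ssh/allowed_keys.txt` (the allowlist path is an assumption); a non-zero exit is the number of findings, which is what the remediation steps above address.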