Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering a Python-based remote access trojan (RAT) named ChocoPoC that can execute commands and steal sensitive data in a campaign believed to target cybersecurity researchers.
Hiding malware in PoC exploits for various vulnerabilities is not new: threat actors have posed as real security researchers and taken advantage of trending vulnerabilities to target vulnerability researchers, penetration testers, or low-skilled hackers.
However, ChocoPoC stands out for not embedding the malware directly in the exploit file but for adding malicious Python packages to the PoC’s dependency list.
According to researchers at cybersecurity company Sekoia, the packages are hosted on the Python Package Index (PyPI), a platform used by Python developers to source and share code.
Once the victim clones a malicious repository, a trojanized package named ‘frint’ is automatically fetched and installed on their systems.
[Image: Example of a malicious repository. Source: Sekoia]
During installation, the package pulls a malicious dependency package, ‘skytext,’ which contains a compiled native Python extension.
When the PoC executes, the extension runs automatically and decrypts additional embedded Python code that triggers a downloader to retrieve the final payload, ChocoPoC, from a Mapbox dataset.
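As an added defensive example (not Sekoia's or the article's code), the script below statically extracts a cloned PoC's direct and transitive dependency names from requirements.txt and setup.py without executing anything, so an unfamiliar package of the kind described above can be reviewed before pip installs it, and it flags compiled extension modules that would run on import. The allowlist, file names, and sample inputs are constructed for illustration.

```python
"""Static pre-install triage of a cloned PoC's Python dependencies.
Parses requirements.txt and setup.py without executing them, flags
dependencies outside an allowlist, and lists compiled extension modules
(.so/.pyd) that execute on import. All sample inputs are constructed."""
import ast
import re
from typing import Iterable

# Constructed allowlist a team might keep for PoC tooling (example only).
KNOWN_GOOD = {"requests", "pwntools", "paramiko"}

# Constructed requirements.txt mirroring the pattern in the article:
# one unfamiliar package slipped in among legitimate ones.
SAMPLE_REQUIREMENTS = """\
requests>=2.31
pwntools
frint==0.1.2   # unfamiliar package
"""

# Constructed setup.py for that package, pulling in a second package.
SAMPLE_SETUP_PY = """\
from setuptools import setup
setup(name="frint", version="0.1.2", install_requires=["skytext"])
"""

_SPEC_SPLIT = re.compile(r"[<>=!~;\[\s]")  # cut version/extras/markers

def parse_requirements(text: str) -> list[str]:
    """Return bare, lower-cased package names from requirements.txt."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # skip blanks and pip options such as -r / -e
        names.append(_SPEC_SPLIT.split(line, maxsplit=1)[0].lower())
    return names

def install_requires_from_setup(src: str) -> list[str]:
    """Extract install_requires from setup.py via an AST walk, never exec."""
    found = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call) and getattr(node.func, "id", "") == "setup":
            for kw in node.keywords:
                if kw.arg == "install_requires" and isinstance(kw.value, ast.List):
                    found += [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
    return [_SPEC_SPLIT.split(n, maxsplit=1)[0].lower() for n in found]

def unknown_packages(names: Iterable[str], allowlist=KNOWN_GOOD) -> list[str]:
    """Dependencies not on the allowlist need manual review before install."""
    return sorted(set(names) - allowlist)

def native_extensions(filenames: Iterable[str]) -> list[str]:
    """Compiled modules in a wheel/sdist file listing; they run on import."""
    return [f for f in filenames if f.endswith((".so", ".pyd"))]
```

Run the checks against the archive listing of each downloaded distribution (for example from `pip download --no-deps`) before any `pip install` touches the clone.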
The ChocoPoC RAT has the following capabilities: