Microsoft’s December 2024 Patch Tuesday release addressed two critical Windows LDAP vulnerabilities that could be exploited by remote attackers to execute arbitrary code on vulnerable systems, potentially enabling them to gain control over affected devices.
CVE-2024-49112 enables remote attackers to execute arbitrary code on a target system by sending malicious LDAP requests, while CVE-2024-49113 allows attackers to crash the LDAP service, causing a denial-of-service condition.
Malicious actors exploit the popularity of proof-of-concept (PoC) exploits by embedding malware within them; because such code is in high demand and spreads quickly, a trojanized PoC is likely to reach many victims.
They forked a legitimate Python repository and replaced the original Python files with a packed executable (poc.exe) that likely contains malicious code; an unexpected executable in a Python project is itself an indicator of potential malicious activity.
In addition to dropping and running a PowerShell script in the %Temp% folder, poc.exe also creates a scheduled job that runs an encoded script after it has executed successfully.
Following the acquisition of the victim’s public IP address, the decoded script retrieves a secondary script from Pastebin and then sends it to a remote server using the File Transfer Protocol (FTP).
The script collects system data, including computer information, running processes, selected directory contents, network details, and installed updates, and compresses it into a ZIP archive. It then uploads the archive to an external FTP server using embedded credentials.
According to Trend Micro, leveraging robust code signing, vulnerability scanning, and continuous monitoring coupled with rigorous code reviews and developer training effectively mitigates the risk of deploying malicious code from compromised repositories.
It is important to verify the origins of the code, giving official and trusted repositories priority. Scrutinize repositories for unexpected content and confirm the identity of the owner or organization to mitigate risks.
The repository analysis reveals suspicious activity, including infrequent commits, a low number of contributors and stars, and a lack of community engagement, suggesting potential malicious intent or low-quality code.
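One way to put the "scrutinize repositories for unexpected content" advice into practice is a small repository scanner, shown here as an added example that is not code from the report or the project it describes. It flags files whose content starts with a PE header regardless of extension, files outside an assumed baseline of file types for a Python project, and PE files with high byte entropy (a rough packing indicator); the baseline set, the 7.2 entropy threshold, and the sample repository it builds are all assumptions.

```python
import math
import tempfile
from pathlib import Path

# Assumed baseline for a Python PoC repository: anything outside this set is worth a look.
EXPECTED_SUFFIXES = {".py", ".md", ".txt", ".toml", ".cfg", ".json", ".yml", ".yaml"}
EXPECTED_NAMES = {"LICENSE", "Makefile", ".gitignore"}
PE_MAGIC = b"MZ"  # DOS/PE header present in every Windows executable


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted binaries usually score above ~7.2."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_repo(root: str, entropy_threshold: float = 7.2) -> list:
    """Walk a cloned repository and report files a Python project should not contain."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        data = path.read_bytes()
        reasons = []
        is_pe = data[:2] == PE_MAGIC  # content check: an extension can simply be renamed
        if is_pe or path.suffix.lower() == ".exe":
            reasons.append("PE executable")
        if path.suffix.lower() not in EXPECTED_SUFFIXES and path.name not in EXPECTED_NAMES:
            reasons.append(f"unexpected file type {path.suffix or '(no extension)'}")
        if is_pe and (ent := shannon_entropy(data)) > entropy_threshold:
            reasons.append(f"high entropy {ent:.2f}, likely packed")
        if reasons:
            findings.append({"path": path.relative_to(root).as_posix(), "reasons": reasons})
    return findings


def demo() -> list:
    """Constructed sample: a Python PoC repository whose script was swapped for a packed binary."""
    root = Path(tempfile.mkdtemp())
    (root / "README.md").write_text("# CVE-2024-49113 PoC (constructed sample)\n")
    (root / "requirements.txt").write_text("ldap3\n")
    # Fake 'poc.exe': PE magic followed by near-uniform bytes, standing in for packed code.
    (root / "poc.exe").write_bytes(PE_MAGIC + bytes(range(256)) * 16)
    return scan_repo(str(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

A hit is a prompt to inspect the file and the repository's owner, not proof of malice by itself.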