Kaspersky official blog, 6 July 2024
Pseudo-exploit for CVE-2024-6387 aka regreSSHion | Kaspersky official blog
Security researchers have found an archive of malicious code circulating on the social network X disguised as an exploit for CVE-2024-6387. The attackers are trying to lure security researchers with it. The archive actually contains some source code, malicious binaries and scripts, among them a script that simulates an exploit but really launches a malicious file which establishes persistence on the system and fetches an additional payload from a remote server. The attackers count on researchers disabling their security solutions while analysing malicious code, and use entirely different malicious code to compromise the researchers' computers.

😨 **Malicious code spread under the guise of a CVE-2024-6387 exploit**: Attackers are using the social network X to distribute an archive of malicious code disguised as an exploit for CVE-2024-6387, trying to trick security researchers. The archive claims to contain a working exploit, a list of IP addresses and some kind of payload.

🕵️ **What the archive actually contains**: The archive actually holds some source code, malicious binaries and scripts. One of them, a Python script, simulates exploitation of the servers on the IP list; in reality it launches a malicious file named "exploit", which establishes persistence on the system and fetches an additional payload from a remote server.

🛡️ **How to stay safe**: The attackers count on researchers disabling security solutions while analysing malicious code, and use different malicious code to compromise the researchers' computers. All information security specialists and anyone who likes to analyse suspicious code should therefore do so only in a securely isolated environment from which external infrastructure cannot be reached.

👮 **Kaspersky product detections**: Kaspersky products detect elements of this attack with the following verdicts: UDS:Trojan-Downloader.Shell.FakeChecker.a, UDS:Trojan.Python.FakeChecker.a, HEUR:Trojan.Linux.Agent.gen, Virus.Linux.Lamer.b, HEUR:DoS.Linux.Agent.dt.

🚨 **The regreSSHion vulnerability**: Although CVE-2024-6387 (regreSSHion) is real, exploiting it in practice is far from easy.

An archive containing malicious code is being distributed on the social network X (formerly known as Twitter), under the guise of an exploit for the recently discovered CVE-2024-6387 aka regreSSHion. According to our experts, this may be an attempt to attack cybersecurity specialists. In this post we explain what actually is in the archive and how attackers are trying to lure researchers into a trap.

The legend behind the archive

The story goes that there is a server with a working exploit for the CVE-2024-6387 vulnerability in OpenSSH, and that this server is actively using the exploit against a list of IP addresses. The archive, offered to anyone wishing to investigate this "attack", allegedly contains the working exploit, the list of IP addresses and some kind of payload.

Real contents of the malicious archive

In fact, the archive contains some source code, a set of malicious binaries and scripts. The source code looks like a slightly edited version of a non-functional proof-of-concept for this vulnerability, which was already distributed in the public domain.

One of the scripts, written in Python, simulates the exploitation of the vulnerability on the servers at the IP addresses from the list. In reality, it launches a malicious file called exploit, malware whose job is to achieve persistence on the system and to retrieve an additional payload from a remote server. The malicious code is saved as a file in the /etc/cron.hourly directory, so cron runs it every hour. To survive beyond that, it also modifies the ls binary and writes a copy of itself into it, so the malicious code runs again every time ls is launched.
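Before running any "PoC" from an archive like this, it is worth checking statically what the script actually does. The following is an added example, not code from the post or from the archive it describes: an AST-based scan of a constructed Python script, modelled on the trick described above, that loops over an IP list but never opens a socket and only ever spawns a local file named exploit. The call tables and the sample script are assumptions for illustration; a real remote exploit for an SSH server has to talk to the network somewhere.

```python
"""Static triage of a Python 'proof-of-concept' before it is ever executed.

Added example (not from the Kaspersky post or the archive it describes).
Walk the script's AST and flag calls that run local files, decode embedded
blobs, or open network connections. A "remote exploit" that executes local
files but never touches the network is the pattern described in the post.
"""
import ast

# Constructed sample resembling the fake PoC: it pretends to attack every
# host from ips.txt but only ever launches ./exploit on the analyst's box.
FAKE_POC = '''
import subprocess, time
targets = open("ips.txt").read().split()
for ip in targets:
    print(f"[*] exploiting {ip} ...")
    subprocess.Popen(["./exploit", ip])
    time.sleep(1)
'''

# Calls that execute something on the analyst's own machine (assumed table).
EXEC_CALLS = {
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "call"),
    ("subprocess", "check_output"), ("os", "system"), ("os", "popen"),
    ("os", "execv"), ("os", "execve"), ("os", "execvp"), ("os", "spawnl"),
    ("ctypes", "CDLL"),
}
# Calls commonly used to unpack an embedded payload.
DECODE_CALLS = {("base64", "b64decode"), ("zlib", "decompress"), ("marshal", "loads")}
# Calls that actually talk to the network; a genuine remote exploit needs one.
NET_CALLS = {("socket", "socket"), ("socket", "create_connection"),
             ("paramiko", "Transport"), ("paramiko", "SSHClient")}
BUILTIN_EXEC = {"exec", "eval", "compile", "__import__"}


def _dotted(node):
    """Return (module, attr) for calls like subprocess.Popen, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def _literal_args(call):
    """Collect string literals passed directly or inside a list/tuple argument."""
    out = []
    for a in call.args:
        if isinstance(a, ast.Constant) and isinstance(a.value, str):
            out.append(a.value)
        elif isinstance(a, (ast.List, ast.Tuple)):
            out += [e.value for e in a.elts
                    if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return out


def scan_poc(source):
    """Return a dict of findings (line number, call) for one script's source text."""
    tree = ast.parse(source)
    findings = {"exec": [], "decode": [], "net": [], "local_paths": []}
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        key = _dotted(node.func)
        if key in EXEC_CALLS:
            findings["exec"].append((node.lineno, ".".join(key)))
            # Record literal paths handed to the exec call: "./exploit" is the tell.
            for s in _literal_args(node):
                if s.startswith(("./", "/", "~")):
                    findings["local_paths"].append(s)
        elif key in DECODE_CALLS:
            findings["decode"].append((node.lineno, ".".join(key)))
        elif key in NET_CALLS:
            findings["net"].append((node.lineno, ".".join(key)))
        elif isinstance(node.func, ast.Name) and node.func.id in BUILTIN_EXEC:
            findings["exec"].append((node.lineno, node.func.id))
    return findings


def verdict(findings):
    """Local execution with no network activity at all is the red flag."""
    if findings["exec"] and not findings["net"]:
        return "SUSPICIOUS: executes local code, no network activity"
    if findings["decode"]:
        return "REVIEW: embedded encoded payload"
    return "no obvious local execution"


if __name__ == "__main__":
    f = scan_poc(FAKE_POC)
    print(f)
    print(verdict(f))
```

The scan is deliberately crude: it resolves only `module.attr` calls on a plain import, so `from subprocess import Popen` or aliasing would slip past it, and obfuscated scripts will not parse cleanly at all. Its value is as a first gate, run on a copy of the archive in the isolated environment, before anything from the archive is executed.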

How to Stay Safe

Apparently, the authors of the attack are counting on the fact that, when working with obviously malicious code, researchers tend to disable security solutions and focus on analyzing the exchange of data between the malware and a server vulnerable to CVE-2024-6387. Meanwhile, completely different malicious code will be used to compromise the researchers’ computers.
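If a lab host has already run such an archive, the persistence mechanism described in the previous section gives two concrete things to check. The following is an added example, not Kaspersky's tooling and not based on the samples themselves: two heuristic checks in Python, a list of executables in cron.hourly that are not on a known-good allowlist, and a scan of the ls binary for a second ELF header, which is what a prepender or appender infection typically leaves behind, plus an optional SHA-256 comparison. The fixture it builds is a constructed stand-in for an infected host; the allowlist and the known-good hash are assumed to come from a clean machine or from the package manager (`dpkg --verify coreutils` on Debian-based systems, `rpm -V coreutils` on RPM-based ones).

```python
"""Post-hoc triage for the persistence mechanism described in the post.

Added example, not Kaspersky's tooling. The post says the dropped file lands
in /etc/cron.hourly and that the malware writes a copy of itself into ls.
The checks here are generic heuristics, not indicators taken from the samples:
  1. executables in cron.hourly whose names are not on a known-good allowlist
     (assumption: the analyst builds the allowlist from a clean host);
  2. more than one ELF magic inside the ls binary, which is what a prepender or
     appender infection usually leaves behind;
  3. optionally, a SHA-256 mismatch against a known-good hash of ls.
Functions take explicit paths so they also work on a mounted disk image.
"""
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"


def suspicious_cron_entries(cron_dir, allowlist):
    """Return executable files in cron_dir that are not on the allowlist."""
    found = []
    for name in sorted(os.listdir(cron_dir)):
        path = os.path.join(cron_dir, name)
        if os.path.isfile(path) and os.access(path, os.X_OK) and name not in allowlist:
            found.append(path)
    return found


def elf_header_offsets(path):
    """Offsets of every ELF magic in the file. A clean binary has exactly [0]."""
    with open(path, "rb") as fh:
        data = fh.read()
    offsets, pos = [], data.find(ELF_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(ELF_MAGIC, pos + 1)
    return offsets


def ls_looks_infected(path, known_good_sha256=None):
    """True if ls carries extra ELF headers or no longer matches a known-good hash."""
    if elf_header_offsets(path) != [0]:
        return True
    if known_good_sha256 is None:
        return False
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() != known_good_sha256


def triage(cron_dir, ls_path, allowlist, known_good_sha256=None):
    """Combine both checks into one report dict."""
    return {
        "cron_unknown": suspicious_cron_entries(cron_dir, allowlist),
        "ls_elf_offsets": elf_header_offsets(ls_path),
        "ls_infected": ls_looks_infected(ls_path, known_good_sha256),
    }


def build_fixture():
    """Constructed sample tree mimicking an infected host (not real malware).

    Returns (cron_dir, clean_ls, infected_ls). The 'binaries' are just an ELF
    magic followed by padding; the infected one has a second magic at offset 64.
    """
    root = tempfile.mkdtemp(prefix="regresshion-triage-")
    cron = os.path.join(root, "cron.hourly")
    os.mkdir(cron)
    for name in ("0anacron", "exploit"):          # 'exploit' is the planted one
        p = os.path.join(cron, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, 0o755)
    clean = os.path.join(root, "ls.clean")
    with open(clean, "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 61)
    infected = os.path.join(root, "ls.infected")
    with open(infected, "wb") as fh:
        fh.write(ELF_MAGIC + b"\0" * 60 + ELF_MAGIC + b"\0" * 60)
    return cron, clean, infected


if __name__ == "__main__":
    cron, clean, infected = build_fixture()
    print(triage(cron, infected, allowlist={"0anacron"}))
```

Two caveats. A second ELF magic can legitimately appear in tools that embed or parse ELF files, so treat it as a lead rather than proof and confirm with the package manager's own verification. More importantly, once ls has been modified, nothing the host's own binaries report can be trusted; run checks like these against a mounted image or from a clean boot medium, not from a shell on the suspect machine.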

Therefore, we remind all information security experts and other persons who like to analyze suspicious code not to work with malware outside of a specially prepared isolated environment, from which external infrastructure is inaccessible.

Kaspersky products detect elements of this attack with the following verdicts:

UDS:Trojan-Downloader.Shell.FakeChecker.a
UDS:Trojan.Python.FakeChecker.a
HEUR:Trojan.Linux.Agent.gen
Virus.Linux.Lamer.b
HEUR:DoS.Linux.Agent.dt

As for the regreSSHion vulnerability, as we wrote earlier, its practical exploitation is far from being simple.
