Fake Regresshion

Comment from Vladimir Kuskov, Head of Anti-Malware research at Kaspersky

As news of a newly discovered vulnerability in OpenSSH spreads, cybercriminals are intensifying their malicious activities. They are not only exploiting the bug but also targeting cybersecurity researchers analysing the issue. We've discovered that an archive containing malicious code is being distributed on the social network X (formerly known as Twitter) under the guise of an exploit for the recently discovered CVE-2024-6387, also known as regreSSHion.

The posts claim that there is a server with a working exploit for the CVE-2024-6387 vulnerability in OpenSSH. The archive, offered to anyone interested in investigating this attack, allegedly contains a working exploit, a list of IP addresses, and some form of payload. In reality, the archive includes some source code, a set of malicious binaries, and scripts. One of the scripts, written in Python, simulates the exploitation of a vulnerability on servers located at the listed IP addresses. In fact, it launches a file named 'exploit' - a piece of malware designed to achieve persistence in the system, retrieve additional payloads from a remote server, and possibly grant the attacker full control over the infected device.

This serves as a reminder to all information security experts and enthusiasts: do not analyse suspicious code outside of a specially prepared isolated environment where external infrastructure is inaccessible.

More details can be found at the Kaspersky Daily blogpost.

July 09, 2024