Fake Proof of Concept (POC) Detection: Cyber-Attacks Targeting the InfoSec Community Exploiting Windows CVE-2022-26809 Flaw to Deliver Cobalt Strike Beacon

Researchers warn the global InfoSec community of a new malware campaign aimed to spread the infamous Cobalt Strike Beacon malware via fake Proof of Concept (POC) exploits of the newly patched Windows vulnerabilities, including the critical RCE flaw tracked as CVE-2022-26809. The public availability of fake exploits in GitHub raises the stakes exposing millions of users of the leading open source development platform to severe risks. 

Detect Fake POC Exploits Spreading Cobalt Strike Beacon Malware  

To stay protected, InfoSec practitioners continuously keep track of new security patches for critical CVEs and frequently rely on POC exploits available in such trusted platforms as GitHub, therefore, such cases of fake exploit code releases need special attention from the cyber defense perspective. SOC Prime’s Detection as Code platform curates the interests of its global cybersecurity community providing teams with detection content for critical threats even for the most tricky use cases. To identify the Cobalt Strike Beacon malware strains delivered in this latest adversary campaign that uses a fake POC of the CVE-2022-26809 flaw, explore a dedicated Sigma rule written by our seasoned Threat Bounty developer, Osman Demir:

Suspicious Fake CVE-2022-26809 Proof Of Concept Delivering Cobalt Strike by Detection of Associated User Agent [Targeting InfoSec Community] (via proxy)

This curated hunting query is compatible with 18 industry-leading SIEM, EDR, and XDR solutions and aligned with the MITRE ATT&CK® framework addressing the Application Layer Protocol (T1071) technique from the Command and Control tactic repertoire. Security practitioners can also instantly run hunts in their environment using this query via SOC Prime’s Quick Hunt module. 

To access the entire detection stack related to the CVE-2022-26809 vulnerability and tagged accordingly, click the View Detections button below. Please make sure to log into SOC Prime’s Detection as Code platform or sign up for the kickoff experience to reach the comprehensive collection of detection algorithms. Progressive Threat Hunters and Detection Engineers seeking new ways to boost their professional skills while contributing to the collaborative expertise are welcome to join the Threat Bounty Program to share their detection content with the global community and receive recurring rewards for their input.

View Detections Join Threat Bounty

Fake POC Exploits Delivering Malware: Analysis of Recent Attacks Spreading Cobalt Strike Beacon

Cyble researchers recently investigated the malicious samples hosted on the GitHub repository pointing to fake POC exploits of the Windows flaw identified as CVE-2022-26809 with CVSS score of 9.8. The CVE-2022-26809 vulnerability in the Remote Procedure Call (RPC) Runtime Library can be exploited by sending a special RPC call to the corresponding host. One month ago, Microsoft released a dedicated advisory with the details on how to address this flaw and suggested mitigations. 

The above-mentioned research also revealed another fake POC GitHub repository disguised as the CVE-2022-24500 exploit code belonging to the same adversary profile. According to the conducted analysis, threat actors (TA) used fake POCs to deliver Cobalt Strike Beacon malware to target the global cybersecurity community. The malware runs a PowerShell command to deploy the Cobalt Strike Beacon payload, which can potentially trigger an infection chain allowing attackers to execute other payloads on the compromised systems. The investigation also revealed no traces of exploits for the above-referenced Windows vulnerabilities within the malicious code hosted on GitHub. The malware simply prints fake messages displaying its attempts to exploit and run the shellcode. 

Cobalt Strike Beacon is the default malware payload actively delivered in this spring’s phishing campaigns targeting Ukrainian state bodies, including the SaintBear threat group’s cyber-attack distributing fake emails where it was part of the infection chain also involving the distribution of two other malware strains, GrimPlant and GraphSteel backdoors.

Following the best practices of cyber hygiene, InfoSec practitioners are recommended to make sure the sources to be downloaded are credible before leveraging any POCs from publicly available resources. Such sophisticated cyber-attacks with malware disguised as POC exploits emphasize the role of collaborative cyber defense, which helps boost the cybersecurity awareness across the entire InfoSec community and acts as a powerful source to confront adversary campaigns. SOC Prime’s platform turns the power of collaborative cyber defense into innovation and enables Detection-as-Code operations in action helping teams regardless of their maturity level and security toolkit in use stay ahead of attackers.