Fake Windows LDAP Exploit Deploys Malware

Threat actors are trying to trick security researchers with fake PoC exploit code for a recently disclosed, high-severity Windows LDAP flaw.

Researchers are warning of a fake proof-of-concept exploit for a flaw in Microsoft’s Windows Lightweight Directory Access Protocol (LDAP), which was patched in Microsoft’s December Patch Tuesday release.

The fake exploit code is designed to trick security researchers into downloading and executing malware that steals sensitive information, said Sarah Pearl Camiling with Trend Micro in a post last week.

Key Details:

  • The fake PoC exploit is related to CVE-2024-49113, a denial-of-service flaw that enables threat actors to crash the LDAP service, resulting in service disruptions

  • The PoC exploit was found in a malicious repository. After users execute the file from the repository, a PowerShell script is dropped, which leads to an encoded script that downloads another script from Pastebin

  • The malware collects computer information, process lists, directory lists, network IPs, network adapters and installed updates, and uploads them to an external FTP server

The Background: CVE-2024-49113 is a Microsoft flaw that was disclosed last month along with a second LDAP flaw (CVE-2024-49112), a remote code execution bug that threat actors can exploit by sending specially crafted LDAP requests. Both flaws made headlines because they exist in LDAP, which is used widely in Windows environments. After the flaws were initially disclosed in December, SafeBreach released legitimate exploit code for the denial-of-service flaw and called the PoC tool “LDAPNightmare.”

“The malicious repository containing the PoC appears to be a fork from the original creator,” said Trend Micro researchers. “In this case, the original Python files were replaced with the executable poc.exe that was packed using UPX. Although the repository is seemingly normal at first glance, the presence of the executable raises suspicion due to its unexpected presence in a Python-based project.”

Why It Matters: The use of exploit code for malware lures is not new, but attackers continue to find success using this tactic. Organizations should always download code, libraries and dependencies from trusted repositories, and remain cautious of repositories with suspicious content. For instance, repositories with anomalies or signs of malicious activity in their commit history, or with very few stars, forks or contributors, should be scrutinized, said Trend Micro.
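One defensive check that follows from the Trend Micro observation above (a packed Windows executable sitting in what should be a Python-only project), written here as an added example that is not from the original article or from Trend Micro: walk a cloned repository, flag any file whose bytes are really a Windows PE image whatever extension it carries, and note whether the image shows UPX section markers. The repository layout, file names and the minimal fake PE used as sample input are constructed for the demo; the UPX test is a heuristic on section names, not an unpacker.

```python
import struct
import tempfile
from pathlib import Path
from typing import List, Optional

PE_SIGNATURE = b"PE\0\0"
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")          # section names / banner UPX leaves in the image
SOURCE_SUFFIXES = {".py", ".md", ".txt", ".toml"}   # what a Python project is expected to contain

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE

def is_upx_packed(data: bytes) -> bool:
    """Heuristic only: UPX normally leaves its section names in the packed image."""
    return any(marker in data for marker in UPX_MARKERS)

def assess_file(rel_path: Path, data: bytes) -> Optional[dict]:
    """Report a PE image regardless of extension; flag one hiding behind a source-file suffix."""
    if not looks_like_pe(data):
        return None
    return {"path": rel_path.as_posix(), "upx": is_upx_packed(data),
            "disguised": rel_path.suffix.lower() in SOURCE_SUFFIXES}

def scan_repo(root: Path) -> List[dict]:
    """Walk a checked-out repository (skipping .git) and collect every PE finding."""
    files = sorted(p for p in root.rglob("*") if p.is_file() and ".git" not in p.parts)
    findings = (assess_file(p.relative_to(root), p.read_bytes()) for p in files)
    return [f for f in findings if f is not None]

def build_demo_repo(root: Path) -> None:
    """Constructed sample: a Python tool beside a minimal fake UPX-marked 'poc.exe' (not a real binary)."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "ldap_tool.py").write_text("print('python tool')\n")
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> offset 0x40
    (root / "poc.exe").write_bytes(dos_stub + PE_SIGNATURE + b"\0" * 20 + b"UPX0" + b"UPX1")

def run_demo() -> List[dict]:
    """Build the constructed repository in a temp dir and scan it."""
    repo = Path(tempfile.mkdtemp()) / "repo"
    build_demo_repo(repo)
    return scan_repo(repo)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Point `scan_repo` at a real clone to review it before running anything from it; a `disguised` hit (a PE image named like a source file) deserves the same scrutiny as a bare `.exe`.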

“Although the tactic of using PoC lures as [a] vehicle for malware delivery is not new, this attack still poses significant concerns, especially since it capitalizes on a trending issue that could potentially affect a larger number of victims,” according to Trend Micro.