A misleading proof-of-concept (PoC) exploit for CVE-2024-49113 (also known as LDAPNightmare) on GitHub is infecting users with infostealer malware that exfiltrates sensitive data to a remote FTP server.
The tactic employed is not new, as there are several documented cases of malicious tools masquerading as PoC exploits on GitHub. This particular case, discovered by Trend Micro, shows that threat actors continue to use the tactic to trick unsuspecting users into infecting themselves with malware.
Trend Micro reports that the malicious GitHub repository contains a project that appears to be derived from SafeBreach Labs’ legitimate PoC for CVE-2024-49113, published on Jan. 1, 2025.
The vulnerability is one of two affecting the Windows Lightweight Directory Access Protocol (LDAP). Microsoft fixed it in the December 2024 Patch Tuesday. The other is a critical remote code execution (RCE) vulnerability, designated CVE-2024-49112.
Misquote
SafeBreach’s original blog post about the PoC incorrectly listed CVE-2024-49112 when in fact their PoC related to CVE-2024-49113, a less serious denial-of-service vulnerability.
Although the error was later corrected, it amplified interest in LDAPNightmare and its potential for attack, which is likely what the threat actors counted on.
Users downloading the PoC from the malicious repository receive a UPX-packed executable, poc.exe, that drops a PowerShell script in the victim’s %Temp% folder.
The script creates a scheduled task on the compromised system, which executes an encrypted script that retrieves a third script from Pastebin. This final payload collects information about the computer, running processes, directory listings, IP address and network configuration, and installed updates. It then uploads the data as a ZIP archive to a remote FTP server using hardcoded login credentials. A list of indicators of compromise for this attack is available in Trend Micro’s report.
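As an added detection example (not code from the article or from Trend Micro’s report), the following Python triage routine maps constructed endpoint telemetry onto the stages of the chain described above: a script dropped in %Temp%, a scheduled task running encoded PowerShell, a fetch from a paste site and an outbound FTP connection. The event field names, task name, destination IP and base64 blob are all hypothetical.

```python
import re

# Constructed sample telemetry modelled on the chain above (not real logs).
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Users\bob\Downloads\poc.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\a1b2.ps1"},
    {"type": "task_create", "task": r"\Updater",
     "action": "powershell.exe -w hidden -enc ZmFrZQ=="},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc ZmFrZQ==", "parent": "svchost.exe"},
    {"type": "net_connect", "image": "powershell.exe", "dest_host": "pastebin.com", "dest_port": 443},
    {"type": "net_connect", "image": "powershell.exe", "dest_host": "203.0.113.10", "dest_port": 21},
]

# A .ps1 written directly under a Temp directory.
TEMP_SCRIPT = re.compile(r"\\Temp\\[^\\]+\.ps1$", re.IGNORECASE)
# PowerShell invoked with any spelling of the encoded-command switch.
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)


def match_stages(events):
    """Return the set of chain stages observed in the telemetry."""
    stages = set()
    for ev in events:
        kind = ev["type"]
        if kind == "file_create" and TEMP_SCRIPT.search(ev["target"]):
            stages.add("script_dropped_in_temp")
        elif kind == "task_create" and ENCODED_PS.search(ev["action"]):
            stages.add("task_runs_encoded_powershell")
        elif kind == "process_create" and ENCODED_PS.search(ev["cmdline"]) \
                and ev.get("parent", "").lower() == "svchost.exe":
            # Tasks started by the Task Scheduler service are typically children of svchost.exe.
            stages.add("encoded_powershell_from_scheduler")
        elif kind == "net_connect" and ev["dest_host"].lower().endswith("pastebin.com"):
            stages.add("paste_site_fetch")
        elif kind == "net_connect" and ev["dest_port"] == 21:
            stages.add("ftp_outbound")
    return stages


def verdict(stages):
    """Escalate only when both the persistence half and the exfiltration half are present."""
    persistence = {"task_runs_encoded_powershell", "encoded_powershell_from_scheduler"}
    exfil = {"paste_site_fetch", "ftp_outbound"}
    if stages & persistence and stages & exfil:
        return "high"
    return "low" if stages else "none"


if __name__ == "__main__":
    seen = match_stages(SAMPLE_EVENTS)
    print(sorted(seen), verdict(seen))
```

Any single stage on its own is common benign activity, so the verdict requires the persistence and exfiltration halves to co-occur on the same host before escalating.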
GitHub users who rely on public exploits for research or testing should proceed with caution and preferably use only those published by cybersecurity companies and researchers in good standing.
Threat actors have tried to impersonate well-known security researchers, so validating the authenticity of repositories is also crucial.