FOCUS MODE
EXTRACT IOC
Threat Research

LDAPNightmare Spoof Stealer

K7computing
LDAPNightmare Spoof Stealer
This article discusses a proof-of-concept exploit related to CVE-2024-49112 published by Safebreach Labs. Due to a typographical error, the exploit was incorrectly labeled as CVE-2024-49113, which allowed threat actors to create a malicious GitHub repository falsely claiming to host the original exploit. The article highlights the security risks associated with such errors and provides insights into the malware’s behavior, including data collection and FTP uploads. Affected: CVE-2024-49112, CVE-2024-49113, GitHub, FTP servers

Keypoints :

  • Safebreach Labs published a POC exploit for CVE-2024-49112 on January 1, 2025.
  • A typographical error led to incorrect attribution to CVE-2024-49113.
  • Threat actors exploited this error by creating a malicious GitHub repository.
  • The malicious file masqueraded as the legitimate POC exploit.
  • The crafted file was first detected in the wild on January 6, 2025.
  • The file was packed with UPX and executed a PowerShell script with admin privileges.
  • The PowerShell script collected sensitive information from the victim’s device.
  • Data from the victim was uploaded to an external FTP server.
  • A scheduled job was created to run the malware daily at 10:00 AM with elevated permissions.
  • Recommendations include using reputable security products to safeguard against such threats.

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: FTP used to exfiltrate data.
  • T1059.001 – Command and Scripting Interpreter: PowerShell script executed with admin privileges.
  • T1070.001 – Indicator Removal on Host: Scheduled task created to maintain persistence.
  • T1036.004 – Masquerading: File disguised as a legitimate POC exploit.
  • T1078.001 – Valid Accounts: Use of hardcoded credentials for FTP uploads.

Indicator of Compromise :

  • [URL] https://github.com/YoonJae-rep/CVE-2024-49113/raw/refs/heads/main/poc.exe
  • [URL] http://pastebin.com/raw/9TxS7Ldc
  • [MD5] 8A159707810806A8FAEF802D10036883
  • [MD5] 315F561E0CDDE12F8160D1B30904E618
  • [MD5] 7DD4A1BEC8B624F5C93AD6630738E07F

Full Story: https://labs.k7computing.com/index.php/ldapnightmare-spoof-stealer/

Tags: CVE, WINDOWS, COLLECTION, PERSISTENCE, EXPLOIT