New ChocoPoC Malware Targets Researchers via Trojanized PoC Exploits
New ChocoPoC Malware Targets Researchers 🚨
A new threat has emerged in the cybersecurity landscape! Multiple weaponized proof-of-concept (PoC) exploits on GitHub have been discovered delivering a Python-based remote access trojan (RAT) named ChocoPoC. This malware is designed to execute commands and steal sensitive data, specifically targeting cybersecurity researchers.
How It Works 🔍
ChocoPoC is unusual because it does not embed the malware directly in the exploit file. Instead, it adds malicious Python packages to the PoC’s dependency list. These packages are hosted on the Python Package Index (PyPI), the platform developers use to share Python code. When a victim clones a malicious repository and installs its dependencies, a trojanized package named ‘frint’ is automatically fetched and installed on their system as part of the dependency resolution. This package in turn pulls a malicious dependency, ‘skytext,’ which contains a compiled native Python extension.
Once the PoC executes, the extension runs automatically, decrypting additional embedded Python code that triggers a downloader to retrieve the final payload, ChocoPoC, from a Mapbox dataset.
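The delivery chain above is a transitive one: the PoC declares an innocuous-looking package, that package declares another, and the second one ships a compiled extension that the analyst never sees in the repository. The following Python script is an added example of the pre-install audit a researcher can run against downloaded wheels before executing a PoC; it is not Sekoia's tooling or anything from the campaign. It walks the declared requirements, follows each wheel's Requires-Dist metadata to surface packages pulled in transitively, and flags any wheel that contains a native extension (.so/.pyd/.dylib). The allowlist, the helper names and the in-memory wheel fixtures (including the ones named after frint and skytext) are constructed for the example.

```python
"""Audit a PoC's Python dependency tree before installing it.

Added example (not Sekoia's tooling and not code from the campaign).
Assumptions: wheels have already been fetched, e.g. with `pip download`,
and are supplied as bytes; the allowlist and fixtures are constructed.
"""
import io
import re
import zipfile
from pathlib import PurePosixPath

NATIVE_EXT_SUFFIXES = (".so", ".pyd", ".dylib")

# Constructed allowlist: what the analyst expects a web-exploit PoC to need.
EXPECTED_PACKAGES = {"requests", "urllib3", "charset-normalizer", "idna", "certifi"}

NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def normalize(name):
    """PEP 503 style normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return normalized project names declared in a requirements.txt body."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip pip options like -r / -e
            continue
        m = NAME_RE.match(line)
        if m:
            names.append(normalize(m.group(0)))
    return names


def inspect_wheel(data):
    """Report native extension files and Requires-Dist entries found in a wheel."""
    findings = {"native_extensions": [], "requires": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if PurePosixPath(info.filename).suffix in NATIVE_EXT_SUFFIXES:
                findings["native_extensions"].append(info.filename)
            if info.filename.endswith(".dist-info/METADATA"):
                meta = zf.read(info).decode("utf-8", "replace")
                for line in meta.splitlines():
                    if line.startswith("Requires-Dist:"):
                        m = NAME_RE.match(line.split(":", 1)[1].strip())
                        if m:
                            findings["requires"].append(normalize(m.group(0)))
    return findings


def audit(requirements_text, wheels):
    """Walk declared and transitive dependencies; return (package, reason) warnings.

    `wheels` maps normalized package name -> wheel bytes. Packages without a
    wheel are still checked against the allowlist but cannot be expanded.
    """
    declared = set(parse_requirements(requirements_text))
    warnings, seen, queue = [], set(), list(declared)
    while queue:
        name = queue.pop(0)
        if name in seen:
            continue
        seen.add(name)
        if name not in EXPECTED_PACKAGES:
            how = "" if name in declared else " (pulled transitively)"
            warnings.append((name, "not in expected allowlist" + how))
        wheel = wheels.get(name)
        if wheel is None:
            continue
        found = inspect_wheel(wheel)
        for path in found["native_extensions"]:
            warnings.append((name, f"ships compiled extension {path}"))
        queue.extend(found["requires"])   # follow the chain one level deeper
    return warnings


def build_wheel(name, version, files, requires=()):
    """Construct a minimal in-memory wheel as a test fixture (not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        meta = ["Metadata-Version: 2.1", f"Name: {name}", f"Version: {version}"]
        meta += [f"Requires-Dist: {r}" for r in requires]
        zf.writestr(f"{name}-{version}.dist-info/METADATA", "\n".join(meta) + "\n")
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample input modelled on the chain described in the article.
SAMPLE_REQUIREMENTS = "requests>=2.31\nfrint  # pretty printing helper\n"
SAMPLE_WHEELS = {
    "requests": build_wheel("requests", "2.31.0", {"requests/__init__.py": ""},
                            ["urllib3", "idna", "certifi"]),
    "frint": build_wheel("frint", "0.1.0", {"frint/__init__.py": "import skytext\n"},
                         ["skytext"]),
    "skytext": build_wheel("skytext", "1.0.0", {
        "skytext/__init__.py": "",
        "skytext/_native.cpython-311-x86_64-linux-gnu.so": b"\x7fELF(constructed)",
    }),
}

if __name__ == "__main__":
    for package, reason in audit(SAMPLE_REQUIREMENTS, SAMPLE_WHEELS):
        print(f"WARNING {package}: {reason}")
```

On the constructed input the audit reports frint as an unexpected declared package and skytext both as an unexpected transitive package and as the one shipping a compiled extension, which is exactly the part of the chain a manual read of the PoC's requirements file would miss.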
Capabilities of ChocoPoC 💻
The ChocoPoC RAT has several alarming capabilities:
- Execute arbitrary shell commands and Python code
- Upload files and directories
- Collect browser passwords, cookies, autofill data, and browsing history
- Search for text files, markdown documentation files, and database files
- Gather shell history from the host
- Collect network configuration
- Enumerate running processes
Sekoia has identified at least seven PoC repositories on GitHub that distribute ChocoPoC while hosting exploits for various vulnerabilities, including ones in FortiWeb and the Joomla SP Page Builder extension. Notably, the skytext package was downloaded 2,400 times, primarily on Linux-based systems.
Previous Campaigns 🔄
Before using frint and skytext, the campaign utilized two other packages, ‘slogsec’ and ‘logcrypt.cryptography,’ which had similar source code and delivered the same ChocoPoC payload. Researchers found that credentials for two of the emails used in these campaigns appeared in leak databases, indicating a high likelihood of compromised accounts being used to publish malicious PyPI packages and PoCs.
Recommendations 🛡️
Cybersecurity professionals, especially vulnerability and penetration testers, are advised to exercise caution. It is crucial to never blindly trust GitHub repositories and to execute unverified code only in isolated environments.