Beware of Fake regreSSHion Exploit Attacking Security Researchers

An alarming new threat has emerged targeting cybersecurity researchers.

An archive containing malicious code is being distributed on the social network X, masquerading as an exploit for the recently discovered CVE-2024-6387 vulnerability, also known as regreSSHion.


This vulnerability, which affects OpenSSH, has drawn significant attention from the cybersecurity community.

However, experts warn that this archive is a trap designed to compromise the systems of those who download it.

The Legend Behind the Archive

The deceptive archive has a compelling backstory. It claims to contain a working exploit for the CVE-2024-6387 vulnerability, a list of IP addresses targeted by the exploit, and a payload used in the attacks.

According to Kaspersky reports, the story goes that a server is actively using this exploit to attack specific IP addresses, and the archive is offered to anyone interested in investigating these attacks.

This enticing offer lures cybersecurity specialists eager to analyze the exploit and understand its mechanics.


Real Contents of the Malicious Archive

Contrary to its claims, the archive contains a mix of source code, malicious binaries, and scripts.

The source code appears to be a slightly modified version of a non-functional proof-of-concept for the regreSSHion vulnerability, which is already publicly available.

One of the included Python scripts simulates exploiting the vulnerability on servers listed in the IP address file.

However, instead of performing a legitimate analysis, it launches a malicious file named “exploit.”

This malware is designed to achieve persistence in the system and retrieve additional payloads from a remote server.

It saves the malicious code in the /etc/cron.hourly directory and modifies the ls file to include a copy of itself.

This ensures the malicious code is executed repeatedly, compromising the system each time the ls command is run.
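A triage check for the two persistence locations described above, as an added example that is not from the original article or from Kaspersky. It assumes a Debian-style system (dpkg's coreutils.md5sums record) and treats a compiled ELF binary in cron.hourly as a heuristic signal; the function names are hypothetical.

```python
"""Triage for /etc/cron.hourly drops and a modified ls binary (added example)."""
import hashlib
import sys
from pathlib import Path

ELF_MAGIC = b"\x7fELF"


def elf_files_in_cron_hourly(root="/"):
    """Return names of cron.hourly entries that are ELF binaries.

    Assumption: distribution-shipped hourly jobs are normally shell
    scripts, so a compiled binary here is a heuristic flag, not proof.
    """
    cron_dir = Path(root) / "etc/cron.hourly"
    hits = []
    if cron_dir.is_dir():
        for entry in sorted(cron_dir.iterdir()):
            if entry.is_file():
                with entry.open("rb") as fh:
                    if fh.read(4) == ELF_MAGIC:
                        hits.append(entry.name)
    return hits


def ls_matches_package_db(root="/"):
    """Compare ls with the MD5 that dpkg recorded for coreutils.

    Returns True or False, or None when there is no record or no
    binary to compare (for example on a non-dpkg system).
    """
    db = Path(root) / "var/lib/dpkg/info/coreutils.md5sums"
    if not db.is_file():
        return None
    for line in db.read_text().splitlines():
        digest, _, rel = line.partition("  ")  # "<md5>  <relative path>"
        if rel in ("bin/ls", "usr/bin/ls"):
            target = Path(root) / rel
            if not target.is_file():
                return None
            return hashlib.md5(target.read_bytes()).hexdigest() == digest
    return None


if __name__ == "__main__":
    # Optional argument: root of a mounted image to inspect instead of "/".
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    print("ELF files in cron.hourly:", elf_files_in_cron_hourly(root) or "none")
    print("ls matches dpkg record:", ls_matches_package_db(root))
```

Point it at a mounted disk image from a trusted host where possible, since the dpkg database on a compromised system can be altered as well.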

Cybersecurity researchers should exercise extreme caution when downloading and analyzing files from untrusted sources, especially those shared on social media platforms.

It is crucial to verify the authenticity of any archive before opening it and to use isolated environments for analysis to prevent potential system compromise.

regreSSHion may be a significant vulnerability, but falling victim to a fake exploit could have severe consequences for researchers and their systems.


Divya is a Senior Journalist at Cyber Security news covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.