New ChocoPoC trojan targets security researchers with fake exploit code

The Hacker News reports that attackers are distributing a data-stealing trojan, known as ChocoPoC, disguised as legitimate exploit code within Python proof-of-concept (PoC) repositories on GitHub. These fake repositories claim to exploit newly discovered vulnerabilities (CVEs), luring security researchers into downloading and running malicious code, according to a joint report by YesWeHack and Sekoia.

ChocoPoC operates by hiding its malicious payload in a Python package that the seemingly harmless PoC code pulls in as a dependency. Because the repository's own code looks benign and the malicious logic lives in the dependency, the technique lets the malware slip past casual code review. When a researcher clones a repository and installs the PoC's requirements, packages including "frint" and "skytext" are installed. The "skytext" package contains a compiled file that executes when the PoC is run, unpacking the trojan.
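The dependency-hiding technique described above suggests a simple pre-install check a researcher can run on a cloned PoC repository before touching `pip install`. The script below is an added example and is not code from The Hacker News, YesWeHack or Sekoia; the only indicators taken from the report are the package names "frint" and "skytext". It parses a `requirements.txt`, flags those known-bad names, unpinned requirements, and any index-override options, and separately flags compiled (non-source) files in a package's file listing, since the report says the payload arrives as a compiled file rather than reviewable Python source. The sample requirements text and file listing are constructed for the demonstration and do not reproduce the real repositories' contents.

```python
"""Pre-install triage of a PoC repository's Python dependencies.

Added illustration, not code from the report or the projects it names.
Known-bad package names come from the ChocoPoC reporting; everything
else (sample requirements, sample file listing) is constructed here.
"""
from __future__ import annotations

import re
from pathlib import Path

# Package names the reporting identifies as ChocoPoC droppers.
KNOWN_BAD = {"frint", "skytext"}

# Suffixes that mean a package ships something other than reviewable source.
COMPILED_SUFFIXES = {".pyc", ".pyd", ".so", ".dll", ".dylib", ".exe"}

# Requirement line: name, optional [extras], then the remaining specifier.
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")


def normalize_name(name: str) -> str:
    """PEP 503 normalization so 'SkyText' and 'sky_text' compare as 'skytext'/'sky-text'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> tuple[list[tuple[str, str]], list[str]]:
    """Return ([(normalized_name, specifier), ...], [option lines]) from requirements text."""
    reqs: list[tuple[str, str]] = []
    options: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("-"):  # pip options such as --index-url or -r
            options.append(line)
            continue
        m = REQ_LINE.match(line)
        if m:
            reqs.append((normalize_name(m.group(1)), m.group(3).strip()))
    return reqs, options


def triage_requirements(text: str) -> dict[str, list[str]]:
    """Flag known-bad names, unpinned requirements and index overrides."""
    findings: dict[str, list[str]] = {"known_bad": [], "unpinned": [], "index_override": []}
    reqs, options = parse_requirements(text)
    for name, spec in reqs:
        if name in KNOWN_BAD:
            findings["known_bad"].append(name)
        if not spec.startswith("=="):  # anything but an exact pin can float to a new upload
            findings["unpinned"].append(name)
    for opt in options:
        if opt.startswith(("--index-url", "-i ", "--extra-index-url", "--find-links", "-f ")):
            findings["index_override"].append(opt)
    return findings


def compiled_artifacts(paths: list[str]) -> list[str]:
    """Return the files in a package listing that are compiled rather than source."""
    return sorted(p for p in paths if Path(p).suffix.lower() in COMPILED_SUFFIXES)


# Constructed sample input; not the contents of any real ChocoPoC repository.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the demo
requests==2.31.0
frint
SkyText>=1.0
--extra-index-url https://mirror.example.invalid/simple
"""

# Constructed file listing for an installed package (e.g. from `pip show -f`).
SAMPLE_LISTING = [
    "skytext/__init__.py",
    "skytext/_core.cpython-311-x86_64-linux-gnu.so",
    "skytext/util.py",
]

if __name__ == "__main__":
    report = triage_requirements(SAMPLE_REQUIREMENTS)
    for key, items in report.items():
        print(f"{key}: {items}")
    print("compiled artifacts:", compiled_artifacts(SAMPLE_LISTING))
```

Run it against a real clone by reading the repository's `requirements.txt` into `triage_requirements` and feeding the output of `pip show -f <package>` into `compiled_artifacts`; a hit in `known_bad`, an index override, or a compiled file in a package that has no reason to ship native code is a reason to inspect the dependency before executing the PoC at all.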

Once active, ChocoPoC steals saved passwords, browser cookies, and various files from browsers like Chrome, Brave, Edge, and Firefox. It also gathers shell history, network settings, and can execute arbitrary shell commands on the compromised machine. The malware communicates with its command-and-control servers using a domain-fronting technique, making its traffic appear as legitimate Mapbox API calls.

Researchers at YesWeHack and Sekoia identified at least seven fake PoC repositories linked to high-profile CVEs, with the "skytext" package alone downloaded approximately 2,400 times. This campaign poses a significant risk as it targets security researchers, potentially leading to a double supply chain attack if compromised code is integrated into widely used security frameworks.

Source: The Hacker News
