AI Security AI安全 8d ago Updated 8d ago 更新于 8天前 46

New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos 新型ChocoPoC RAT通过伪造PoC漏洞利用仓库针对漏洞研究人员

ChocoPoC is a Remote Access Trojan (RAT) disguised within Python proof-of-concept (PoC) repositories on GitHub, specifically targeting vulnerability researchers. The malware utilizes a sophisticated supply chain attack by hiding in indirect dependencies (`frint` and `skytext`) to evade standard code reviews and static analysis. Command and Control (C2) communications are obfuscated using Mapbox datasets via DNS-over-HTTPS and domain fronting to blend in with legitimate traffic. The campaign targ ChocoPoC 是一种针对漏洞研究人员的高级恶意软件,通过伪装成热门 CVE 的 Python PoC 代码在 GitHub 上分发。 攻击者利用依赖注入技术,将恶意代码隐藏在 `frint` 和 `skytext` 等第三方包中,从而绕过快速代码审查。 该木马具备完整的远程访问功能,可窃取浏览器凭证、文件及系统信息,并利用 Mapbox 地图数据作为隐蔽的命令与控制(C2)信道。 攻击者利用研究人员在重大漏洞曝光时的时间压力心理,已发现至少七个关联高危漏洞的虚假仓库,且下载量随漏洞公开激增。 检测难度在于恶意载荷具有环境感知能力,仅在检测到真实 PoC 文件时才激活,导致传统沙箱分析容易漏

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • ChocoPoC is a Remote Access Trojan (RAT) disguised within Python proof-of-concept (PoC) repositories on GitHub, specifically targeting vulnerability researchers.
  • The malware utilizes a sophisticated supply chain attack by hiding in indirect dependencies (frint and skytext) to evade standard code reviews and static analysis.
  • Command and Control (C2) communications are obfuscated using Mapbox datasets via DNS-over-HTTPS and domain fronting to blend in with legitimate traffic.
  • The campaign targets high-value assets by compromising researchers who handle sensitive credentials and unpatched exploits, posing a significant secondary risk to security frameworks.

Why It Matters

This incident highlights a critical shift in threat vectors where social engineering exploits the professional urgency of security researchers to test new vulnerabilities. By embedding malware in trusted-looking dependency chains, attackers bypass traditional perimeter defenses and code auditing practices, demonstrating that the software supply chain remains a primary attack surface even for security professionals.

Technical Details

  • Delivery Mechanism: Attackers publish fake PoC repositories for high-profile CVEs (e.g., FortiWeb, React2Shell). Users running pip install inadvertently download malicious packages frint and skytext.
  • Evasion Techniques: The malware includes a compiled component (gradient.so/.pyd) that remains dormant unless it detects the presence of the specific PoC file (e.g., EXPLOIT_POC.py), allowing it to evade sandbox detonation without the full context.
  • Data Exfiltration: ChocoPoC harvests browser data (passwords, cookies, history) from major browsers, local files, shell history, and network configurations.
  • C2 Infrastructure: Commands are retrieved from Mapbox datasets using DNS-over-HTTPS and domain fronting to mimic legitimate API calls, while larger data uploads are sent to a dedicated IP address.

Industry Insight

  • Dependency Auditing Rigor: Security teams must enforce strict auditing of all indirect dependencies in PoC environments, not just the primary script, as malicious code can be buried deep in the package tree.
  • Operational Security for Researchers: Vulnerability researchers should treat all external PoC code as potentially hostile and utilize isolated, ephemeral virtual machines with network segmentation to prevent credential theft and lateral movement.
  • Supply Chain Risk Management: Organizations relying on community-driven detection frameworks (like Nuclei) must implement verification protocols for third-party modules to prevent poisoned tools from being distributed to wider user bases.

TL;DR

  • ChocoPoC 是一种针对漏洞研究人员的高级恶意软件,通过伪装成热门 CVE 的 Python PoC 代码在 GitHub 上分发。
  • 攻击者利用依赖注入技术,将恶意代码隐藏在 frintskytext 等第三方包中,从而绕过快速代码审查。
  • 该木马具备完整的远程访问功能,可窃取浏览器凭证、文件及系统信息,并利用 Mapbox 地图数据作为隐蔽的命令与控制(C2)信道。
  • 攻击者利用研究人员在重大漏洞曝光时的时间压力心理,已发现至少七个关联高危漏洞的虚假仓库,且下载量随漏洞公开激增。
  • 检测难度在于恶意载荷具有环境感知能力,仅在检测到真实 PoC 文件时才激活,导致传统沙箱分析容易漏报。

为什么值得看

这篇文章揭示了针对安全研究社区的新型供应链攻击手法,展示了攻击者如何利用社会工程学和技术隐蔽性双重手段突破防御。对于 AI 和安全从业者而言,理解这种“依赖污染”与“环境感知”结合的恶意软件行为模式,有助于优化自动化代码审计工具和威胁情报监测策略。

技术解析

  • 隐蔽传播机制:恶意代码不直接存在于主 PoC 脚本中,而是通过 pip install 拉取的依赖包 frint 引入次级包 skytextskytext 包含编译后的二进制文件(Linux 下的 gradient.so 或 Windows 下的 gradient.pyd),实现了代码混淆和静态分析规避。
  • 环境感知触发:恶意模块启动后会检查是否存在名为 EXPLOIT_POC.py 的文件。只有当真实 PoC 存在时,才会解压并执行后续载荷。这一设计使得单独分析恶意包或在无上下文沙箱中运行无法触发警报。
  • 隐蔽 C2 通信:控制指令通过 Mapbox 地图数据集进行隐藏传输,利用 DNS-over-HTTPS 和域名前置(Domain Fronting)技术,使流量看起来像正常的地图 API 调用。大文件上传则指向独立服务器 IP。
  • 数据窃取范围:作为 RAT,ChocoPoC 能够提取 Chrome、Brave、Edge 和 Firefox 中的密码、Cookie 和历史记录,同时收集本地文本文件、数据库、Shell 历史及进程列表,并支持任意命令执行。
  • 代码特征:代码中包含西班牙语命令命名和一些手写痕迹明显的 Bug,研究人员据此判断其为人工编写而非 AI 生成,且该活动与前期的 slogseclogcrypt.cryptography 活动由同一攻击者实施。

行业启示

  • 重构代码信任模型:安全研究人员和开发者必须摒弃“PoC 即无害”的思维定势,任何来自非官方或新账户的代码都应视为潜在威胁,需进行严格的依赖链审计而非仅查看主脚本。
  • 强化供应链监控:由于攻击者可能通过污染研究人员进而影响下游框架(如 Nuclei、MDUT),企业和安全厂商需加强对第三方库和工具链的完整性校验,防范双重供应链投毒风险。
  • 改进威胁检测策略:传统的静态分析和孤立沙箱检测已不足以应对此类环境感知型恶意软件,需要结合动态行为监控、网络流量异常检测(如 Mapbox API 的异常使用)以及依赖关系图谱分析来提升检出率。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Research 科学研究