Security experts have uncovered a new threat targeting vulnerability researchers: the ChocoPoC malware. This data-stealing trojan masquerades as legitimate exploit code on GitHub, specifically targeting those involved in bug hunting. The malware, found in Python proof-of-concept (PoC) repositories, exploits recently disclosed CVEs to lure unwary researchers.
How ChocoPoC Operates
Once a researcher runs the seemingly harmless PoC, the malware activates, extracting sensitive data such as passwords, cookies, and files. It also grants attackers remote access to the victim’s machine. The findings, published by YesWeHack and Sekoia on July 1, indicate that the malware and its servers are still operational, warning researchers to avoid running these PoCs.
The ChocoPoC threat is cleverly concealed within a Python package dependency. The visible PoC appears clean, while the malicious code hides in a package that the PoC installs, bypassing quick code inspections.
The Mechanism of Attack
The attackers exploit the urgency with which researchers test new flaws. When a significant vulnerability is disclosed, researchers rush to test its impact using community-provided PoCs. This campaign takes advantage of such habits, turning them into infection vectors.
The malware’s deployment involves cloning a repository and executing a pip install command to fetch dependencies. This process includes a package named ‘frint,’ which subsequently brings in another package, ‘skytext.’ The latter carries a compiled file that activates when the PoC is executed, delivering the trojan payload.
Impact and Spread
ChocoPoC is a full-fledged remote access trojan capable of stealing various types of data from browsers and local storage. It can execute arbitrary commands, slow down its activities to remain undetected, and send data to external servers disguised as normal API calls.
YesWeHack and Sekoia identified at least seven fake PoC repositories associated with high-profile vulnerabilities. The ‘skytext’ package alone has been downloaded around 2,400 times, predominantly on Linux systems, paralleling the rise of new CVEs.
Previous campaigns utilizing similar tactics have been linked to the same threat actor. These campaigns have involved different packages and techniques but share control markers, suggesting a consistent operator.
Steps for Protection
Researchers are advised to exercise caution by treating all PoCs as potentially malicious. It’s crucial to examine the entire dependency chain and avoid new or unknown accounts. Testing should be conducted in isolated environments, though this alone may not prevent infection.
Security teams should check systems for any signs of ‘frint,’ ‘skytext,’ ‘slogsec,’ and ‘logcrypt.cryptography’ packages, and monitor for specific file hashes mentioned in reports. If any of these are detected, immediate credential rotation and host rebuilding are recommended.
The larger risk lies in the potential for a double supply chain attack, where compromised researchers inadvertently spread malicious code through widely trusted frameworks. Vigilance and thorough vetting of code sources are essential to mitigate this threat.
