Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit

Jan. 10, 2025, 5:12 p.m.

Description

A fake proof-of-concept exploit for the LDAPNightmare vulnerability (CVE-2024-49113) is being used to distribute information-stealing malware. The malicious repository, disguised as a fork of the original author's project, contains an executable file that, when run, drops and executes a PowerShell script. This script creates a Scheduled Job that downloads and executes a further script from Pastebin. The malware collects various system information, compresses it, and exfiltrates it to an external FTP server. Because the lure rides on a trending vulnerability, the campaign could reach a large number of victims. To protect against such threats, users are advised to download only from trusted sources, be cautious of suspicious content, and review repository details (ownership, history, and file contents) carefully before running anything.

Date

  • Created: Jan. 10, 2025, 5:04 p.m.
  • Published: Jan. 10, 2025, 5:04 p.m.
  • Modified: Jan. 10, 2025, 5:12 p.m.

Attack Patterns

  • T1120 – Peripheral Device Discovery
  • T1048.003 – Exfiltration Over Unencrypted Non-C2 Protocol
  • T1053.005 – Scheduled Task/Job: Scheduled Task
  • T1059.001 – Command and Scripting Interpreter: PowerShell
  • T1012 – Query Registry
  • T1016 – System Network Configuration Discovery
  • T1082 – System Information Discovery
  • T1057 – Process Discovery
  • T1105 – Ingress Tool Transfer
  • T1083 – File and Directory Discovery
  • T1560 – Archive Collected Data