Threat Report: Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit

Threat Overview

A threat report published on the AlienVault OTX platform on January 10, 2025, drawn from Trend Micro research (linked under Resources below), describes an information-stealing malware campaign that uses a fake proof-of-concept exploit for the LDAPNightmare vulnerability (CVE-2024-49113) as its lure. The campaign shows threat actors capitalizing on a trending vulnerability: anyone searching for a working exploit for a headline CVE is a candidate victim, so the potential pool of targets is large.

Attack Details

According to the report, a malicious Git repository was created to look like a fork of the original PoC author's repository. Instead of exploit source code, it contains an executable file. When run, the executable drops and executes a PowerShell script, which creates a Scheduled Job that downloads and executes a further script from Pastebin. That second-stage script collects system information, compresses it, and exfiltrates the archive to an external FTP server. Two details matter for defenders: persistence is a PowerShell Scheduled Job rather than a plain scheduled task or registry run key, and the stager is fetched from a public paste site rather than attacker-owned infrastructure.
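The persistence step above, a PowerShell Scheduled Job whose body fetches code from Pastebin, leaves artifacts that can be hunted directly on the host. The following PowerShell script is an added hunting example written for this summary; it is not code from the Trend Micro report, the ESSGroup post, or the malware itself. It assumes it is run with administrator rights on the host being examined, and the regex patterns (download and execute primitives alongside the pastebin.com domain) are illustrative assumptions, not the report's published IOCs.

```powershell
# Added hunting example (not from the report): flag PowerShell Scheduled Jobs and
# scheduled tasks whose definition references pastebin.com or a download-and-execute
# primitive, matching the persistence chain described above.
# Assumption: run elevated; $Patterns is illustrative and not the report's IOC list.

$Patterns = @(
    'pastebin\.com',                # paste site used for the second stage (per the report)
    'Invoke-WebRequest|\biwr\b',    # assumed generic download indicators
    'DownloadString|DownloadFile',
    'Invoke-Expression|\biex\b',    # assumed generic execute-from-string indicators
    'FromBase64String'
)
$Regex = $Patterns -join '|'
$findings = @()

# 1. PowerShell Scheduled Jobs (Register-ScheduledJob) for the current user.
#    Get-ScheduledJob exposes the stored script block as the .Command property.
Import-Module PSScheduledJob -ErrorAction SilentlyContinue
foreach ($job in (Get-ScheduledJob -ErrorAction SilentlyContinue)) {
    if ($job.Command -match $Regex) {
        $findings += [pscustomobject]@{
            Type     = 'ScheduledJob'
            Name     = $job.Name
            Enabled  = $job.Enabled
            Evidence = $job.Command
        }
    }
}

# 2. Scheduled Job definitions of every local profile, read from disk. The wrapper
#    task that Windows creates for a Scheduled Job only calls LoadFromStore(), so the
#    suspicious command lives in this XML, not in the task's action string.
$defs = Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Local\Microsoft\Windows\PowerShell\ScheduledJobs\*\ScheduledJobDefinition.xml" -ErrorAction SilentlyContinue
foreach ($hit in ($defs | Select-String -Pattern $Regex)) {
    $findings += [pscustomobject]@{
        Type     = 'ScheduledJobDefinition'
        Name     = $hit.Path
        Enabled  = 'n/a'
        Evidence = $hit.Line.Trim()
    }
}

# 3. Ordinary scheduled tasks that launch PowerShell with a matching argument string.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and $cmd -match $Regex) {
            $findings += [pscustomobject]@{
                Type     = 'ScheduledTask'
                Name     = "$($task.TaskPath)$($task.TaskName)"
                Enabled  = ($task.State -ne 'Disabled')
                Evidence = $cmd
            }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No matching scheduled jobs or tasks found.' }
```

Check 2 is the one that matters for this campaign: a Scheduled Job registered by the victim's PowerShell session appears in Task Scheduler only as a generic wrapper under \Microsoft\Windows\PowerShell\ScheduledJobs\, so a task-action string search alone (check 3) will miss it. Any hit should be followed by a look at outbound FTP connections from the same host, since that is the exfiltration channel the report describes.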

Threat Actor Group

The report does not attribute the activity to a named threat actor group.

Recommended Actions

To protect against such threats, users are advised to:

* Download software and scripts from trusted sources only, and verify a repository's provenance (its fork relationship, commit history, and maintainer) against the original project rather than trusting the name alone.

* Be cautious of suspicious content and repository details. A proof-of-concept repository should contain source code; a precompiled executable where source is expected is a red flag.

* Regularly update and patch systems to prevent exploitation of known vulnerabilities, including CVE-2024-49113 itself.

Resources

The full threat report and its indicators of compromise are available at the following links (the first is the IOC list, the second the research article):

https://www.trendmicro.com/content/dam/trendmicro/global/en/research/25/a/information-stealer-masquerades-as-ldapnightmare-/ioc-information-stealer-masquerades-as-ldapnightmare-poc-exploit.txt

https://www.trendmicro.com/en_us/research/25/a/information-stealer-masquerades-as-ldapnightmare-poc-exploit.html

Status and Reliability

The report is rated completely reliable, with a confidence level of 100, and has 63 connected elements.

