Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit

    Date: 01/10/2025

    Severity: Medium

    Summary

    In December 2024, Microsoft patched two critical vulnerabilities in the Windows Lightweight Directory Access Protocol (LDAP) service, one of which is CVE-2024-49113, a denial-of-service (DoS) vulnerability. A fake proof-of-concept (PoC) exploit for CVE-2024-49113, known as LDAPNightmare, has been used to lure security researchers into downloading and executing information-stealing malware. Using PoC lures to deliver malware is not new, but this campaign is notable because it trades on a widely impactful vulnerability, which increases the likely number of victims.

    Indicators of Compromise (IOC) List

    URL/Domain

    ftp://ftp.drivehq.com/wwwhome/

    ftp://ftpupload.net/htdocs

    https://pastebin.com/raw/9TxS7Ldc

    Hash

    ef4ba8eef919251f7502c7e66926bb3a5422065b
    
    d4a35487b95cc2b44395047717358bb2863a5311

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "ftp://ftp.drivehq.com/wwwhome/" or url like "ftp://ftp.drivehq.com/wwwhome/" or userdomainname like "ftp://ftpupload.net/htdocs" or url like "ftp://ftpupload.net/htdocs" or userdomainname like "https://pastebin.com/raw/9TxS7Ldc" or url like "https://pastebin.com/raw/9TxS7Ldc" 

    Detection Query 2

    sha1hash IN ("d4a35487b95cc2b44395047717358bb2863a5311","ef4ba8eef919251f7502c7e66926bb3a5422065b")
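    The two detection queries above expressed as a small offline checker, as an added example that is not part of the original advisory or Gurucul's product. It runs the same URL/domain and SHA-1 matching over constructed newline-delimited JSON events (field names `userdomainname`, `url` and `sha1hash` are taken from the queries; the `host` field and the sample events are assumptions). The URL match is a case-insensitive substring test, slightly broader than the wildcard-free `like` in Query 1, and hashes are compared case-insensitively.

```python
import json
from typing import Any, Dict, Iterable, List

# Indicators copied from the IOC list in this advisory.
IOC_URLS = {
    "ftp://ftp.drivehq.com/wwwhome/",
    "ftp://ftpupload.net/htdocs",
    "https://pastebin.com/raw/9TxS7Ldc",
}
IOC_SHA1 = {
    "ef4ba8eef919251f7502c7e66926bb3a5422065b",
    "d4a35487b95cc2b44395047717358bb2863a5311",
}


def matches_query_1(event: Dict[str, Any]) -> bool:
    """Detection Query 1: userdomainname or url carries one of the IOC URLs.
    Substring match so an indicator embedded in a longer URL still fires."""
    for field in ("userdomainname", "url"):
        value = str(event.get(field, "")).lower()
        if value and any(ioc.lower() in value for ioc in IOC_URLS):
            return True
    return False


def matches_query_2(event: Dict[str, Any]) -> bool:
    """Detection Query 2: sha1hash is one of the known-bad samples.
    Normalised to lowercase because telemetry sources differ in hash case."""
    return str(event.get("sha1hash", "")).strip().lower() in IOC_SHA1


def scan_events(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Apply both queries to NDJSON events; return hits tagged with the query
    that fired. Malformed lines are skipped rather than aborting the scan."""
    checks = (("query1", matches_query_1), ("query2", matches_query_2))
    hits: List[Dict[str, Any]] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        fired = [name for name, check in checks if check(event)]
        if fired:
            hits.append({"event": event, "queries": fired})
    return hits


# Constructed sample telemetry for illustration only (assumption, not real logs).
SAMPLE_LOG = """{"host": "ws-01", "url": "ftp://ftp.drivehq.com/wwwhome/poc.zip", "sha1hash": ""}
{"host": "ws-02", "userdomainname": "intranet.example.local", "sha1hash": "D4A35487B95CC2B44395047717358BB2863A5311"}
{"host": "ws-03", "url": "https://example.com/", "sha1hash": "0000000000000000000000000000000000000000"}
this line is not JSON and is skipped"""
```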

    Reference:

    https://www.trendmicro.com/en_us/research/25/a/information-stealer-masquerades-as-ldapnightmare-poc-exploit.html

    Tags

    CVE-2024, Malware, LDAPNightmare, Exploit

