Mauri Ransomware Exploiting Apache ActiveMQ Vulnerability

The Apache ActiveMQ Vulnerability, identified as CVE-2023-46604, was exploited by Mauri Ransomware threat actors to install CoinMiners.

Threat actors have been observed continuously launching attacks on unpatched, vulnerable Apache ActiveMQ services. Once a machine has been compromised, the threat actors can either install ransomware or steal data.

Researchers claim that the vulnerability was exploited soon after it was made public, with attacks observed against systems in Korea that involved the Andariel group, HelloKitty ransomware, and Cobalt Strike.

Additionally, tools like Ladon, Netcat, AnyDesk, and z0Miner have been used to target unpatched systems repeatedly.


Understanding The Apache ActiveMQ Vulnerability

CVE-2023-46604 is a critical remote code execution vulnerability in the Apache ActiveMQ server, an open-source message broker (messaging and integration patterns server).

The threat actor can remotely carry out malicious operations and take control of the target system if an unpatched Apache ActiveMQ server is exposed externally.

The vulnerability is exploited by manipulating the serialized class type in an OpenWire protocol message so that the server instantiates an arbitrary class that is present on its classpath.

The vulnerable server then loads an XML configuration file for that class from the path (URL) supplied in the modified packet sent by the threat actor.

“Mauri ransomware threat actors are suspected of exploiting the vulnerability, resulting in Frpc being installed by the vulnerable ActiveMQ process”, AhnLab reports.

“Upon examining the server where the malware was downloaded, various malware, legitimate tools, and class XML configuration files were found”.

FRP (Fast Reverse Proxy) is an open-source utility written in Go that works as a reverse proxy, exposing systems behind NAT or firewalls to the outside world. FRP consists of two components, the client (Frpc) and the server (Frps).

Frpc is the client component that is installed on compromised systems; it connects out to an external relay (Frps) and forwards the port of the service that needs to be exposed.

Frpc installed by an ActiveMQ process

The threat actor attempts to employ the XML files in a sequential manner. The first type inserts a backdoor account called “adminCaloX1” and runs commands to register it as an admin account and grant RDP access.

The file also contains commands that download and run Frpc together with its configuration file, providing RDP access to systems inside the private network.
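When an Frpc binary and its configuration are recovered from a compromised host, the configuration tells the responder which relay the host was connecting to and which local services were being exposed. The following triage helper is an added example, not code from the article or from the FRP project; the configuration it parses is a constructed sample in the classic frpc.ini layout (a [common] section for the relay, one section per tunnel), not the actual file from this campaign.

```python
"""Triage a recovered frpc.ini: report the relay endpoint and any exposed remote-access ports.

Added example for incident responders; the sample config below is constructed.
"""
import configparser

# Constructed sample in the classic frpc.ini format (documentation-range IP, made-up token).
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 7000
token = example-token

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

[web]
type = tcp
local_ip = 127.0.0.1
local_port = 8161
remote_port = 6001
"""

# Local ports whose exposure through a relay usually means interactive remote access.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM/HTTPS", 445: "SMB"}


def parse_frpc_ini(text):
    """Return the relay (server_addr, server_port) and a list of tunnel descriptions."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    common = cp["common"] if cp.has_section("common") else {}
    relay = (common.get("server_addr"), common.get("server_port"))

    tunnels = []
    for section in cp.sections():
        if section == "common":
            continue
        s = cp[section]
        local_port = s.getint("local_port", fallback=None)
        tunnels.append({
            "name": section,
            "type": s.get("type", "tcp"),
            "local_ip": s.get("local_ip", "127.0.0.1"),
            "local_port": local_port,
            "remote_port": s.getint("remote_port", fallback=None),
            # Label the tunnel if it exposes a well-known remote-access service.
            "service": REMOTE_ACCESS_PORTS.get(local_port),
        })
    return {"relay": relay, "tunnels": tunnels}


def exposed_remote_access(report):
    """Filter the tunnels down to those that expose a remote-access service."""
    return [t for t in report["tunnels"] if t["service"]]


if __name__ == "__main__":
    report = parse_frpc_ini(SAMPLE_FRPC_INI)
    print("relay:", report["relay"])
    for t in exposed_remote_access(report):
        print(f"tunnel {t['name']}: local {t['local_ip']}:{t['local_port']} "
              f"({t['service']}) reachable via relay port {t['remote_port']}")
```

The relay address and port from the [common] section are the values to block at the egress firewall and to search for in proxy and NetFlow logs; a tunnel whose local port is 3389 is the RDP exposure the article describes. Port 8161 in the sample is the ActiveMQ web console port, included only to show a non-remote-access tunnel.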

Backdoor Account Registration

Adding a backdoor account can be accomplished through direct command execution that exploits the ActiveMQ vulnerability, but the threat actor also employs the open-source program CreateHiddenAccount.
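The account-registration step described above leaves a recognisable trail in the Windows Security log: an account is created (event ID 4720) and, within seconds, added to a privileged local group such as Administrators or Remote Desktop Users (event ID 4732). The correlation below is an added example, not code from the article or from any vendor; the event IDs are real, but the event records are constructed samples in a simplified schema (event_id, time, account, group) rather than real log exports.

```python
"""Flag accounts that are created and granted admin or RDP group membership within minutes.

Added example; the events below are constructed samples, not log output from the incident.
"""
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created,
# 4732 = member added to a security-enabled local group.
ACCOUNT_CREATED = 4720
ADDED_TO_LOCAL_GROUP = 4732

# Groups whose membership grants admin rights or RDP logon.
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample events (simplified schema). The backdoor account name is the one
# the article reports; "svc_backup" is a benign control case added a day before its
# group change and must not be flagged.
SAMPLE_EVENTS = [
    {"event_id": 4720, "time": "2024-12-05T10:00:01", "account": "adminCaloX1", "group": None},
    {"event_id": 4732, "time": "2024-12-05T10:00:03", "account": "adminCaloX1", "group": "Administrators"},
    {"event_id": 4732, "time": "2024-12-05T10:00:04", "account": "adminCaloX1", "group": "Remote Desktop Users"},
    {"event_id": 4720, "time": "2024-12-05T11:30:00", "account": "svc_backup", "group": None},
    {"event_id": 4732, "time": "2024-12-06T09:00:00", "account": "svc_backup", "group": "Administrators"},
]


def find_backdoor_accounts(events, window=timedelta(minutes=5)):
    """Return (account, group, seconds_after_creation) for every privileged group
    membership granted within `window` of the account's creation."""
    created = {}   # account name -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == ACCOUNT_CREATED:
            created[ev["account"]] = t
        elif ev["event_id"] == ADDED_TO_LOCAL_GROUP and ev["group"] in PRIVILEGED_GROUPS:
            creation = created.get(ev["account"])
            if creation is not None and t - creation <= window:
                alerts.append((ev["account"], ev["group"], (t - creation).total_seconds()))
    return alerts


if __name__ == "__main__":
    for account, group, delay in find_backdoor_accounts(SAMPLE_EVENTS):
        print(f"ALERT: {account} added to '{group}' {delay:.0f}s after creation")
```

In a real deployment the account name comes from the 4720 TargetUserName field and the group from the 4732 TargetUserName field, with the member identified by its SID, so the join key has to be resolved from SID to name first. Because the creation here is performed by the ActiveMQ process, correlating the alert with a java.exe parent on the host gives a second, independent signal.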

Quasar RAT, an open-source RAT created with .NET, was also found installed as a backdoor.

Like most other RAT malware, it provides system management features such as process, file, and registry management, as well as remote command execution and file download and upload.

In addition, Quasar RAT includes keylogging and account information gathering features, allowing for the theft of information from user environments and real-time control over infected systems via remote desktop.

The Mauri ransomware was created for research purposes by a developer going by the moniker “mauri870.” Because the source code is openly accessible, other threat actors commonly take advantage of it.

Previously, the Mimo threat group employed Mauri ransomware in its attacks under the moniker Mimus.

Affected Versions

  • Apache ActiveMQ versions 5.18.0 – 5.18.2
  • Apache ActiveMQ versions 5.17.0 – 5.17.5
  • Apache ActiveMQ versions 5.16.0 – 5.16.6
  • Apache ActiveMQ versions 5.15.15 or earlier
  • Apache ActiveMQ Legacy OpenWire Module versions 5.18.0 – 5.18.2
  • Apache ActiveMQ Legacy OpenWire Module versions 5.17.0 – 5.17.5
  • Apache ActiveMQ Legacy OpenWire Module versions 5.16.0 – 5.16.6
  • Apache ActiveMQ Legacy OpenWire Module versions 5.8.0 – 5.15.15

To stop attacks that make use of known vulnerabilities, system administrators should verify whether the Apache ActiveMQ service they are using is one of the vulnerable versions and update to the most recent patched release to prevent malware infiltration in advance.
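Checking a broker's version against the ranges above by eye is error-prone, especially across a fleet. The script below is an added example, not code from the article or from the ActiveMQ project: it encodes the affected ranges exactly as listed in the Affected Versions section, parses a version string (or pulls one out of an ActiveMQ startup log line), and reports whether the broker falls inside an affected range. The log line it parses is a constructed sample.

```python
"""Check Apache ActiveMQ version strings against the CVE-2023-46604 affected ranges.

Added example; the ranges are those in the article's "Affected Versions" list.
"""
import re

# Affected ranges for the ActiveMQ broker, inclusive on both ends.
# "5.15.15 or earlier" is expressed with a lower bound of 0.0.0.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 15, 15)),
    ((5, 16, 0), (5, 16, 6)),
    ((5, 17, 0), (5, 17, 5)),
    ((5, 18, 0), (5, 18, 2)),
]

# The Legacy OpenWire Module is listed separately, with 5.8.0 as its lowest affected release.
LEGACY_OPENWIRE_RANGES = [
    ((5, 8, 0), (5, 15, 15)),
    ((5, 16, 0), (5, 16, 6)),
    ((5, 17, 0), (5, 17, 5)),
    ((5, 18, 0), (5, 18, 2)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed startup log line in ActiveMQ's "Apache ActiveMQ <version> (...) is starting" form.
SAMPLE_LOG_LINE = "INFO | Apache ActiveMQ 5.17.3 (localhost, ID:broker-1-12345) is starting"


def parse_version(text):
    """Turn '5.17.3' or '5.17.3-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_from_log_line(line):
    """Extract the broker version from a startup log line, or None if absent."""
    m = re.search(r"Apache ActiveMQ (\d+\.\d+\.\d+)", line)
    return m.group(1) if m else None


def is_vulnerable(version, legacy_openwire=False):
    """True if the version lies inside any affected range (tuple comparison, inclusive bounds)."""
    ranges = LEGACY_OPENWIRE_RANGES if legacy_openwire else AFFECTED_RANGES
    v = parse_version(version)
    return any(low <= v <= high for low, high in ranges)


def triage(versions, legacy_openwire=False):
    """Classify each version string as 'vulnerable', 'not affected' or 'unparseable'."""
    result = {}
    for v in versions:
        try:
            result[v] = "vulnerable" if is_vulnerable(v, legacy_openwire) else "not affected"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    found = version_from_log_line(SAMPLE_LOG_LINE)
    print(f"log line reports {found}: {triage([found])[found]}")
    for ver, status in triage(["5.15.15", "5.15.16", "5.18.2", "5.18.3", "6.0.0"]).items():
        print(f"{ver}: {status}")
```

Tuple comparison is what makes the check correct: comparing "5.18.2" and "5.18.10" as strings would give the wrong order, while (5, 18, 2) < (5, 18, 10) does not. The version alone is not the whole story, since a patched broker that still has the OpenWire port reachable from the internet remains a target for the other tooling the article lists, so exposure should be reviewed alongside the version.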

IoCs

MD5

07894bc946bd742cec694562e730bac8
25b1c94cf09076eb8ce590ee2f7f108e
2c93a213f08a9f31af0c7fc4566a0e56
2e8a3baeaa0fc85ed787a3c7dfd462e7
3b56e1881d8708c48150978da14da91e

URL

http[:]//18[.]139[.]156[.]111[:]83/Google[.]zip
http[:]//18[.]139[.]156[.]111[:]83/a[.]exe
http[:]//18[.]139[.]156[.]111[:]83/brave[.]exe
http[:]//18[.]139[.]156[.]111[:]83/c[.]ini
http[:]//18[.]139[.]156[.]111[:]83/chrome[.]exe

IP

18[.]139[.]156[.]111
