Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)

by Prapattimynk, Monday, 27 November 2023 (6 months ago)
Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)


While monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) has discovered the attack case in which the group is assumed to be exploiting Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware.

The Andariel threat group usually targets South Korean companies and institutions, and the group is known to be either in a cooperative relationship of the Lazarus threat group, or a subsidiary group of Lazarus. Their attacks against South Korea were first identified in 2008, and their main targets include national defense, political organizations, shipbuilding, energy, and telecommunications. South Korean companies and institutions besides these that were targeted include universities, logistics, and ICT companies. [1] (This link is only available in Korean.)

The Andariel threat group has been employing spear phishing, watering hole, and supply chain attacks from the past [2]. Recently, cases have been identified where the group exploits a Log4Shell vulnerability [3], target poorly managed MS-SQL servers, or abuse legitimate software. [4]

There are no direct logs as of now, but it is assumed that the Andariel group is exploiting a remote code execution vulnerability in Apache ActiveMQ servers to install NukeSped and TigerRat backdoors. This post will provide a summary on the cases of attacks against Apache ActiveMQ servers, and the grounds on which the Andariel group is suspected of abusing these in attacks.

1. Cases of Attacks Exploiting Apache ActiveMQ Vulnerability

CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ, an open-source messaging and integration pattern server. If an unpatched Apache ActiveMQ server is exposed externally, the threat actor can execute malicious commands remotely and take control over the system.

Various threat actors have been exploiting this to install malware after information on this vulnerability was revealed. One major example is the case of HelloKitty ransomware attacks covered by Rapid7. [5] This case was also discovered in the AhnLab Smart Defense (ASD) logs, which means that systems in South Korea are also becoming targets of the CVE-2023-46604 vulnerability attacks.

Figure 1. Logs of attempting to install HelloKitty ransomware

While monitoring attacks by the Andariel group, ASEC found NukeSped, a backdoor that the Andariel group has been using from the past, being installed in a certain system. Investigations revealed that Apache ActiveMQ server was installed in this system, and it was confirmed that there were various attack logs from late October when information on the CVE-2023-46604 vulnerability was released, including those involving the HelloKitty ransomware.

Figure 2. Various attack logs found in the infected system

The threat actor used the following malicious Java class file during the vulnerability attack process. This malware ultimately downloads and installs an additional payload in Windows or Linux environments. This malware also appeared in a case in a recent report by Huntress. [6]

Figure 3. Malicious Java class file that acts as a downloader

Aside from these known attacks, CobaltStrike and Metasploit Meterpreter’s Stager installation logs were also found. Based on these evidences, it can be assumed that although it has not been long since information regarding the CVE-2023-46604 vulnerability was revealed, unpatched systems are becoming targets of numerous attacks in such a short time period.

Figure 4. Metasploit Meterpreter’s Stager installation log

Figure 5. CobaltStrike Beacon configuration data by CobaltStrikeParser [7]

2. NukeSped Malware – Andariel Group

2.1. Circumstances of an Attack Exploiting CVE-2023-46604 Vulnerability

While analyzing systems in which various Apache ActiveMQ were attacked, a system with the Nukesped backdoor used by the Andariel group was found. Although there were no direct logs showing that NukeSped was installed through exploitation of the CVE-2023-46604 vulnerability, there is a possibility that the Andariel group exploited CVE-2023-46604 vulnerability for the attack, considering that no other attacks were confirmed except for the exploiting one and that the malware installation log was confirmed while the attack was ongoing.

The analyzed system had repeatedly became a target of attacks since late October when the first attack which exploited the CVE-2023-46604 vulnerability was discovered. In particular, seeing that HelloKitty ransomware, mentioned in the Rapid7 report, and that a downloader mentioned in a Huntress report were detected together, it is deemed to be a vulnerable Apache ActiveMQ server. While no specific malware was mentioned in the Huntress report, a case was covered where a malicious payload was installed from the URL “hxxp://27.102.128[.]152:8098/bit[.]ico” through exploitation of the CVE-2023-46604 vulnerability.

This address, covered in a past Blog post, corresponds to the URL where TigerRat was downloaded from. It is also the address where the “oracle” malware in the following log was downloaded from, as well as being the C&C server URL. While the malware files were not collected, TigerRat was installed under the names “rang.exe” and “load.exe”.

Figure 6. URL used to install TigerRat

Of course, the Andariel group often used disclosed vulnerabilities such as the Log4Shell and TeamCity vulnerabilities [8] in its attacks in the past.

2.2. NukeSped Backdoor

NukeSped is a backdoor that can control the infected system through commands received from the C&C server. This is usually used by the Lazarus and Andariel groups to control infected systems. The NukeSped used in the attacks is similar to “NukeSped Variant – Type 1” covered in the past Blog post, “Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)”.

The NukeSped version used in the recent attacks only support three commands: downloading files, executing commands, and terminating running processes. Although the NukeSped in previous attack cases supported a much wider range of commands, aside from this, most features are the same.

Like typical NukeSped types, all the API addresses and strings to be used are encrypted, then decrypted and used at runtime. The encryption method is a 1-byte XOR algorithm with the key value 0xA1. Besides 0xA1, in past attack cases, key values 0x97 and 0xAB were also used.

Figure 7. XOR-encrypted string using the 0xA1 key

When NukeSped first connects to the C2, it sends a HTTP request in the following format.

Figure 8. Packet upon the first connection to the C&C server

HTTP Request HeaderValueDescription
Sec-Fetch-Mode10 (0x0A)Initial connection
Sec-Fetch-UserS-[Computer Name]Computer name of the infected system
Sec-Fetch-Dest01Initial connection

Table 1. Format upon the first connection to the C&C server

Afterwards, an HTTP response is received from the C&C server, and each of the strings in the following table are checked. If any string exists in the response, the value of “Sec-Fetch-Mode:” is recognized as a command and subsequent routines are executed.

HTTP Response HeaderDescription
“HTTP/1.1 200 OK
Content-Type: text/html
Default response format
“Sec-Fetch-Mode:”Command
“Content-Length:”Command length

Table 2. Format of commands received from the C&C server

The following three commands are supported. The only actual available actions are downloading files from the C&C server, executing commands received from the C&C, and returning their results.

CommandFeature
30 (0x1E)Downloading files
33 (0x21)Executing commands and returning their results
34 (0x22)Terminating running processes

Table 3. Commands supported by NukeSped

During the initial communication with the C&C server, the POST method was used, but a GET method disguised as being for visiting Google was used to transmit the results of executing commands received from the C&C and any command execution failure messages.

Figure 9. Response packet with a command execution failure message

Sec-Fetch-ModeDetails
10 (0x0A)Initial connection
30 (0x1E)Command execution results
35 (0x23)Command execution failure message

Table 4. Format when sending the command execution results

When a connection to the C&C server is not established properly, auto-deletion is executed by using a batch file, which is similar to that of ordinary NukeSped backdoors. The batch file used for auto-deletion is created in the “%TEMP%uninst.bat” path.

Figure 10. Batch file used for auto-deletion

3. Conclusion

Along with the Kimsuky and Lazarus groups, the Andariel group is one of the threat groups that actively target South Korea. They attempted attacks to gain information related to national security in the early days but they now attempt attacks for financial gains as well. [8] (This report supports Korean only for now.) Although they mostly use spear phishing or watering hole attacks for initial infiltration, there are also cases where the group exploit vulnerabilities such as Log4Shell or TeamCity to install malware. Recently, there have been evidences of exploiting Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware.

Users should be cautious with the attachments of emails and executable files downloaded from unknown sources, and corporate security personnel should enhance asset management programs and apply patches if there are security vulnerabilities in the program. Users should also apply the latest patch for OS and programs such as internet browsers, and update V3 to the latest version to prevent such malware infection in advance.

File Detection
– Trojan/Win32.Dynamer.R162477 (2015.08.19.00)
– Trojan/Win64.CobaltStrike.R356638 (2020.11.26.05)
– Backdoor/Win.NukeSped.C5542399 (2023.11.16.01)
– Trojan/Win.Generic.C5483470 (2023.09.08.03)
– Trojan/Win.Generic.C5532844 (2023.10.28.01)
– Backdoor/Win.TigerRAT.C5517634 (2023.10.19.03)
– Trojan/CLASS.Agent (2023.11.03.00)
– Dropper/MSI.Agent (2023.11.17.03)

Behavior Detection
– Malware/MDP.Download.M1900
– Ransom/MDP.Command.M2255

IOC
MD5
– 7699ba4eab5837a4ad9d5d6bbedffc18: NukeSped (credisvc.exe)
– c2f8c9bb7df688d0a7030a96314bb493: TigerRat (load.exe, rang.exe)
– 478dcb54e0a610a160a079656b9582de: HelloKitty Installer
– 26ff72b0b85e764400724e442c164046: HelloKitty Ransomware
– 4eead95202e6a0e4936f681fd5579582: Java Downloader
– 160f7d2307bbc0e8a1b6ac03b8715e4f: Java Downloader
– 11ec319e9984a71d80df1302fe77332d: Downloader (agent_w.exe)
– dc9d60ce5b3d071942be126ed733bfb8: Downloader (agent_w.exe)
– beb219abe2ba5e9fd7d51a178ac2caca: Metasploit Meterpreter Stager
– c55eb07ef4c07e5ba63f7f0797dfd536: CobaltStrike Installer (Notification.msi)
– 31cbc75319ea60f45eb114c2faad21f9: CobaltStrike (Notification.exe)

C&C Server
– 27.102.114[.]215:8000: NukeSped
– 137.175.17[.]221:48084: Downloader
– 137.175.17[.]172:41334: Downloader
– 176.105.255[.]60:49407: Metasploit Meterpreter Stager
– hxxps://206.166.251[.]186/jquery-3.3.1.min.js: CobaltStrike

Download URLs
– hxxp://137.175.17[.]221:1443/ac.jar: Java Downloader
– hxxp://137.175.17[.]172:1443/ac3.jar: Java Downloader
– hxxp://137.175.17[.]221:1443/agent: Downloader (Linux)
– hxxp://137.175.17[.]221:1443/agent_w: Downloader (Windows)
– hxxp://137.175.17[.]172:1443/agent: Downloader (Linux)
– hxxp://137.175.17[.]172:1443/agent_w: Downloader (Windows)
– hxxp://176.105.255[.]60/Xdw0FFtpuYWSLrVcAei5zg: Metasploit Meterpreter Stager
– hxxp://168.100.9[.]154:9090/Notification.msi: CobaltStrike Installer

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Comments

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

AdBlocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.