Summary:
The article discusses ongoing attacks exploiting the CVE-2023-46604 vulnerability in Apache ActiveMQ, which target unpatched servers to install CoinMiners and Mauri ransomware. Threat actors use a range of tools and techniques to gain unauthorized access to and control over compromised systems, which underlines the need for timely security updates.
#ApacheActiveMQ #MauriRansomware #CoinMiner
Key points:
Apache ActiveMQ vulnerability (CVE-2023-46604) allows remote code execution on unpatched servers.
Threat actors exploit this vulnerability to install CoinMiners and Mauri ransomware.
Attackers use tools like Ladon, Netcat, AnyDesk, and z0Miner in their operations.
Frpc is installed to facilitate remote access through RDP.
Backdoor accounts are created to maintain persistent access to compromised systems.
Quasar RAT is utilized for remote control and data theft from infected systems.
System administrators are urged to apply security patches to vulnerable Apache ActiveMQ versions.
MITRE Techniques:
Remote Code Execution (T1203): Exploits CVE-2023-46604 to execute malicious commands on vulnerable Apache ActiveMQ servers.
Credential Dumping (T1003): Uses backdoor accounts to gain unauthorized access to systems.
Remote Access Tools (T1219): Deploys Quasar RAT for remote control and data exfiltration.
Exploitation of Remote Services (T1210): Utilizes the Apache ActiveMQ vulnerability for initial access.
Command and Control (T1071): Establishes communication channels using Frpc to relay access to compromised systems.
IoC:
[url] hxxp://18[.]139[.]156[.]111:83/pocw.xml
[ip address] 18.139.156.111
[file name] user.zip
[file name] CreateHiddenAccount_v0.2.exe
[file name] user.bat
[file name] Google.zip
[file name] a.exe
[file name] brave.exe
[file name] c.ini
[file name] chrome.exe
[telegram contact] hxxps://t[.]me/calojohn666
[tool name] Quasar RAT
[tool name] CreateHiddenAccount
[tool name] Frpc
Full Research: https://asec.ahnlab.com/en/85000/