While monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) discovered an attack case in which the group is assumed to have exploited the Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware.
The Andariel threat group usually targets South Korean companies and institutions, and the group is known to be either in a cooperative relationship with the Lazarus threat group or a subsidiary group of Lazarus. Their attacks against South Korea were first identified in 2008, and their main targets include national defense, political organizations, shipbuilding, energy, and telecommunications. Other South Korean targets include universities, logistics companies, and ICT companies. [1] (This link is only available in Korean.)
The Andariel threat group has employed spear phishing, watering hole, and supply chain attacks in the past [2]. Recently, cases have been identified where the group exploits the Log4Shell vulnerability [3], targets poorly managed MS-SQL servers, or abuses legitimate software. [4]
There are no direct logs as of now, but it is assumed that the Andariel group is exploiting a remote code execution vulnerability in Apache ActiveMQ servers to install the NukeSped and TigerRat backdoors. This post summarizes the cases of attacks against Apache ActiveMQ servers and the grounds on which the Andariel group is suspected of abusing this vulnerability in its attacks.
1. Cases of Attacks Exploiting Apache ActiveMQ Vulnerability
CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ, an open-source messaging and integration pattern server. If an unpatched Apache ActiveMQ server is exposed externally, the threat actor can execute malicious commands remotely and take control over the system.
Various threat actors have been exploiting this vulnerability to install malware since information on it was disclosed. One major example is the HelloKitty ransomware attack case covered by Rapid7. [5] This case was also found in the AhnLab Smart Defense (ASD) logs, which means that systems in South Korea are also becoming targets of CVE-2023-46604 attacks.
Figure 1. Logs of attempting to install HelloKitty ransomware
While monitoring attacks by the Andariel group, ASEC found NukeSped, a backdoor that the Andariel group has used in the past, being installed on a certain system. Investigation revealed that an Apache ActiveMQ server was installed on this system, and it was confirmed that there were various attack logs from late October, when information on the CVE-2023-46604 vulnerability was released, including those involving the HelloKitty ransomware.
Figure 2. Various attack logs found in the infected system
The threat actor used the following malicious Java class file during the vulnerability attack process. This malware ultimately downloads and installs an additional payload in Windows or Linux environments. This malware also appeared in a case in a recent report by Huntress. [6]
Figure 3. Malicious Java class file that acts as a downloader
Aside from these known attacks, CobaltStrike and Metasploit Meterpreter Stager installation logs were also found. Based on this evidence, it can be assumed that even though not much time has passed since information regarding the CVE-2023-46604 vulnerability was disclosed, unpatched systems have become targets of numerous attacks within this short period.
Figure 4. Metasploit Meterpreter’s Stager installation log
Figure 5. CobaltStrike Beacon configuration data by CobaltStrikeParser [7]
2.1. Circumstances of an Attack Exploiting CVE-2023-46604 Vulnerability
While analyzing systems in which various Apache ActiveMQ servers were attacked, a system with the NukeSped backdoor used by the Andariel group was found. Although there were no direct logs showing that NukeSped was installed through exploitation of the CVE-2023-46604 vulnerability, it is possible that the Andariel group exploited CVE-2023-46604 for the attack, considering that no attacks other than the exploitation of this vulnerability were confirmed and that the malware installation log was recorded while the attacks were ongoing.
The analyzed system had repeatedly become a target of attacks since late October, when the first attack exploiting the CVE-2023-46604 vulnerability was discovered. In particular, seeing that the HelloKitty ransomware mentioned in the Rapid7 report and the downloader mentioned in a Huntress report were both detected, it is deemed to be a vulnerable Apache ActiveMQ server. While no specific malware was named in the Huntress report, it covered a case where a malicious payload was installed from the URL “hxxp://27.102.128[.]152:8098/bit[.]ico” through exploitation of the CVE-2023-46604 vulnerability.
This address, covered in a past Blog post, corresponds to the URL where TigerRat was downloaded from. It is also the address where the “oracle” malware in the following log was downloaded from, as well as being the C&C server URL. While the malware files were not collected, TigerRat was installed under the names “rang.exe” and “load.exe”.
Figure 6. URL used to install TigerRat
The Andariel group has also often used disclosed vulnerabilities such as the Log4Shell and TeamCity vulnerabilities [8] in its past attacks.
2.2. NukeSped Backdoor
NukeSped is a backdoor that can control the infected system through commands received from the C&C server. This is usually used by the Lazarus and Andariel groups to control infected systems. The NukeSped used in the attacks is similar to “NukeSped Variant – Type 1” covered in the past Blog post, “Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)”.
The NukeSped version used in the recent attacks only supports three commands: downloading files, executing commands, and terminating running processes. Although the NukeSped in previous attack cases supported a much wider range of commands, most other features are the same.
Like typical NukeSped types, all the API addresses and strings to be used are encrypted, then decrypted and used at runtime. The encryption method is a 1-byte XOR algorithm with the key value 0xA1. Besides 0xA1, in past attack cases, key values 0x97 and 0xAB were also used.
Figure 7. XOR-encrypted string using the 0xA1 key
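The 1-byte XOR scheme described above is trivial to reverse once the key is known, and it is cheap to brute-force when it is not. The following is an added example (not ASEC's code or the malware's own routine) that recovers such strings: it tries the key values named in the post (0xA1, 0x97, 0xAB) first, falls back to all 256 keys, and scans a buffer "strings"-style for printable runs. The encrypted blobs are constructed here by XOR-encoding two well-known Windows API/DLL names; they are not taken from a sample.

```python
# Added example, not ASEC's code: recovering single-byte XOR-encrypted
# strings of the kind NukeSped decrypts at runtime. The key values 0xA1,
# 0x97 and 0xAB come from the post; the blobs below are constructed by
# XOR-encoding well-known API/DLL names, not extracted from a sample.
from __future__ import annotations

KNOWN_KEYS = (0xA1, 0x97, 0xAB)

# Constructed inputs: "CreateProcessW\0" XOR 0xA1 and "kernel32.dll" XOR 0x97.
SAMPLE_A1 = bytes.fromhex("e2d3c4c0d5c4f1d3cec2c4d2d2f6a1")
SAMPLE_97 = bytes.fromhex("fcf2e5f9f2fba4a5b9f3fbfb")


def xor_bytes(data: bytes, key: int) -> bytes:
    """1-byte XOR; the same operation both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def is_printable_ascii(data: bytes) -> bool:
    """Acceptance heuristic: non-empty and every byte in 0x20..0x7E after
    dropping the NUL terminator that C strings carry."""
    text = data.rstrip(b"\x00")
    return len(text) > 0 and all(0x20 <= b < 0x7F for b in text)


def decrypt_with_known_keys(blob: bytes) -> tuple[int, str] | None:
    """Try the keys seen in NukeSped samples first; cheap and usually enough."""
    for key in KNOWN_KEYS:
        out = xor_bytes(blob, key)
        if is_printable_ascii(out):
            return key, out.rstrip(b"\x00").decode("ascii")
    return None


def brute_force_key(blob: bytes) -> list[tuple[int, str]]:
    """Fallback for a variant with a new constant: return every key that
    yields printable text so an analyst can pick the plausible one."""
    hits: list[tuple[int, str]] = []
    for key in range(256):
        out = xor_bytes(blob, key)
        if is_printable_ascii(out):
            hits.append((key, out.rstrip(b"\x00").decode("ascii")))
    return hits


def find_xor_strings(buf: bytes, key: int, min_len: int = 6) -> list[str]:
    """'strings'-style scan: decrypt a whole buffer with one key and return
    printable runs of at least min_len characters."""
    decoded = xor_bytes(buf, key)
    found: list[str] = []
    run = bytearray()
    for b in decoded:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


# Constructed buffer: two 0xA1-encoded strings separated by filler bytes.
BLOB = (b"\x00\x10\x00" + SAMPLE_A1 + b"\x07\x00"
        + xor_bytes(b"WinHttpOpen", 0xA1) + b"\x00")

if __name__ == "__main__":
    print(decrypt_with_known_keys(SAMPLE_A1))   # (161, 'CreateProcessW')
    print(decrypt_with_known_keys(SAMPLE_97))   # (151, 'kernel32.dll')
    print(find_xor_strings(BLOB, 0xA1))         # ['CreateProcessW', 'WinHttpOpen']
```

Because a single-byte key only flips the same bits in every byte, several keys can produce printable output for a short blob; the known-key path is therefore tried first, and the brute-force path deliberately returns all candidates rather than guessing.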
When NukeSped first connects to the C&C server, it sends an HTTP request in the following format.
Figure 8. Packet upon the first connection to the C&C server
| HTTP Request Header | Value | Description |
|---|---|---|
| Sec-Fetch-Mode | 10 (0x0A) | Initial connection |
| Sec-Fetch-User | S-[Computer Name] | Computer name of the infected system |
| Sec-Fetch-Dest | 01 | Initial connection |

Table 1. Format upon the first connection to the C&C server
Afterwards, an HTTP response is received from the C&C server, and each of the strings in the following table is checked. If the strings exist in the response, the value of “Sec-Fetch-Mode:” is treated as a command and the corresponding routine is executed.
| HTTP Response Header | Description |
|---|---|
| “HTTP/1.1 200 OK Content-Type: text/html ” | Default response format |
| “Sec-Fetch-Mode:” | Command |
| “Content-Length:” | Command length |

Table 2. Format of commands received from the C&C server
The following three commands are supported. In practice, the only available actions are downloading files from the C&C server and executing commands received from the C&C and returning their results.

| Command | Feature |
|---|---|
| 30 (0x1E) | Downloading files |
| 33 (0x21) | Executing commands and returning their results |
| 34 (0x22) | Terminating running processes |

Table 3. Commands supported by NukeSped
The POST method was used for the initial communication with the C&C server, but a GET request disguised as a visit to Google was used to transmit the results of executing commands received from the C&C and any command execution failure messages.
Figure 9. Response packet with a command execution failure message
| Sec-Fetch-Mode | Details |
|---|---|
| 10 (0x0A) | Initial connection |
| 30 (0x1E) | Command execution results |
| 35 (0x23) | Command execution failure message |

Table 4. Format when sending the command execution results
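The protocol laid out in Tables 1 through 4 gives network defenders a usable signature: browsers only ever send token values such as `navigate` or `cors` in `Sec-Fetch-Mode` and only `?1` in `Sec-Fetch-User`, so a numeric `Sec-Fetch-Mode` paired with an `S-<computer name>` `Sec-Fetch-User` is not browser traffic. The following is an added example (not ASEC's code) that classifies captured HTTP requests against Table 1 and Table 4 and applies the Table 2 and Table 3 checks to a C&C response. The sample messages, the placeholder hostname `c2.invalid`, and the assumption that the response body carries the command argument are constructed for this example.

```python
# Added example, not ASEC's code: a detector for the NukeSped beacon and
# C&C response format described in Tables 1-4. Header names, numeric
# Sec-Fetch-Mode values and command codes come from the post; the sample
# messages, the placeholder host "c2.invalid" and the assumption that the
# response body holds the command argument are constructed for the example.
from __future__ import annotations

# Table 1 / Table 4: Sec-Fetch-Mode values the backdoor sends to the C&C server.
CLIENT_MODES = {
    "10": "initial connection",
    "30": "command execution results",
    "35": "command execution failure message",
}

# Table 3: commands carried in the Sec-Fetch-Mode header of the C&C response.
SERVER_COMMANDS = {
    "30": "download file",
    "33": "execute command and return result",
    "34": "terminate process",
}

# Token values a browser can legitimately send; anything numeric is anomalous.
LEGIT_FETCH_MODES = {"cors", "navigate", "no-cors", "same-origin", "websocket"}


def parse_http(raw: str) -> tuple[str, dict[str, str], str]:
    """Split an HTTP message into start line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_request(raw: str) -> tuple[str, str | None] | None:
    """Return (message type, infected host name) for a NukeSped request, else None."""
    _start, h, _body = parse_http(raw)
    mode = h.get("sec-fetch-mode", "")
    if mode in LEGIT_FETCH_MODES or mode not in CLIENT_MODES:
        return None
    # Table 1: "S-<computer name>" in Sec-Fetch-User identifies the victim host.
    user = h.get("sec-fetch-user", "")
    host = user[2:] if user.startswith("S-") else None
    return CLIENT_MODES[mode], host


def decode_c2_response(raw: str) -> tuple[str, str] | None:
    """Apply the Table 2 checks to a C&C response and name the Table 3 command."""
    start, h, body = parse_http(raw)
    if not start.startswith("HTTP/1.1 200 OK") or h.get("content-type") != "text/html":
        return None
    mode = h.get("sec-fetch-mode")
    if mode not in SERVER_COMMANDS:
        return None
    length = int(h.get("content-length", "0"))
    # Assumption for this example: the Content-Length bytes of body are the argument.
    return SERVER_COMMANDS[mode], body[:length]


# Constructed samples (hostnames are placeholders, not the real C&C).
BEACON = ("POST / HTTP/1.1\r\nHost: c2.invalid:8000\r\n"
          "Sec-Fetch-Mode: 10\r\nSec-Fetch-User: S-WIN-ACTIVEMQ01\r\n"
          "Sec-Fetch-Dest: 01\r\nContent-Length: 0\r\n\r\n")
RESULT_FAIL = ("GET / HTTP/1.1\r\nHost: www.google.com\r\n"
               "Sec-Fetch-Mode: 35\r\n\r\n")
BENIGN = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          "Sec-Fetch-Mode: navigate\r\nSec-Fetch-User: ?1\r\n"
          "Sec-Fetch-Dest: document\r\n\r\n")
C2_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               "Sec-Fetch-Mode: 33\r\nContent-Length: 7\r\n\r\nwhoami\n")
PLAIN_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for sample in (BEACON, RESULT_FAIL, BENIGN):
        print(classify_request(sample))
    print(decode_c2_response(C2_RESPONSE), decode_c2_response(PLAIN_RESPONSE))
```

Note that the disguised GET carrying results or a failure message is still caught by the numeric `Sec-Fetch-Mode` alone, even though the `Host` header points at Google; a proxy or NIDS rule built on the same idea should key on the header values rather than the destination.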
When a connection to the C&C server cannot be established properly, the backdoor deletes itself using a batch file, which is similar to the behavior of ordinary NukeSped backdoors. The batch file used for self-deletion is created at the “%TEMP%uninst.bat” path.
Figure 10. Batch file used for auto-deletion
3. Conclusion
Along with the Kimsuky and Lazarus groups, the Andariel group is one of the threat groups that actively target South Korea. In the early days they carried out attacks to obtain information related to national security, but they now also carry out attacks for financial gain. [8] (This report supports Korean only for now.) Although they mostly use spear phishing or watering hole attacks for initial infiltration, there are also cases where the group exploits vulnerabilities such as Log4Shell or TeamCity to install malware. Recently, there has been evidence of the Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) being exploited to install malware.
Users should be cautious with email attachments and executable files downloaded from unknown sources, and corporate security personnel should strengthen the management of their assets and apply patches whenever security vulnerabilities are found in the programs in use. Users should also apply the latest patches for the OS and programs such as internet browsers, and update V3 to the latest version to prevent such malware infections in advance.
File Detection
– Trojan/Win32.Dynamer.R162477 (2015.08.19.00)
– Trojan/Win64.CobaltStrike.R356638 (2020.11.26.05)
– Backdoor/Win.NukeSped.C5542399 (2023.11.16.01)
– Trojan/Win.Generic.C5483470 (2023.09.08.03)
– Trojan/Win.Generic.C5532844 (2023.10.28.01)
– Backdoor/Win.TigerRAT.C5517634 (2023.10.19.03)
– Trojan/CLASS.Agent (2023.11.03.00)
– Dropper/MSI.Agent (2023.11.17.03)
Behavior Detection
– Malware/MDP.Download.M1900
– Ransom/MDP.Command.M2255
IOC
MD5
– 7699ba4eab5837a4ad9d5d6bbedffc18: NukeSped (credisvc.exe)
– c2f8c9bb7df688d0a7030a96314bb493: TigerRat (load.exe, rang.exe)
– 478dcb54e0a610a160a079656b9582de: HelloKitty Installer
– 26ff72b0b85e764400724e442c164046: HelloKitty Ransomware
– 4eead95202e6a0e4936f681fd5579582: Java Downloader
– 160f7d2307bbc0e8a1b6ac03b8715e4f: Java Downloader
– 11ec319e9984a71d80df1302fe77332d: Downloader (agent_w.exe)
– dc9d60ce5b3d071942be126ed733bfb8: Downloader (agent_w.exe)
– beb219abe2ba5e9fd7d51a178ac2caca: Metasploit Meterpreter Stager
– c55eb07ef4c07e5ba63f7f0797dfd536: CobaltStrike Installer (Notification.msi)
– 31cbc75319ea60f45eb114c2faad21f9: CobaltStrike (Notification.exe)
C&C Server
– 27.102.114[.]215:8000: NukeSped
– 137.175.17[.]221:48084: Downloader
– 137.175.17[.]172:41334: Downloader
– 176.105.255[.]60:49407: Metasploit Meterpreter Stager
– hxxps://206.166.251[.]186/jquery-3.3.1.min.js: CobaltStrike
Download URLs
– hxxp://137.175.17[.]221:1443/ac.jar: Java Downloader
– hxxp://137.175.17[.]172:1443/ac3.jar: Java Downloader
– hxxp://137.175.17[.]221:1443/agent: Downloader (Linux)
– hxxp://137.175.17[.]221:1443/agent_w: Downloader (Windows)
– hxxp://137.175.17[.]172:1443/agent: Downloader (Linux)
– hxxp://137.175.17[.]172:1443/agent_w: Downloader (Windows)
– hxxp://176.105.255[.]60/Xdw0FFtpuYWSLrVcAei5zg: Metasploit Meterpreter Stager
– hxxp://168.100.9[.]154:9090/Notification.msi: CobaltStrike Installer
The post Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604) appeared first on ASEC BLOG.