Thursday, January 23, 2025
HomeCVE/vulnerabilityMauri Ransomware Leverages Apache ActiveMQ Vulnerability to Deploy CoinMiners

Mauri Ransomware Leverages Apache ActiveMQ Vulnerability to Deploy CoinMiners

Published on

SIEM as a Service

Follow Us on Google News

The Apache ActiveMQ server is vulnerable to remote code execution (CVE-2023-46604), where attackers can exploit this vulnerability by manipulating serialized class types in the OpenWire protocol to load malicious class configurations from external sources. 

Successful exploitation allows attackers to execute arbitrary code on the vulnerable server, leading to potential system compromise, which has been actively exploited by various threat actors, including Andariel, HelloKitty, and Cobalt Strike, highlighting the critical need for prompt patching.

CoinMiner attackers exploited a vulnerability in Apache ActiveMQ servers to install Frpc malware, which allowed threat actors to execute commands remotely, potentially leading to further compromises.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

The attack involved downloading and executing malicious XML configuration files from a remote server, which were then loaded by the vulnerable ActiveMQ process. 

Malware within the download server

The attacker leverages an ActiveMQ vulnerability to execute commands that add a backdoor account named “adminCaloX1” with administrative privileges and enable remote desktop access (RDP). 

They utilize a combination of PowerShell cmdlets and the open-source tool “CreateHiddenAccount” to achieve this, which likely originates from a Chinese source, further suggesting the attacker’s potential background. 

It is possible that the attacker is attempting to facilitate RDP access within a private network with the download and execution of Frpc. 

Batch script for registering a hidden account

Quasar RAT, a .NET-based open-source RAT, provides comprehensive remote access capabilities by enabling threat actors to execute commands, manipulate files and registry entries, and steal sensitive information through keylogging and account harvesting. 

It also facilitates real-time system control via remote desktop, as this specific instance of Quasar RAT leverages a C&C server located at 18.139.156[.]111:4782, suggesting a dual-pronged attack approach combining remote desktop control and stealthy RAT operations.

Threat actor’s Frpc configuration file

The threat actor leveraged the ActiveMQ vulnerability to deploy Frpc, a reverse proxy tool, onto compromised systems, which was facilitated by a PowerShell command. 

The primary objective of Frpc is to establish a connection between a specific port on the infected system (port 3389 in this case) and an external relay server, which likely another compromised system located in Korea, allows the threat actor to remotely access the infected system via RDP, bypassing potential network restrictions.

According to ASEC, Mauri ransomware, an open-source tool, is being weaponized by threat actors. Despite being initially intended for research, its public availability has enabled malicious use. 

Ransom note generated after encryption

The ransomware encrypts various file extensions using AES-256 CTR and demands a ransom in USDT. While the current C&C server is localhost, indicating potential testing, the modified configuration suggests active exploitation. 

Apache ActiveMQ versions 5.18.0-5.18.2, 5.17.0-5.17.5, 5.16.0-5.16.6, 5.15.15 and earlier, and Legacy OpenWire Module versions 5.18.0-5.18.2, 5.17.0-5.17.5, 5.16.0-5.16.6, and 5.8.0-5.15.15 are vulnerable to attacks. 

Threat actors exploit these vulnerabilities to install CoinMiners, malware, or ransomware. To mitigate risks, system administrators must update to the latest versions, implement firewalls, and update V3 to the latest version to prevent malware infections.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Nnice Ransomware Attacking Windows Systems With Advanced Encryption Techniques

CYFIRMA's Research and Advisory team has identified a new strain of ransomware labeled "Nnice,"...