Sunday, February 9, 2025

NukeSped Malware Exploiting Apache ActiveMQ Vulnerability


The Andariel threat group has been discovered installing malware via the exploitation of the Apache ActiveMQ remote code execution vulnerability classified as CVE-2023-46604.

The group is known to be either a subsidiary of Lazarus or in an active partnership with the Lazarus threat group. First observed in 2008, it primarily targets South Korean institutions and enterprises.

Their primary targets are national defense, political groups, shipbuilding, energy, telecommunications, ICT firms, universities, and logistics firms.

Andariel Group Exploiting Apache ActiveMQ Vulnerability 

CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ, an open-source message broker and integration server. The flaw sits in the OpenWire protocol handler, which deserializes an attacker-supplied class name and can be made to instantiate a Spring ClassPathXmlApplicationContext that loads a bean-definition XML file from an attacker-controlled URL, giving arbitrary code execution as the broker process. Apache fixed it in versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3.

A threat actor can remotely execute commands and take over the host, without any authentication, if an unpatched Apache ActiveMQ server's OpenWire listener (TCP port 61616 by default) is reachable from the internet.
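The first thing a defender wants here is a quick way to find brokers still on an affected release. The script below is an added example, not ASEC's or Apache's code. On a fresh TCP connection to the OpenWire port, an ActiveMQ broker sends a WireFormatInfo frame whose properties include ProviderName ("ActiveMQ") and ProviderVersion as plain UTF-8 strings, so the version can be pulled out with a regex and compared against the first fixed release on each branch. The sample frame embedded below is a constructed, abbreviated imitation of that banner for offline testing; the function and property names are the script's own.

```python
"""Check an Apache ActiveMQ broker's OpenWire banner against CVE-2023-46604.

Added example (not code from the article or from Apache/ASEC). It greets the
OpenWire port, extracts ProviderVersion from the broker's WireFormatInfo frame
and compares it with the first fixed release of each affected 5.x branch.
"""
import re
import socket
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per affected branch, from the Apache advisory for CVE-2023-46604.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

# The property key is followed by a type byte and a 2-byte length before the string value.
_PROVIDER_RE = re.compile(rb"ProviderVersion[^0-9]{0,8}(\d+)\.(\d+)\.(\d+)")
_ANY_VERSION_RE = re.compile(rb"(\d+)\.(\d+)\.(\d+)")

# Constructed sample banner: OpenWire magic "ActiveMQ" followed by an abbreviated
# property map. Real frames carry more properties, but the layout of the two we
# care about is the same: UTF key, type byte 0x09 (string), 2-byte length, value.
SAMPLE_FRAME = (
    b"\x00\x00\x00\x6f\x01ActiveMQ\x00\x00\x00\x0c\x01\x00\x00\x00\x58\x00\x00\x00\x02"
    b"\x00\x0fProviderVersion\x09\x00\x065.18.2"
    b"\x00\x0cProviderName\x09\x00\x08ActiveMQ"
)


def parse_version(frame: bytes) -> Optional[Version]:
    """Return (major, minor, patch) from a WireFormatInfo frame, or None if it is not ActiveMQ."""
    if b"ActiveMQ" not in frame:
        return None
    match = _PROVIDER_RE.search(frame) or _ANY_VERSION_RE.search(frame)
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def assess(version: Version) -> str:
    """Classify a broker version as 'vulnerable', 'patched' or 'unknown'."""
    major, minor, _ = version
    # The advisory covers every release before 5.15.16, so anything older than 5.15 is affected.
    if major < 5 or (major == 5 and minor < 15):
        return "vulnerable"
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        # Branch not listed in the advisory (e.g. 6.x): do not guess, report it for manual review.
        return "unknown"
    return "vulnerable" if version < fixed else "patched"


def grab_banner(host: str, port: int = 61616, timeout: float = 5.0) -> bytes:
    """Connect to the OpenWire port and read whatever the broker volunteers on connect."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            while sum(len(c) for c in chunks) < 4096:
                data = sock.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # broker has sent its WireFormatInfo and is waiting for ours
    return b"".join(chunks)


def check_broker(host: str, port: int = 61616) -> Tuple[Optional[Version], str]:
    """Network wrapper: (version, verdict) for a live broker."""
    version = parse_version(grab_banner(host, port))
    if version is None:
        return None, "no ActiveMQ OpenWire banner"
    return version, assess(version)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(target, *check_broker(target))
    else:
        print("sample frame:", parse_version(SAMPLE_FRAME), assess(parse_version(SAMPLE_FRAME)))
```

Run it against a host you are authorised to test (`python check_activemq.py broker.example.internal`); with no argument it exercises the constructed sample frame. The check only reads the banner, so it does not trigger the deserialization path and is safe to run across an inventory. A broker reported as "unknown" is on a branch the advisory does not enumerate and should be confirmed by hand rather than assumed safe.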


“The Andariel group is exploiting a remote code execution vulnerability in Apache ActiveMQ servers to install NukeSped and TigerRat backdoors,” AhnLab Security Emergency Response Center (ASEC) said in a report shared with Cyber Security News.

NukeSped, a backdoor the group has used before, was found installed on a compromised system. The malware receives commands from its C&C server and executes them on the infected host, which is how the Lazarus and Andariel groups typically take control of compromised systems.

Only three commands are supported by the NukeSped variant used in the most recent attacks: download a file, execute a command, and terminate a running process.

Commands supported by NukeSped malware

“During the initial communication with the C&C server, the POST method was used, but a GET method disguised as being for visiting Google was used to transmit the results of executing commands received from the C&C and any command execution failure messages,” researchers said.

As with other NukeSped samples, the backdoor deletes itself via a batch file when it fails to establish a proper connection to the C&C server.
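The article does not reproduce the batch file, so the detection below is built around the generic self-deleting batch idiom rather than NukeSped's actual script: a label, a `del` of the dropped executable, an `if exist ... goto` retry until the file is gone, and finally a `del` of the batch file itself via `%~f0` or `%0`. This is an added example, not ASEC's code; both batch samples are constructed for the test, and the function and field names are the example's own.

```python
"""Flag batch files that implement the self-delete loop commonly used by backdoors.

Added example. The indicators are generic (not taken from a NukeSped sample):
  1. a `del` of an executable/script,
  2. an `if exist <file> goto <label>` loop that retries until the file is gone,
  3. a final `del` of the batch file itself (%~f0 / %0).
"""
import re
from typing import Dict, List

# Constructed sample: the classic self-deleting dropper cleanup batch.
SAMPLE_SELF_DELETE = r"""@echo off
:retry
del /f /q "C:\Users\Public\svchost_upd.exe"
if exist "C:\Users\Public\svchost_upd.exe" goto retry
del /f /q "%~f0"
"""

# Constructed sample: a benign maintenance batch that also uses del and goto.
SAMPLE_BENIGN = r"""@echo off
:again
copy C:\logs\*.log D:\backup\ >nul
del /q C:\logs\old_*.log
if errorlevel 1 goto again
echo done
"""

_DEL_BINARY = re.compile(r'^\s*del\b[^\n]*?"?([^\s"]+\.(?:exe|dll|scr|bat|cmd))"?', re.I | re.M)
_EXIST_LOOP = re.compile(r"^\s*if\s+exist\s+.*?\bgoto\s+(\w+)", re.I | re.M)
_LABEL = re.compile(r"^\s*:(\w+)", re.M)
_DEL_SELF = re.compile(r"^\s*del\b[^\n]*(?:%~f?0|%0)", re.I | re.M)


def analyse_batch(text: str) -> Dict[str, object]:
    """Score a batch script for the three self-delete indicators."""
    deleted_binaries: List[str] = [m.group(1) for m in _DEL_BINARY.finditer(text)]
    loop_targets = {m.group(1).lower() for m in _EXIST_LOOP.finditer(text)}
    labels = {m.group(1).lower() for m in _LABEL.finditer(text)}
    # Only count the loop if it jumps to a label that actually exists in the file.
    retries_until_gone = bool(loop_targets & labels)
    deletes_self = bool(_DEL_SELF.search(text))
    score = int(bool(deleted_binaries)) + int(retries_until_gone) + int(deletes_self)
    return {
        "deleted_binaries": deleted_binaries,
        "retries_until_gone": retries_until_gone,
        "deletes_self": deletes_self,
        "score": score,
        # Two of three indicators together are rare in legitimate admin scripts.
        "suspicious": score >= 2,
    }


if __name__ == "__main__":
    for name, sample in (("self-delete", SAMPLE_SELF_DELETE), ("benign", SAMPLE_BENIGN)):
        print(name, analyse_batch(sample))
```

Point `analyse_batch` at the contents of `.bat`/`.cmd` files recovered from temp and user-writable directories, or at the command line captured in process-creation telemetry when `cmd.exe /c` is launched with a batch path. A hit is a hunting lead, not proof: the threshold is deliberately set at two indicators so that a lone `del` of an executable in an installer does not fire.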

Alongside these known tools, the researchers also found logs showing that Cobalt Strike and Metasploit Meterpreter stagers had been installed on the same systems.

Researchers therefore note that, although CVE-2023-46604 was only recently disclosed, unpatched systems are already being hit by multiple actors within a short span of time.

Recommendation

Users should remain cautious when opening email attachments and downloading executables from unknown sources. Corporate security staff should tighten asset management so that internet-exposed ActiveMQ brokers are inventoried, and update them to a fixed release (5.15.16, 5.16.7, 5.17.6 or 5.18.3, or later); where patching must wait, the OpenWire listener should not be reachable from the internet.

For added protection against malware infections, users should upgrade AhnLab V3 to the latest version and apply the latest patches for their operating systems and applications, including web browsers.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
