Friday, October 11, 2024
HomeCVE/vulnerabilityNukeSped Malware Exploiting Apache ActiveMQ Vulnerability

NukeSped Malware Exploiting Apache ActiveMQ Vulnerability

Published on

Malware protection

The Andariel threat group has been discovered installing malware via the exploitation of the Apache ActiveMQ remote code execution vulnerability classified as CVE-2023-46604.

The group is known to be either a subsidiary of Lazarus or in an active partnership with the Lazarus threat group. It primarily targets South Korean institutions and enterprises, which were initially detected in 2008.

Their primary targets are national defense, political groups, shipbuilding, energy, telecommunications, ICT firms, universities, and logistics firms.

- Advertisement - SIEM as a Service

Andariel Group Exploiting Apache ActiveMQ Vulnerability 

A remote code execution vulnerability in Apache ActiveMQ, an open-source messaging and integration pattern server, is identified as CVE-2023-46604.

A threat actor can remotely execute malicious commands and take over a system if an unpatched Apache ActiveMQ server is exposed externally.

Document
Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

“The Andariel group is exploiting a remote code execution vulnerability in Apache ActiveMQ servers to install NukeSped and TigerRat backdoors,” AhnLab Security Emergency Response Center (ASEC) said in a report shared with Cyber Security News.

NukeSped, a backdoor that the group has previously used, is found to be installed in a certain system. The malware can take control of the infected system by sending commands to the C&C server. The Lazarus and Andariel groups typically use this to take control of compromised systems.

Only three commands are supported by the NukeSped version that was utilized in the most recent attacks: downloading files, executing commands, and terminating running processes.

Commands supported by NukeSped malware

“During the initial communication with the C&C server, the POST method was used, but a GET method disguised as being for visiting Google was used to transmit the results of executing commands received from the C&C and any command execution failure messages,” researchers said.

Similar to normal NukeSped backdoors, auto-deletion is carried out via a batch file when an improper connection to the C&C server is made.

In addition to these well-known attacks, the Stager installation logs for CobaltStrike and Metasploit Meterpreter were discovered. 

Because of this, researchers claim that even though the CVE-2023-46604 vulnerability has only recently come to light, unpatched systems are already the focus of multiple attacks in a short amount of time.

Recommendation

Users must be cautious when opening email attachments and downloading executable files from unidentified sources. Corporate security staff should improve asset management software and install updates if any security holes exist.

For added protection against malware infections, users should upgrade V3 to the most recent version and apply the most recent patches for their operating systems and applications, including web browsers.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...