Friday, June 14, 2024

NukeSped Malware Exploiting Apache ActiveMQ Vulnerability

The Andariel threat group has been discovered installing malware via the exploitation of the Apache ActiveMQ remote code execution vulnerability classified as CVE-2023-46604.

The group is known to be either a subsidiary of Lazarus or in an active partnership with the Lazarus threat group. It primarily targets South Korean institutions and enterprises, which were initially detected in 2008.

Their primary targets are national defense, political groups, shipbuilding, energy, telecommunications, ICT firms, universities, and logistics firms.

Andariel Group Exploiting Apache ActiveMQ Vulnerability 

A remote code execution vulnerability in Apache ActiveMQ, an open-source messaging and integration pattern server, is identified as CVE-2023-46604.

A threat actor can remotely execute malicious commands and take over a system if an unpatched Apache ActiveMQ server is exposed externally.

Free Webinar

Live API Attack Simulation Webinar

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked. The session will cover: an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

“The Andariel group is exploiting a remote code execution vulnerability in Apache ActiveMQ servers to install NukeSped and TigerRat backdoors,” AhnLab Security Emergency Response Center (ASEC) said in a report shared with Cyber Security News.

NukeSped, a backdoor that the group has previously used, is found to be installed in a certain system. The malware can take control of the infected system by sending commands to the C&C server. The Lazarus and Andariel groups typically use this to take control of compromised systems.

Only three commands are supported by the NukeSped version that was utilized in the most recent attacks: downloading files, executing commands, and terminating running processes.

Commands supported by NukeSped malware

“During the initial communication with the C&C server, the POST method was used, but a GET method disguised as being for visiting Google was used to transmit the results of executing commands received from the C&C and any command execution failure messages,” researchers said.

Similar to normal NukeSped backdoors, auto-deletion is carried out via a batch file when an improper connection to the C&C server is made.

In addition to these well-known attacks, the Stager installation logs for CobaltStrike and Metasploit Meterpreter were discovered. 

Because of this, researchers claim that even though the CVE-2023-46604 vulnerability has only recently come to light, unpatched systems are already the focus of multiple attacks in a short amount of time.


Users must be cautious when opening email attachments and downloading executable files from unidentified sources. Corporate security staff should improve asset management software and install updates if any security holes exist.

For added protection against malware infections, users should upgrade V3 to the most recent version and apply the most recent patches for their operating systems and applications, including web browsers.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles