Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604) – ASEC BLOG

AhnLab's ASEC reports that the Andariel threat group is suspected of exploiting CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ, to deploy the NukeSped and TigerRat backdoors. The same vulnerability had already been reported in use by the HelloKitty ransomware operators, which is what prompted the search for related activity. The attacks target South Korean organizations in the defense, government, industrial and academic sectors; the observed tooling is a malicious Java class that acts as a downloader, CobaltStrike and Meterpreter stagers, and a set of URLs and IP addresses used to control infected hosts. #Andariel #NukeSped #TigerRat #HelloKitty #CobaltStrike #Metasploit #Lazarus #ApacheActiveMQ #CVE-2023-46604

Key points

  • The Andariel threat group has been active since around 2008, is widely assessed to be linked to Lazarus, and has mainly targeted South Korean organizations in the defense, political, shipbuilding, energy, and telecom sectors.
  • CVE-2023-46604 is a deserialization flaw in the OpenWire protocol (TCP/61616 by default): the broker instantiates an attacker-supplied class name, which is abused to make Spring's ClassPathXmlApplicationContext load a remote XML file that runs arbitrary commands. It is fixed in 5.15.16, 5.16.7, 5.17.6 and 5.18.3; any unpatched broker exposed to the Internet can be taken over remotely.
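The first thing a practitioner wants from this report is an inventory check: which of our brokers advertise a version below the fixed ones? The script below is an added example, not code from the ASEC report. It relies on a stable ActiveMQ behaviour: every new OpenWire connection receives a WireFormatInfo frame whose properties map carries "ProviderName"="ActiveMQ" and "ProviderVersion"="x.y.z". Rather than decode OpenWire, the parser locates the version string a few bytes after the "ProviderVersion" key, which tolerates the type and length prefix bytes in between. The fixed versions are those in the Apache advisory; the sample banner is constructed here, not a real capture.

```python
"""Classify an Apache ActiveMQ broker version against CVE-2023-46604.

Added example (not from the ASEC report). The network probe is only run
from the command line; the parsing and version logic run offline.
"""
import re
import socket

# Patch level that closed CVE-2023-46604 on each maintained 5.x branch
# (from the Apache advisory).
FIXED_PATCH = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}

# The value sits shortly after the key; the lazy gap absorbs the type byte
# and the 2-byte length prefix without committing to the exact layout.
_VERSION_RE = re.compile(rb"ProviderVersion.{0,8}?(\d+\.\d+\.\d+)", re.S)


def provider_version(frame: bytes):
    """Return the x.y.z version advertised in a WireFormatInfo frame, or None."""
    m = _VERSION_RE.search(frame)
    return m.group(1).decode("ascii") if m else None


def is_vulnerable(version: str):
    """True if affected, False if fixed, None if the string is not x.y.z."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch < FIXED_PATCH[branch]
    if branch < (5, 15):
        return True   # branches older than 5.15 never received a fix
    return False      # 5.19+/6.x shipped after the fix


def probe(host: str, port: int = 61616, timeout: float = 5.0):
    """Connect, read the broker's banner and classify it (live network call)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(4096)
    version = provider_version(banner)
    return version, (is_vulnerable(version) if version else None)


# Constructed sample banner (not a real capture). It mimics the shape of the
# properties map: UTF key, a type byte, a 2-byte length, then the value.
SAMPLE_BANNER = (
    b"\x00\x00\x00\x7f\x01ActiveMQ\x00\x00\x00\x0c\x01\x00\x00\x00\x60"
    b"\x00\x0cProviderName\x09\x00\x08ActiveMQ"
    b"\x00\x0fProviderVersion\x09\x00\x065.18.2"
    b"\x00\x0fPlatformDetails\x09\x00\x04Java"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 61616
        print(probe(sys.argv[1], port))
    else:
        v = provider_version(SAMPLE_BANNER)
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Run it as `python activemq_check.py broker.example 61616` (hypothetical host name) to classify a live broker; with no arguments it classifies the constructed banner. Treat a result of None as "go look manually": a broker behind a TLS-only transport or a non-default port will not return the plain banner.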

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – ‘CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ… If an unpatched Apache ActiveMQ server is exposed externally, the threat actor can execute malicious commands remotely and take control over the system.’
  • [T1105] Ingress Tool Transfer – ‘The threat actor used the following malicious Java class file during the vulnerability attack process. This malware ultimately downloads and installs an additional payload in Windows or Linux environments.’
  • [T1071.001] Application Layer Protocol: Web Protocols – ‘During the initial communication with the C&C server, the POST method was used, but a GET method disguised as being for visiting Google was used to transmit the results of executing commands received from the C&C and any command execution failure messages.’
  • [T1027] Obfuscated Files and Information – ‘The encryption method is a 1-byte XOR algorithm with the key value 0xA1. Besides 0xA1, in past attack cases, key values 0x97 and 0xAB were also used.’
  • [T1059] Command and Scripting Interpreter – ‘The following three commands are supported. The only actual available actions are downloading files from the C&C server, executing commands received from the C&C, and returning their results.’
  • [T1070.004] Indicator Removal: File Deletion – ‘When a connection to the C&C server is not established properly, auto-deletion is executed by using a batch file, which is similar to that of ordinary NukeSped backdoors. The batch file used for auto-deletion is created in the “%TEMP%\uninst.bat” path.’
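The T1027 entry is the one an analyst acts on first: a single-byte XOR is trivial to undo, and the report hands over the candidate keys. The helper below is an added example, not code from the ASEC report. It tries the three keys the report names (0xA1 in this campaign, 0x97 and 0xAB in earlier ones) and, going beyond the text, falls back to all 256 keys, scoring candidates by how much printable text they yield and breaking ties on alphanumeric density. The sample blob is constructed here by encoding a made-up C2 string table; it is not data from the report.

```python
"""Recover strings hidden with a 1-byte XOR, keys as named in the report.

Added example (not from the ASEC report). NUL bytes count as "printable"
because the strings in such tables are NUL-terminated.
"""
import string

KNOWN_KEYS = (0xA1, 0x97, 0xAB)               # from the report
_PRINTABLE = set(string.printable.encode()) | {0}
_ALNUM = set(string.ascii_letters.encode() + string.digits.encode())


def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def _ratio(data: bytes, charset) -> float:
    return sum(b in charset for b in data) / len(data) if data else 0.0


def recover(blob: bytes, min_ratio: float = 0.95):
    """Return (key, plaintext) for the best candidate key, or None.

    A known key wins as soon as it yields mostly printable output. Otherwise
    every key is scored by (printable ratio, alphanumeric ratio) and the best
    is returned if it clears min_ratio.
    """
    for key in KNOWN_KEYS:
        out = xor1(blob, key)
        if _ratio(out, _PRINTABLE) >= min_ratio:
            return key, out

    def score(k):
        out = xor1(blob, k)
        return _ratio(out, _PRINTABLE), _ratio(out, _ALNUM)

    best = max(range(256), key=score)
    out = xor1(blob, best)
    return (best, out) if _ratio(out, _PRINTABLE) >= min_ratio else None


def recover_strings(blob: bytes, key: int, min_len: int = 4):
    """Decode the blob and split it into NUL-terminated strings of min_len+."""
    parts = xor1(blob, key).split(b"\x00")
    return [p.decode("latin-1") for p in parts if len(p) >= min_len]


# Constructed sample: two NUL-terminated strings encoded with key 0xA1.
# 203.0.113.10 is a documentation address, not an indicator from the report.
SAMPLE_PLAIN = b"http://203.0.113.10:8000/index.php\x00Mozilla/5.0 (Windows NT 10.0)\x00"
SAMPLE_BLOB = xor1(SAMPLE_PLAIN, 0xA1)

if __name__ == "__main__":
    key, _ = recover(SAMPLE_BLOB)
    print(hex(key), recover_strings(SAMPLE_BLOB, key))
```

Point `recover` at the encrypted configuration region of a sample (or at any high-entropy blob in the dropper) and feed the returned key to `recover_strings` to pull out C2 URLs and user-agent strings; the known-key path is what makes this a two-second triage step when the family has not changed its key.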

Indicators of Compromise

  • [IP Address] C2 servers – 27.102.114[.]215:8000, 137.175.17[.]221:48084, and 137.175.17[.]172:41334
  • [URL] CobaltStrike server (beacon served under a jQuery-looking path) – hxxps://206.166.251[.]186/jquery-3.3.1.min.js
  • [MD5] File hashes for detected components – 7699ba4eab5837a4ad9d5d6bbedffc18; c2f8c9bb7df688d0a7030a96314bb493
  • [File Name] Sample executables observed – rang.exe, load.exe, agent_w.exe
  • [MD5] Additional related drops – 478dcb54e0a610a160a079656b9582de; 26ff72b0b85e764400724e442c164046
  • [URL] Payload download endpoints – hxxp://137.175.17[.]221:1443/ac.jar; hxxp://168.100.9[.]154:9090/Notification.msi
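A sweep of HTTP metadata for these indicators is the natural next step, and the report's description of the second-stage traffic (a POST to the C2, then GETs dressed up as visits to Google) suggests a second check beyond plain IoC matching: a request whose Host header names google.com while the bytes go to one of the listed addresses. The script below is an added example, not code from the ASEC report. It reads a Zeek http.log-style record (a constructed subset of fields: ts, id.orig_h, id.resp_h, id.resp_p, method, host, uri), matches the network indicators from the list above, and flags the Host-header mismatch only when the destination is a listed IP, since Google's real address ranges cannot be validated offline. The log lines are constructed for illustration.

```python
"""Sweep Zeek-style http.log records for the report's network indicators.

Added example (not from the ASEC report). Indicator values come from the
list above; log lines and the field subset are constructed here.
"""

# (resp_h, resp_p) pairs listed as C2 servers.
C2_ENDPOINTS = {
    ("27.102.114.215", 8000),
    ("137.175.17.221", 48084),
    ("137.175.17.172", 41334),
}
# (resp_h, resp_p, uri) for the payload and CobaltStrike download URLs.
# 443 is assumed for the hxxps URL; the report gives no explicit port.
PAYLOAD_URLS = {
    ("137.175.17.221", 1443, "/ac.jar"),
    ("168.100.9.154", 9090, "/Notification.msi"),
    ("206.166.251.186", 443, "/jquery-3.3.1.min.js"),
}
LISTED_IPS = {ip for ip, _ in C2_ENDPOINTS} | {ip for ip, _, _ in PAYLOAD_URLS}

FIELDS = ("ts", "src", "dst", "dport", "method", "host", "uri")


def parse(line: str) -> dict:
    """Split one tab-separated record into a dict; dport becomes an int."""
    rec = dict(zip(FIELDS, line.rstrip("\n").split("\t")))
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec: dict) -> list:
    """Return the reasons this record matches, empty if it is clean."""
    hits = []
    dst, dport = rec["dst"], rec["dport"]
    if (dst, dport) in C2_ENDPOINTS:
        hits.append("c2-endpoint")
    if (dst, dport, rec["uri"]) in PAYLOAD_URLS:
        hits.append("payload-download")
    if dst in LISTED_IPS:
        # The disguise the report describes: Host says Google, bytes go to C2.
        if rec["host"].lower().rstrip(".").endswith("google.com"):
            hits.append("host-header-disguise")
        if not hits:
            hits.append("listed-ip")   # same IP, a port/path not in the list
    return hits


def sweep(lines) -> dict:
    """Group matching records by source host: src -> [(method, dst:port, hits)]."""
    out = {}
    for line in lines:
        rec = parse(line)
        hits = classify(rec)
        if hits:
            out.setdefault(rec["src"], []).append(
                (rec["method"], f"{rec['dst']}:{rec['dport']}", hits))
    return out


# Constructed sample log (not real traffic). 198.51.100.20 and 203.0.113.5
# are documentation addresses standing in for benign destinations.
SAMPLE_LOG = ["\t".join(r) for r in [
    ("1700000000.10", "10.0.0.5", "203.0.113.5", "80", "GET", "www.google.com", "/"),
    ("1700000001.20", "10.0.0.5", "27.102.114.215", "8000", "POST", "27.102.114.215", "/index.php"),
    ("1700000002.30", "10.0.0.5", "27.102.114.215", "8000", "GET", "www.google.com", "/search?q=news"),
    ("1700000003.40", "10.0.0.7", "137.175.17.221", "1443", "GET", "137.175.17.221", "/ac.jar"),
    ("1700000004.50", "10.0.0.7", "137.175.17.221", "80", "GET", "137.175.17.221", "/"),
    ("1700000005.60", "10.0.0.9", "198.51.100.20", "80", "GET", "example.org", "/"),
]]

if __name__ == "__main__":
    for src, events in sweep(SAMPLE_LOG).items():
        print(src, events)
```

The first record (a Google URL going to a destination that is not in the list) is deliberately left unflagged: without an authoritative list of Google's ranges, "Host says Google but the IP is not Google" is a noisy rule on its own, whereas the same mismatch towards a listed C2 address is a high-confidence hit.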

Read more: https://asec.ahnlab.com/en/59318/