Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604)
AhnLab SEcurity intelligence Response Center (ASEC) has covered attacks targeting the CVE-2023-46604 vulnerability in past blog posts. Unpatched systems are still being targeted, and most of the observed cases show that the attackers' main intention is to install CoinMiners. Recently, however, threat actors using Mauri ransomware have been found exploiting the Apache ActiveMQ vulnerability to attack Korean systems.
1. Apache ActiveMQ Vulnerability (CVE-2023-46604)
CVE-2023-46604 is a remote code execution vulnerability in the Apache ActiveMQ server, an open-source messaging and integration patterns server. If an unpatched Apache ActiveMQ server is exposed externally, a threat actor can execute malicious commands remotely and take control of the target system.
The vulnerability is exploited by manipulating the serialized class type in the OpenWire protocol so that the server instantiates an arbitrary class from its classpath. When the threat actor sends the modified packet, the vulnerable server follows the path (URL) contained in the packet and loads a class XML configuration file from it.
- AhnLab TIP: Apache ActiveMQ Security Update Advisory (CVE-2023-46604) [1]
Exploitation began shortly after the vulnerability was disclosed, with attacks involving the Andariel group, HelloKitty ransomware [2], and Cobalt Strike observed on systems within Korea. Unpatched systems have been targeted continuously since then, with tools such as Ladon, Netcat, AnyDesk, and z0Miner being installed [3].
2. Initial Access
The targeted systems had Apache ActiveMQ servers installed, and their logs show continuous attempts by CoinMiner attackers to install malware. The Mauri ransomware threat actors are also suspected of exploiting the vulnerability: Frpc was installed by the vulnerable ActiveMQ process.

Figure 1. Frpc installed by an ActiveMQ process
Examining the download server from which the malware was fetched revealed various malware, legitimate tools, and class XML configuration files. The vulnerable Apache ActiveMQ Java process references the modified packet it received and loads the XML configuration file located at “hxxp://18.139.156[.]111:83/pocw.xml”. It then executes the commands specified in the loaded XML configuration file.

Figure 2. Malware within the download server
3. Remote Control
3.1. Backdoor Account
The XML files appear to be used sequentially by the threat actor. The first type adds a backdoor account named “adminCaloX1” and executes commands that register it as an administrator account and enable RDP access. There are also commands that download and execute Frpc together with its configuration file, so that RDP access is possible even when the system is within a private network.

Figure 3. Class XML configuration files used in attacks
| List of commands |
|---|
| powershell user adminCalox Calox@2580 /add |
| net user adminCaloX1 CaloX@2580 /add |
| net localgroup Administrators adminCaloX1 /add |
| net user adminCaloX CaloX@2580 |
| net user Hell0$ /active:yes |
| net user admin /delete |
| shutdown /r /t 0 |
| net localgroup "Remote Desktop Users" "adminCaloX1" /add |
Table 1. Backdoor account registration commands used in attacks
Besides adding backdoor accounts through commands executed directly via the ActiveMQ vulnerability, the threat actor also uses the open-source tool CreateHiddenAccount. The download server [4] hosts an archive named “user.zip” containing “CreateHiddenAccount_v0.2.exe” and a batch script named “user.bat.”
The batch script uses CreateHiddenAccount to add and hide the “Hell0$” account. CreateHiddenAccount was developed by a Chinese-speaking user, and the download server also contains installation files for the Huorong security software, which suggests the possibility that the attacker is a Chinese speaker.

Figure 4. Batch script for registering a hidden account
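As an added illustration of how a defender can spot the account-manipulation sequence from Table 1 in process-creation telemetry (Sysmon event 1 or Windows event 4688 command lines), here is example Python that is not part of the original post or of any tool it names. The sample command lines are constructed from Table 1, the path of CreateHiddenAccount_v0.2.exe is an assumption, and the rule names are the author's own:

```python
import os
import re
from collections import defaultdict
from dataclasses import dataclass

# Process-creation command lines, constructed for this example from the
# commands in Table 1 plus two benign lines. The CreateHiddenAccount path is an
# assumption, not the location observed in the incident.
SAMPLE_COMMANDS = [
    "net user adminCaloX1 CaloX@2580 /add",
    "net localgroup Administrators adminCaloX1 /add",
    "net user adminCaloX CaloX@2580",
    "net user Hell0$ /active:yes",
    "net user admin /delete",
    "shutdown /r /t 0",
    'net localgroup "Remote Desktop Users" "adminCaloX1" /add',
    r"C:\Users\Public\CreateHiddenAccount_v0.2.exe",
    "net user",            # benign: lists local accounts, creates nothing
    "ipconfig /all",       # benign
]

NET_EXES = {"net", "net.exe", "net1", "net1.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    account: str
    command: str


def _tokens(cmd: str) -> list[str]:
    """Split on whitespace but keep double-quoted groups ("Remote Desktop Users") together."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def inspect_command(cmd: str) -> list[Finding]:
    """Return every backdoor-account indicator found in one command line."""
    toks = _tokens(cmd)
    if not toks:
        return []
    findings: list[Finding] = []
    exe = os.path.basename(toks[0].replace("\\", "/")).lower()
    lower = [t.lower() for t in toks]

    if "createhiddenaccount" in exe:
        # The tool hides the account it creates, so no name appears in the command line.
        findings.append(Finding("hidden_account_tool", "", cmd))

    if exe in NET_EXES and len(toks) >= 3:
        verb, name = lower[1], toks[2]
        if verb == "user":
            if "/add" in lower:
                findings.append(Finding("account_created", name, cmd))
            if "/active:yes" in lower:
                findings.append(Finding("account_activated", name, cmd))
            if "/delete" in lower:
                findings.append(Finding("account_deleted", name, cmd))
            if name.endswith("$"):
                # A trailing "$" keeps the account out of "net user" output and the logon screen.
                findings.append(Finding("hidden_style_name", name, cmd))
        elif verb == "localgroup" and "/add" in lower and len(toks) >= 4:
            group, member = lower[2], toks[3]
            if group == "administrators":
                findings.append(Finding("added_to_administrators", member, cmd))
            elif group == "remote desktop users":
                findings.append(Finding("added_to_rdp_users", member, cmd))
    return findings


def backdoor_accounts(commands: list[str]) -> list[str]:
    """Accounts that were created and then granted admin or RDP rights in the same batch."""
    rules_by_account: dict[str, set[str]] = defaultdict(set)
    for cmd in commands:
        for f in inspect_command(cmd):
            if f.account:
                rules_by_account[f.account].add(f.rule)
    return sorted(
        acct for acct, rules in rules_by_account.items()
        if "account_created" in rules
        and rules & {"added_to_administrators", "added_to_rdp_users"}
    )


if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        for f in inspect_command(cmd):
            print(f"{f.rule:26} {f.account:12} <- {f.command}")
    print("backdoor accounts:", backdoor_accounts(SAMPLE_COMMANDS))
```

The per-command rules are deliberately noisy on their own (administrators run `net user ... /add` too); the `backdoor_accounts` correlation, which requires creation plus a privilege grant from the same source in a short window, is what an alert should key on, with the `$`-suffixed name and the CreateHiddenAccount binary as separate high-confidence indicators.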
3.2. Backdoor Malware
Quasar RAT is an open-source RAT developed in .NET. Like most other RATs, it supports process, file, and registry management as well as remote command execution and file download and upload. In addition, Quasar RAT provides keylogging and account credential collection features that allow information to be stolen from user environments, and it enables real-time control over infected systems through remote desktop.
The threat actor’s download server also hosts Quasar RAT, and since its C&C server has the same address as the download server, Quasar RAT appears to be used alongside RDP for remote control.
| Settings | Data |
|---|---|
| TAG | Office04 |
| Version | 1.3.0.0 |
| C&C Servers | 18.139.156[.]111:4782 |
| Mutex | QSR_MUTEX_i32rDtGISkwcqkhvjj |
Table 2. Configuration data of Quasar RAT
4. Proxy
The threat actor exploited the ActiveMQ vulnerability to install Frpc and its configuration file using a PowerShell command. FRP (Fast Reverse Proxy) is an open-source tool written in Go that operates as a reverse proxy to expose systems located behind NAT or firewalls to the outside. FRP consists of Frpc and Frps: Frpc is installed on the system to be exposed and forwards the port of the chosen service to an external relay running Frps.
The configuration file ultimately relays port 3389 (RDP) of the infected system to the threat actor. This allows the threat actor to connect to the RDP service even when the infected system is within a private network, presumably using the backdoor accounts discussed earlier. Notably, the address that Frpc connects to is another system within Korea, suggesting that the threat actor had already compromised that system and installed Frps on it.

Figure 5. Threat actor’s Frpc configuration file
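The following Python is an added example, not the threat actor's configuration or part of the original post. It shows how an incident responder can parse a recovered frpc.ini (FRP's legacy INI layout; newer frpc releases also accept TOML/YAML, which this does not handle) and flag proxies that publish a sensitive local port such as 3389, while extracting the Frps endpoint to pivot on. The configuration text and the server address 203.0.113.10 are constructed placeholders, not indicators from this incident:

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed frpc.ini in FRP's legacy INI layout; not the file shown in Figure 5.
# 203.0.113.10 is a documentation-range placeholder, not an indicator from the incident.
SAMPLE_FRPC_INI = """
[common]
server_addr = 203.0.113.10
server_port = 7000
token = example-token

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6001

[web]
type = tcp
local_ip = 127.0.0.1
local_port = 8080
remote_port = 6002
"""

# Local ports that should never be published through a reverse proxy on a server.
SENSITIVE_PORTS = {3389: "RDP", 445: "SMB", 5985: "WinRM", 5986: "WinRM", 22: "SSH"}


@dataclass(frozen=True)
class Exposure:
    proxy_name: str          # INI section name chosen by the operator, e.g. "rdp"
    service: str             # what the local port normally serves
    local_port: int
    remote_port: Optional[int]
    frps_server: str         # host:port of the relay the proxy connects to


def parse_frpc_ini(text: str) -> configparser.ConfigParser:
    """Load the INI text; interpolation is disabled so '%' in tokens does not break parsing."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def frps_endpoint(cp: configparser.ConfigParser) -> str:
    """The relay server, the most useful pivot point for finding other compromised hosts."""
    addr = cp.get("common", "server_addr", fallback="<unknown>")
    port = cp.get("common", "server_port", fallback="7000")   # frp's default server port
    return f"{addr}:{port}"


def find_sensitive_exposures(text: str) -> list[Exposure]:
    """Return every proxy section that forwards one of SENSITIVE_PORTS to the relay."""
    cp = parse_frpc_ini(text)
    server = frps_endpoint(cp)
    found: list[Exposure] = []
    for section in cp.sections():
        if section == "common":
            continue
        local_port = cp.getint(section, "local_port", fallback=None)
        if local_port in SENSITIVE_PORTS:
            found.append(Exposure(
                proxy_name=section,
                service=SENSITIVE_PORTS[local_port],
                local_port=local_port,
                remote_port=cp.getint(section, "remote_port", fallback=None),
                frps_server=server,
            ))
    return found


if __name__ == "__main__":
    for e in find_sensitive_exposures(SAMPLE_FRPC_INI):
        print(f"[{e.proxy_name}] local {e.service}/{e.local_port} -> "
              f"{e.frps_server} remote port {e.remote_port}")
```

Beyond the port check, the `server_addr` value is the item to act on: in this case it pointed at another Korean system, so the same value in your own telemetry (outbound connections from the ActiveMQ host to that address and port) both confirms the tunnel was active and identifies a second host that needs to be examined for Frps.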
5. Mauri Ransomware
Although actual attack cases have not yet been confirmed, Mauri ransomware has been uploaded to the download server. Mauri ransomware was developed for research purposes by a developer named “mauri870”. [5] The repository also includes a note that MauriCrypt has been found being used by threat actors. Since the source code is publicly available, it is frequently abused by other threat actors; in the past, the Mimo threat group used Mauri ransomware under the name Mimus in its attacks. [6]

Figure 6. Mauri ransomware’s GitHub page
| Settings | Description |
|---|---|
| Encryption algorithm | AES-256 CTR |
| Encryption extension | .locked |
| Ransom note name | “READ_TO_DECRYPT.html”, “FILES_ENCRYPTED.html” |
| Paths excluded from encryption | “DocumentsFavorites”, “Pictures”, “Videos”, “Music”, “Favorites”, “Windows”, “bootmgr”, “$WINDOWS.~BT”, “Windows.old”, “Temp”, “tmp”, “Program Files”, “Program Files (x86)” |
| Encrypted extensions | “.zip”, “.exe”, “.sxi”, “.sti”, “.sldx”, “.sldm”, “.tar”, “.tgz”, “.gz”, “.7z”, “.rar”, “.m4u”, “.mkv”, “.sh”, “.class”, “.jar”, “.rb”, “.asp”, “.jsp”, “.ps1”, “.cmd”, “.h”, “.pas”, “.cpp”, “.cs”, “.suo”, “.sln”, “.der”, “.ips”, “.dll”, “.config”, “.lic”, “.dat”, “.xml”, “.ldb”, “.key”, “.vbs”, “.bump”, “.bat”, “.DBF”, “.json”, “.doc”, “.docx”, “.msg”, “.odtpas”, “.wpd”, “.wps”, “.txt”, “.csv”, “.pps”, “.ppt”, “.pptx”, “.aif”, “.iif”, “.m3u”, “.m4a”, “.mid”, “.mp3”, “.mpa”, “.wav”, “.wma”, “.3gp”, “.3g2”, “.avi”, “.flv”, “.m4v”, “.mov”, “.mp4”, “.mpg”, “.vob”, “.wmv”, “.3dm”, “.3ds”, “.max”, “.obj”, “.blend”, “.bmp”, “.gif”, “.png”, “.jpeg”, “.jpg”, “.psd”, “.tif”, “.gif”, “.ico”, “.ai”, “.eps”, “.ps”, “.svg”, “.pdf”, “.indd”, “.pct”, “.epub”, “.xls”, “.xlr”, “.xlsx”, “.accdb”, “.sqlite”, “.dbf”, “.mdb”, “.pdb”, “.sql”, “.db”, “.sdb”, “.dem”, “.gam”, “.nes”, “.rom”, “.sav”, “.bkp”, “.bak”, “.tmp”, “.cfg”, “.conf”, “.ini”, “.prf”, “.html”, “.php”, “.js”, “.c”, “.cc”, “.py”, “.lua”, “.go”, “.java” |
| C&C URL | hxxp://localhost:8080 |
| Threat actor’s email | telegram hxxps://t[.]me/calojohn666 |
| Coin wallet address | TQaaRDVYiAuQ6XiULvEjtvKQ2S2ickuqJF (usdt-trc20) |
Table 3. Mauri ransomware configuration created by the threat actor
Although another proxy tool might have been used, the C&C server address being localhost and the presence of Mauri’s server program on the download server suggest that it may still be in a testing stage. However, considering that several configuration values, such as the wallet address, Telegram address, and encryption settings, have already been altered by the threat actor, it cannot be ruled out that the ransomware is already being used in attacks.

Figure 7. Ransom note generated after encryption
6. Conclusion
Threat actors are continuously launching attacks against unpatched, vulnerable Apache ActiveMQ services. Among the identified attacks, some installed CoinMiners to mine cryptocurrency, and many others installed malware to control the infected system. After compromising a system, threat actors can steal data or install ransomware.
System administrators must check whether their Apache ActiveMQ service is one of the affected versions listed below and apply the latest patches to prevent attacks that exploit known vulnerabilities.
Apache ActiveMQ versions 5.18.0 – 5.18.2
Apache ActiveMQ versions 5.17.0 – 5.17.5
Apache ActiveMQ versions 5.16.0 – 5.16.6
Apache ActiveMQ versions 5.15.15 or earlier
Apache ActiveMQ Legacy OpenWire Module versions 5.18.0 – 5.18.2
Apache ActiveMQ Legacy OpenWire Module versions 5.17.0 – 5.17.5
Apache ActiveMQ Legacy OpenWire Module versions 5.16.0 – 5.16.6
Apache ActiveMQ Legacy OpenWire Module versions 5.8.0 – 5.15.15
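As an added example (not from the original post), the following Python encodes the affected ranges listed above and checks a version string, or the jar names found in an ActiveMQ lib directory, against them. The jar naming pattern and the sample directory listing are assumptions; the activemq-openwire-legacy jar is treated as the Legacy OpenWire Module and checked against that module's ranges:

```python
import re

Version = tuple[int, int, int]

# Affected ranges exactly as listed in the advisory above, inclusive on both ends.
ACTIVEMQ_AFFECTED: list[tuple[Version, Version]] = [
    ((5, 18, 0), (5, 18, 2)),
    ((5, 17, 0), (5, 17, 5)),
    ((5, 16, 0), (5, 16, 6)),
    ((0, 0, 0), (5, 15, 15)),     # "5.15.15 or earlier"
]
LEGACY_OPENWIRE_AFFECTED: list[tuple[Version, Version]] = [
    ((5, 18, 0), (5, 18, 2)),
    ((5, 17, 0), (5, 17, 5)),
    ((5, 16, 0), (5, 16, 6)),
    ((5, 8, 0), (5, 15, 15)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Assumed jar naming convention: activemq-<artifact>-<x.y.z>.jar
_JAR_RE = re.compile(r"^(activemq-(?:all|client|broker|openwire-legacy))-(\d+\.\d+\.\d+)\.jar$")

# Constructed lib/ listing for the demonstration; not taken from a real host.
SAMPLE_LIB_LISTING = [
    "activemq-all-5.18.2.jar",
    "activemq-openwire-legacy-5.18.2.jar",
    "slf4j-api-1.7.36.jar",
    "log4j-core.jar",
]


def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from a version string or file name."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(version, legacy_openwire_module: bool = False) -> bool:
    """True if the version falls in any affected range for the chosen component."""
    v = parse_version(version) if isinstance(version, str) else version
    ranges = LEGACY_OPENWIRE_AFFECTED if legacy_openwire_module else ACTIVEMQ_AFFECTED
    return any(lo <= v <= hi for lo, hi in ranges)


def audit_lib_dir(filenames: list[str]) -> list[tuple[str, str, bool]]:
    """(jar, version, vulnerable) for each ActiveMQ jar that carries a version."""
    results = []
    for name in sorted(filenames):
        m = _JAR_RE.match(name)
        if not m:
            continue
        artifact, ver = m.group(1), m.group(2)
        legacy = artifact == "activemq-openwire-legacy"
        results.append((name, ver, is_vulnerable(ver, legacy_openwire_module=legacy)))
    return results


if __name__ == "__main__":
    for jar, ver, vuln in audit_lib_dir(SAMPLE_LIB_LISTING):
        print(f"{jar:40} {ver:8} {'VULNERABLE' if vuln else 'ok'}")
```

Run `audit_lib_dir` over `os.listdir()` of the broker's lib directory; a hit on either artifact means the host must be patched and, given how quickly this vulnerability was exploited, checked for the indicators above (new local accounts, Frpc, Quasar RAT) before assuming it is clean.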
System administrators should also use security products such as firewalls for servers accessible from outside to restrict access by attackers. Lastly, V3 should be updated to the latest version to block malware infections in advance.