Today > | 1 Medium vulnerabilities   -   You can now download lists of IOCs here!

Malware Targets Message Queuing Services Applications

June 6, 2024, 7:09 p.m.

Description

The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs lateral movement, and communicates through an IRC command-and-control server. The malware can be used for cryptocurrency mining and launching distributed denial-of-service attacks. The report also analyzes the prevalence of vulnerable RocketMQ instances worldwide and provides recommendations for securing cloud-native environments.

Date

Published: June 6, 2024, 6:44 p.m.

Created: June 6, 2024, 6:44 p.m.

Modified: June 6, 2024, 7:09 p.m.

Indicators

a7bf3c031ab66265ce724fc26c8f7565442a098b06b01ea8871f13179d168713

1f9cda58cea6c8dd07879df3e985499b18523747482e8f7acd6b4b3a82116957

176c57e3fa7da2fb2afcd18242b79e5881c2244f5ab836897d4846885f1bd993

9e28f942262805b5fb59f46568fed53fd4b7dbf6faf666bedaf6ff22dd416572

86947b00a3d61b82b6f752876404953ff3c39952f2b261988baf63fbbbd6d6ae

6730eb04edf45d590939d7ba36ca0d4f1d2f28a2692151e3c631e9f2d3612893

91.200.43.22

94.224.82.40

89.36.76.42

91.148.224.34

89.36.76.38

54.36.49.151

51.79.19.53

194.59.165.52

161.35.219.184

139.180.185.248

139.159.192.50

138.197.78.18

p.findmeatthe.top

p.deutschland-zahlung.eu

p.de-zahlung.eu

Attack Patterns

Muhstik

T1567

T1189

T1199

T1105

T1071

T1543

T1055

T1036

T1592

T1195

T1562

T1190

T1059

CVE-2023-33246