Malware Targets Message Queuing Services Applications
June 6, 2024, 7:09 p.m.
Description
The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs lateral movement, and communicates through an IRC command-and-control server. The malware can be used for cryptocurrency mining and launching distributed denial-of-service attacks. The report also analyzes the prevalence of vulnerable RocketMQ instances worldwide and provides recommendations for securing cloud-native environments.
Date
- Created: June 6, 2024, 6:44 p.m.
- Published: June 6, 2024, 6:44 p.m.
- Modified: June 6, 2024, 7:09 p.m.
Indicators
Attack Patterns
- Muhstik
- T1567
- T1189
- T1199
- T1105
- T1071
- T1543
- T1055
- T1036
- T1592
- T1195
- T1562
- T1190
- T1059