{
  "name": "Malware Targets Message Queuing Services Applications",
  "slug": "malware-targets-message-queuing-services-applications",
  "description": "The report describes a recent campaign targeting Apache RocketMQ platforms, in which attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the affected systems. The attackers then downloaded and executed the Muhstik malware, which establishes persistence, evades detection, performs lateral movement, and communicates with an IRC command-and-control server. The malware can be used for cryptocurrency mining and for launching distributed denial-of-service attacks. The report also analyzes the prevalence of vulnerable RocketMQ instances worldwide and provides recommendations for securing cloud-native environments.",
  "published": "2024-06-06T16:44:26+00:00",
  "created_at": "2024-06-06T16:44:26+00:00",
  "modified_at": "2024-06-06T17:09:52+00:00",
  "created_at_opencti": "2024-06-06T16:44:26+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-06",
    "CVE-2023-33246",
    "apache",
    "cryptocurrency",
    "evasion",
    "irc",
    "lateral",
    "muhstik",
    "persistence",
    "rocketmq",
    "vulnerability"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.200.43.22"
      },
      {
        "id": "",
        "name": "94.224.82.40"
      },
      {
        "id": "",
        "name": "89.36.76.42"
      },
      {
        "id": "",
        "name": "91.148.224.34"
      },
      {
        "id": "",
        "name": "89.36.76.38"
      },
      {
        "id": "",
        "name": "54.36.49.151"
      },
      {
        "id": "",
        "name": "51.79.19.53"
      },
      {
        "id": "",
        "name": "194.59.165.52"
      },
      {
        "id": "",
        "name": "161.35.219.184"
      },
      {
        "id": "",
        "name": "139.180.185.248"
      },
      {
        "id": "",
        "name": "139.159.192.50"
      },
      {
        "id": "",
        "name": "138.197.78.18"
      },
      {
        "id": "",
        "name": "p.findmeatthe.top"
      },
      {
        "id": "",
        "name": "p.deutschland-zahlung.eu"
      },
      {
        "id": "",
        "name": "p.de-zahlung.eu"
      },
      {
        "id": "",
        "name": "a7bf3c031ab66265ce724fc26c8f7565442a098b06b01ea8871f13179d168713"
      },
      {
        "id": "",
        "name": "1f9cda58cea6c8dd07879df3e985499b18523747482e8f7acd6b4b3a82116957"
      },
      {
        "id": "",
        "name": "176c57e3fa7da2fb2afcd18242b79e5881c2244f5ab836897d4846885f1bd993"
      },
      {
        "id": "",
        "name": "9e28f942262805b5fb59f46568fed53fd4b7dbf6faf666bedaf6ff22dd416572"
      },
      {
        "id": "",
        "name": "86947b00a3d61b82b6f752876404953ff3c39952f2b261988baf63fbbbd6d6ae"
      },
      {
        "id": "",
        "name": "6730eb04edf45d590939d7ba36ca0d4f1d2f28a2692151e3c631e9f2d3612893"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:c6350d87d1a45702",
        "name": "Muhstik",
        "slug": "muhstik"
      }
    ],
    "attack_patterns": [
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "fe6f2946-a01e-460c-9636-8c48b45dd0e6",
        "name": "T1189"
      },
      {
        "id": "8598a502-2b24-4c8a-8ec3-45179f49e5b7",
        "name": "T1199"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "af9ed2e3-4663-4723-beab-c606ddc312e0",
        "name": "T1543"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "29f7ff93-033b-4f8d-8691-5bcaa438c80f",
        "name": "T1592"
      },
      {
        "id": "358e04b8-6f65-48b2-a24b-f101bfc6671a",
        "name": "T1195"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2023-33246"
      }
    ]
  },
  "external_refs": [
    "https://www.aquasec.com/blog/muhstik-malware-targets-message-queuing-services-applications/",
    "https://otx.alienvault.com/pulse/6662038a011ff863c55d507d"
  ]
}