Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)
While monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) has discovered an attack case in which the group is believed to have exploited the Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware.
The Andariel threat group usually targets South Korean companies and institutions, and it is known to be either cooperating with the Lazarus threat group or a subgroup of Lazarus. Its attacks against South Korea were first identified in 2008, and its main targets include national defense, political organizations, shipbuilding, energy, and telecommunications. Other South Korean companies and institutions that have been targeted include universities, logistics companies, and ICT companies. [1] (This link is only available in Korean.)
The Andariel threat group has long employed spear phishing, watering hole, and supply chain attacks [2]. Recently, cases have been identified in which the group exploits the Log4Shell vulnerability [3], …
IoC