Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604)

2023-11-27 Ahnlab

https://asec.ahnlab.com/en/59318/


ASEC reports that the Andariel group is suspected of exploiting CVE-2023-46604, an unauthenticated remote code execution flaw in Apache ActiveMQ's OpenWire protocol handling that lets a remote attacker have the broker instantiate an arbitrary class and run code, to install malware on targeted systems. The observed activity delivered the NukeSped and TigerRat backdoors; follow-on commands downloaded additional payloads and executed malicious scripts. The report places the activity in Andariel's broader targeting of South Korean organizations and its history of gaining initial access through vulnerability exploitation (Log4Shell, TeamCity, and exposed MS-SQL servers) as well as spear phishing, watering-hole, and supply-chain attacks.

Indicators of Compromise

Hash values are MD5 digests (32 hex characters); IPv4 values are the command-and-control addresses contacted by the observed malware.

Type  Value                             First Seen  Last Seen
HASH  c2f8c9bb7df688d0a7030a96314bb493  2023-11-10  2024-07-25
HASH  7699ba4eab5837a4ad9d5d6bbedffc18  2023-11-17  2023-11-27
HASH  11ec319e9984a71d80df1302fe77332d  2023-11-17  2023-11-27
HASH  c55eb07ef4c07e5ba63f7f0797dfd536  2023-11-17  2023-11-27
HASH  31cbc75319ea60f45eb114c2faad21f9  2023-11-17  2023-11-27
HASH  478dcb54e0a610a160a079656b9582de  2023-11-17  2023-11-27
HASH  dc9d60ce5b3d071942be126ed733bfb8  2023-11-17  2023-11-27
HASH  beb219abe2ba5e9fd7d51a178ac2caca  2023-11-17  2023-11-27
HASH  26ff72b0b85e764400724e442c164046  2023-11-17  2023-11-27
HASH  4eead95202e6a0e4936f681fd5579582  2023-11-17  2023-11-27
HASH  160f7d2307bbc0e8a1b6ac03b8715e4f  2023-11-17  2023-11-27
IPv4  206.166.251.186                   2023-11-17  2023-11-27
IPv4  137.175.17.172                    2023-11-17  2023-11-27
IPv4  27.102.114.215                    2023-11-17  2023-11-27
IPv4  137.175.17.221                    2023-11-17  2023-11-27
IPv4  168.100.9.154                     2023-11-17  2023-11-27
IPv4  176.105.255.60                    2023-11-17  2023-11-27
IPv4  27.102.128.152                    2023-11-10  2023-11-27
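The indicators above are only useful once they are matched against telemetry. The following is an added example, not code from the ASEC report: it parses the IOC table into hash and IP sets, scans a handful of constructed proxy and Sysmon-style log lines (hypothetical hosts and timestamps) for any listed MD5 or C2 address, and checks an ActiveMQ version string against the releases that fix CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6 and 5.18.3 per the Apache advisory). The log format and the sample lines are assumptions for illustration.

```python
"""Added example (not code from the ASEC report): match the IOCs listed above
against constructed log lines and check an ActiveMQ version string against
the fixed releases for CVE-2023-46604."""
import re

# IOC values copied from the table above: MD5 file hashes and C2 IPv4 addresses.
IOC_TABLE = """\
HASH c2f8c9bb7df688d0a7030a96314bb493
HASH 7699ba4eab5837a4ad9d5d6bbedffc18
HASH 11ec319e9984a71d80df1302fe77332d
HASH c55eb07ef4c07e5ba63f7f0797dfd536
HASH 31cbc75319ea60f45eb114c2faad21f9
HASH 478dcb54e0a610a160a079656b9582de
HASH dc9d60ce5b3d071942be126ed733bfb8
HASH beb219abe2ba5e9fd7d51a178ac2caca
HASH 26ff72b0b85e764400724e442c164046
HASH 4eead95202e6a0e4936f681fd5579582
HASH 160f7d2307bbc0e8a1b6ac03b8715e4f
IPv4 206.166.251.186
IPv4 137.175.17.172
IPv4 27.102.114.215
IPv4 137.175.17.221
IPv4 168.100.9.154
IPv4 176.105.255.60
IPv4 27.102.128.152
"""

# Constructed sample log lines (hypothetical hosts and timestamps): one proxy
# connection to a listed C2 and one Sysmon process-creation event with a listed MD5.
SAMPLE_LOGS = [
    "2023-11-17T03:12:44Z proxy src=10.0.5.21 dst=206.166.251.186:443 action=ALLOW",
    "2023-11-17T03:13:02Z sysmon ProcessCreate Image=C:\\Windows\\Temp\\svc.exe "
    "Hashes=MD5=7699BA4EAB5837A4AD9D5D6BBEDFFC18",
    "2023-11-17T03:15:10Z proxy src=10.0.5.21 dst=8.8.8.8:53 action=ALLOW",
    "2023-11-17T03:16:40Z sysmon ProcessCreate Image=C:\\Windows\\System32\\notepad.exe "
    "Hashes=MD5=00000000000000000000000000000000",
]

MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_iocs(text):
    """Return (md5_set, ipv4_set) from 'TYPE VALUE ...' lines; hashes lower-cased."""
    hashes, ips = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kind, value = parts[0], parts[1]
        if kind == "HASH":
            hashes.add(value.lower())
        elif kind == "IPv4":
            ips.add(value)
    return hashes, ips


def scan_logs(lines, hashes, ips):
    """Return [(line_no, ioc_type, value)] for every listed IOC seen in the lines.

    Hashes are compared case-insensitively (Sysmon emits upper-case MD5s);
    IPv4 matching is exact, so 10.0.5.21 cannot collide with a listed address.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for h in MD5_RE.findall(line):
            if h.lower() in hashes:
                hits.append((n, "HASH", h.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((n, "IPv4", ip))
    return hits


# Fixed releases named in the Apache advisory for CVE-2023-46604, keyed by branch.
FIXED_RELEASES = {
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIXED = (5, 15, 16)  # every release below this (5.15.x and older) is affected


def activemq_vulnerable(version):
    """True if an ActiveMQ version string (e.g. '5.18.2') predates its fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v < OLDEST_FIXED:
        return True
    fixed = FIXED_RELEASES.get(v[:2])
    return fixed is not None and v < fixed


if __name__ == "__main__":
    md5s, c2s = parse_iocs(IOC_TABLE)
    for line_no, kind, value in scan_logs(SAMPLE_LOGS, md5s, c2s):
        print(f"line {line_no}: {kind} {value}")
    for ver in ("5.15.15", "5.17.6", "5.18.2", "6.0.0"):
        print(ver, "vulnerable" if activemq_vulnerable(ver) else "fixed")
```

Matching on the file hash alone will miss recompiled samples, so treat the C2 addresses and the ActiveMQ version check as the more durable signals; a broker at a version the function reports as vulnerable with port 61616 reachable from untrusted networks should be patched before hunting for the hashes.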

Related Actors

Andariel (first seen: Jul 2017, last seen: May 2026)
