CVE-2023-46604 is a critical Remote Code Execution (RCE) vulnerability in Apache ActiveMQ. A remote attacker who can reach a broker's OpenWire listener (TCP port 61616 by default) can run arbitrary commands on the broker host, because the OpenWire protocol handler deserializes attacker-controlled class names from the wire and instantiates them without validation.
The vulnerability is exploited by sending crafted OpenWire commands that make the broker fetch and load a malicious XML configuration file from an attacker-controlled server. Once exploited, it allows attackers to execute commands, create backdoors, and deploy various malware, including CoinMiners, Mauri ransomware, and remote-control tooling such as FRP (Fast Reverse Proxy). FRP tunnels traffic from the compromised broker to hosts on the internal network, bypassing perimeter restrictions. Attackers also rely on backdoor accounts created with automated scripts and tools such as CreateHiddenAccount to maintain long-term access.
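The following is an added example, not code from the original article or from the Apache ActiveMQ project. It shows two checks a defender can run against the exploitation pattern described above: a scanner over a captured OpenWire byte stream that flags ExceptionResponse frames carrying a class name that is not a Throwable together with an http(s) URL (the remote XML configuration load), and a version check against the releases that carry the fix (5.15.16, 5.16.7, 5.17.6 and 5.18.3). Assumptions: the frame layout (4-byte big-endian size, 1-byte command type, marshalled body) and the ExceptionResponse type code 31 are taken from the OpenWire wire format; string extraction is a printable-run heuristic rather than a full OpenWire unmarshaller; the sample stream, the class name org.example.RemoteConfigLoader and the URL http://198.51.100.7/poc.xml are constructed test data.

```python
import re
import struct

# OpenWire command type code for ExceptionResponse (assumed from the OpenWire
# wire format; this scanner does not implement the full marshalling rules).
EXCEPTION_RESPONSE = 31

PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
CLASS_RE = re.compile(r"\b(?:[a-z_]\w*\.){2,}[A-Z]\w*\b")   # dotted Java class name
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def split_frames(data: bytes):
    """Yield (command_type, body) for each length-prefixed frame in a stream.

    Assumed layout: 4-byte big-endian size, then a 1-byte command type, then
    the marshalled command. Truncated data raises instead of being skipped.
    """
    off = 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError(f"truncated frame header at offset {off}")
        (size,) = struct.unpack(">I", data[off:off + 4])
        frame = data[off + 4:off + 4 + size]
        if size == 0 or len(frame) != size:
            raise ValueError(f"truncated or empty frame at offset {off}")
        yield frame[0], frame[1:]
        off += 4 + size


def looks_like_throwable(class_name: str) -> bool:
    """A legitimate ExceptionResponse names a Throwable subclass."""
    return class_name.endswith(("Exception", "Error", "Throwable"))


def inspect_frame(cmd_type: int, body: bytes):
    """Return a finding for an ExceptionResponse whose class name is not a
    Throwable and whose message carries an http(s) URL (remote XML load);
    return None for everything else."""
    if cmd_type != EXCEPTION_RESPONSE:
        return None
    strings = [m.group(0).decode("ascii") for m in PRINTABLE_RE.finditer(body)]
    classes = [c for s in strings if "://" not in s for c in CLASS_RE.findall(s)]
    urls = [u for s in strings for u in URL_RE.findall(s)]
    suspicious = [c for c in classes if not looks_like_throwable(c)]
    if suspicious and urls:
        return {"class_name": suspicious[0], "url": urls[0]}
    return None


def scan_stream(data: bytes):
    """Scan a captured OpenWire byte stream and return all findings."""
    findings = []
    for cmd_type, body in split_frames(data):
        finding = inspect_frame(cmd_type, body)
        if finding:
            findings.append(finding)
    return findings


def is_fixed(version: str) -> bool:
    """True if an ActiveMQ Classic version carries the CVE-2023-46604 fix."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    fixed_patch = {(5, 15): 16, (5, 16): 7, (5, 17): 6, (5, 18): 3}
    if (major, minor) in fixed_patch:
        return patch >= fixed_patch[(major, minor)]
    return (major, minor) > (5, 18)   # older 5.x lines never received the fix


def build_frame(cmd_type: int, *fields: bytes) -> bytes:
    """Constructed test frame: type byte, a fixed header stand-in, then
    2-byte length-prefixed strings. Not a real OpenWire marshaller."""
    body = bytes([cmd_type]) + b"\x00\x00\x00\x01\x00"
    for field in fields:
        body += struct.pack(">H", len(field)) + field
    return struct.pack(">I", len(body)) + body


# Constructed sample stream: one benign frame (type 3), one genuine
# exception response, and one frame matching the exploitation pattern.
SAMPLE_STREAM = (
    build_frame(3, b"ID:broker-1")
    + build_frame(EXCEPTION_RESPONSE, b"java.lang.IllegalStateException",
                  b"broker unavailable")
    + build_frame(EXCEPTION_RESPONSE, b"org.example.RemoteConfigLoader",
                  b"http://198.51.100.7/poc.xml")
)

if __name__ == "__main__":
    for f in scan_stream(SAMPLE_STREAM):
        print(f"suspicious ExceptionResponse: {f['class_name']} -> {f['url']}")
    for v in ("5.18.2", "5.18.3", "5.14.5"):
        print(v, "fixed" if is_fixed(v) else "VULNERABLE")
```

The class-name heuristic deliberately does not depend on a specific gadget class, so it also catches variants that swap in a different non-Throwable class; the cost is that a message string containing a URL inside a genuine exception will not trip it unless the class name is also wrong, which keeps false positives low on busy brokers.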
Threat actors additionally deploy Quasar RAT, an open-source remote access tool, for keylogging, file access, and remote desktop control. Its embedded configuration specifies the C&C server (18.139.156[.]111:4782) and a mutex name used to prevent multiple instances. Mauri ransomware, although initially developed for research purposes, has been identified on the download servers used in these attacks. It encrypts files with AES-256 in CTR mode, drops ransom notes, and targets a wide range of file types while excluding system-critical paths so the host remains bootable. Attackers also use proxy tools such as FRP to expose internal services, including RDP, to external access.