  • T8-24-02-M-NE-CDL
  • JNDI Injection RCE + Backdoor (with ARCANUS Tool)

    This attack combines T2-24-02-S-N-CL and T5-24-02-S-E-DL; two logs are collected: a pcap and an XML log.

    1. The attacker runs a JNDI server to deliver malicious responses
    2. The victim, which runs a vulnerable version of the Apache Kafka software, forwards LDAP queries to that server
    3. The Backdoor is downloaded and executed through the RCE vulnerability
    4. A Reverse Shell is established and commands are executed through the Backdoor malware

    The T2-24-02-S-N-CL attack leverages a JNDI injection vulnerability in the Apache Kafka software to allow attackers to download and execute the Backdoor malware via remote command. The Backdoor malware causes the program to establish a Reverse Shell session and execute arbitrary commands.
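    Added defensive example (not code from the dataset or from the ARCANUS tool): correlating the victim's outbound connections to reconstruct the chain above from a pcap-derived connection log. It assumes flow records of the form "time src dst dport", the set of LDAP ports, the 100 s correlation window, and every port in the constructed sample; only the two host addresses come from the page.

```python
from typing import Dict, List, Optional, Tuple

VICTIM = "192.168.56.120"       # Apache Druid host, from the page
LDAP_PORTS = {389, 636, 1389}   # assumed ports a JNDI/LDAP server listens on
WINDOW_S = 100.0                # assumed window; the page's program runtime is 100 s

Flow = Tuple[float, str, str, int]  # (seconds since capture start, src, dst, dport)

def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse 'time src dst dport' records; blanks and '#' comments are skipped."""
    flows: List[Flow] = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        t, src, dst, dport = line.split()
        flows.append((float(t), src, dst, int(dport)))
    return sorted(flows)

def find_jndi_chain(flows: List[Flow]) -> Optional[Dict]:
    """Flag the victim opening an LDAP connection to some host (the JNDI lookup the
    injected reference forces) followed, within WINDOW_S, by further connections
    from the victim to that same host (backdoor download, reverse shell)."""
    for i, (t0, src, dst, dport) in enumerate(flows):
        if src != VICTIM or dport not in LDAP_PORTS:
            continue
        follow_on = [p for (t, s, d, p) in flows[i + 1:]
                     if s == VICTIM and d == dst and p not in LDAP_PORTS
                     and t - t0 <= WINDOW_S]
        if follow_on:
            return {"jndi_server": dst, "ldap_port": dport, "follow_on_ports": follow_on}
    return None

# Constructed sample using the scenario's addressing (attacker 192.168.56.1);
# all ports below are assumptions, not values from the dataset.
SAMPLE = """
# t    src             dst             dport
0.0    192.168.56.1    192.168.56.120  8888   # attacker's request carrying the JNDI reference
1.5    192.168.56.120  192.168.56.1    1389   # victim's LDAP lookup to the attacker's JNDI server
3.2    192.168.56.120  192.168.56.1    8000   # backdoor download
4.0    192.168.56.120  192.168.56.1    4444   # reverse shell connecting back
""".splitlines()

if __name__ == "__main__":
    print(find_jndi_chain(parse_flows(SAMPLE)))
```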

  • Role      OS            IP              Software              Log collection time   Program runtime
    Attacker  Windows 11    192.168.56.1    -                     60 sec                100 sec
    Victim    Ubuntu 22.04  192.168.56.120  Apache Druid 25.0.0

  • Installing
  • python3 -m pip install -r requirements.txt

  • Using
  • python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion
    Credential Discovery Lateral Movement Collection Command and Control Exfiltration Impact

  • Logs
  • ./log/2024_02_T8_{time}.pcap # YYmmdd_HHMMSS
    ./log/2024_02_T8_{time}.xml # YYmmdd_HHMMSS


  • Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.