Threat Actors Exploit Two-Year-Old Apache ActiveMQ Flaw to Deploy DripDropper Malware on Linux Systems

Cybersecurity researchers from Red Canary have observed threat actors exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy a previously unknown malware downloader called DripDropper.
In an unusual twist, the attackers patched the very vulnerability they exploited to prevent other malicious actors from leveraging it, allowing them to maintain stealthy long-term access.
ActiveMQ Vulnerability Under Heavy Exploitation
The exploited flaw, tracked as CVE-2023-46604 with a CVSS score of 10.0, is a remote code execution vulnerability in the broker's OpenWire protocol handling: by manipulating serialized class types, a remote attacker with network access to the broker can make it instantiate any class on its classpath, which in practice yields arbitrary shell command execution. Apache addressed it in October 2023 in ActiveMQ 5.15.16, 5.16.7, 5.17.6 and 5.18.3, but multiple threat actors continue to exploit unpatched brokers to deploy malware, including:
- HelloKitty ransomware
- Linux rootkits
- GoTitan botnet malware
- Godzilla web shell
DripDropper: A Stealthy Downloader
Once access is obtained, the attackers modify sshd configurations to enable root login, granting elevated privileges and the ability to drop DripDropper, a PyInstaller ELF binary.
Key features of DripDropper include:
- Requires a password to execute, making analysis harder
- Communicates with attacker-controlled Dropbox accounts to fetch commands and payloads
- Drops two files: one for process monitoring and Dropbox communication, the other for SSH configuration changes to maintain persistence
Persistence and Defense Evasion
DripDropper achieves persistence by modifying the 0anacron file in /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly.
The second file contacts Dropbox for instructions and alters SSH configurations as a backup access mechanism. Finally, the attackers download patched Apache ActiveMQ libraries from Apache Maven and replace the vulnerable ones, remediating CVE-2023-46604 on the compromised host and preventing other threat actors from exploiting the same vulnerability.
“Patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms for continued access,” Red Canary researchers said.
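The two host-level indicators described in this section, sshd reconfigured to permit root login and the 0anacron scripts under the cron.* directories carrying extra commands, can be checked with a short audit. The script below is an added example, not Red Canary's tooling or anything from the report; it reads from in-memory strings so it runs offline, the sshd_config and 0anacron samples are constructed, and the list of "suspicious" cron commands is an assumption of what does not belong in a stock anacron wrapper.

```python
"""Audit a Linux host for the two persistence indicators described above:
sshd switched to permit root login, and 0anacron files in the cron.*
directories that run something other than anacron.  Added example; the
sample inputs are constructed stand-ins for the real files."""
import re
from typing import Dict, Iterator, List, Tuple

CRON_DIRS = ("/etc/cron.hourly", "/etc/cron.daily",
             "/etc/cron.weekly", "/etc/cron.monthly")

# Assumption: a stock 0anacron only checks timestamps and invokes anacron.
# Fetching, decoding, interpreters and scratch directories do not belong there.
SUSPICIOUS_CRON = re.compile(
    r"\b(curl|wget|base64|python\d?(\.\d+)?|perl|nohup|setsid)\b"
    r"|/tmp/|/dev/shm/|/var/tmp/",
    re.IGNORECASE)


def _directives(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (lineno, keyword, value) for each non-comment sshd_config line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield lineno, parts[0].lower(), parts[1].strip()


def audit_sshd_config(text: str) -> List[str]:
    """Flag PermitRootLogin / PasswordAuthentication being switched on.

    Outside Match blocks sshd honours the *first* occurrence of a keyword,
    so an attacker has to edit or prepend the existing line rather than
    append one.  We report the effective value and, separately, duplicate
    settings, which are themselves a sign the file was tampered with."""
    findings: List[str] = []
    seen: Dict[str, List[Tuple[int, str]]] = {}
    for lineno, key, value in _directives(text):
        seen.setdefault(key, []).append((lineno, value))
    for key in ("permitrootlogin", "passwordauthentication"):
        occurrences = seen.get(key, [])
        if not occurrences:
            continue
        first_line, effective = occurrences[0]
        if effective.lower() == "yes":
            findings.append(f"line {first_line}: {key} {effective} is in effect")
        if len(occurrences) > 1:
            lines = ", ".join(str(n) for n, _ in occurrences)
            findings.append(f"{key} set {len(occurrences)} times (lines {lines})")
    return findings


def audit_cron_files(files: Dict[str, str]) -> List[str]:
    """files maps a 0anacron path to its contents (read from disk in practice).
    Returns one finding per suspicious non-comment line."""
    findings: List[str] = []
    for path, text in files.items():
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if SUSPICIOUS_CRON.search(line):
                findings.append(f"{path}:{lineno}: {line}")
    return findings


def audit_host(sshd_config: str, cron_files: Dict[str, str]) -> Dict[str, List[str]]:
    return {"sshd": audit_sshd_config(sshd_config),
            "cron": audit_cron_files(cron_files)}


# Constructed samples: a tampered sshd_config (root login enabled by prepending
# a directive in front of the original "no") and one tampered 0anacron.
SAMPLE_SSHD = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
"""
SAMPLE_CRON = {f"{d}/0anacron": "#!/bin/sh\n/usr/sbin/anacron -s\n" for d in CRON_DIRS}
SAMPLE_CRON["/etc/cron.daily/0anacron"] += (
    "nohup python3 /tmp/.cache/loader.py >/dev/null 2>&1 &\n")

if __name__ == "__main__":
    for section, items in audit_host(SAMPLE_SSHD, SAMPLE_CRON).items():
        for item in items:
            print(f"[{section}] {item}")
```

On a real host, feed it the contents of /etc/ssh/sshd_config (plus any files pulled in by Include) and the four 0anacron files; comparing the cron scripts against the package manager's copy (rpm -V cronie, or debsums) is the stricter check, since the regex only catches the patterns assumed above.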
A Rare but Growing Technique
While uncommon, patching an exploited vulnerability to block competitors has been observed previously. France’s national cybersecurity agency ANSSI reported a similar tactic last month by a China-linked initial access broker.
Security Recommendations
This campaign underscores the need for organizations to:
- Apply patches promptly to prevent exploitation of known flaws
- Restrict access to internal services such as the ActiveMQ broker (OpenWire listens on TCP 61616 by default) to allow-listed IP ranges or a VPN
- Monitor cloud logs for anomalous activity to detect suspicious behavior early
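"Apply patches promptly" starts with knowing whether a broker is still on a vulnerable release. The following added example (not Apache's tooling) decides that from an ActiveMQ Classic version string, using the fixed releases Apache published for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3) and treating branches older than 5.15, which received no fix, as vulnerable; the helper that pulls a version out of a JAR filename and the sample filenames are assumptions for illustration.

```python
"""Check an Apache ActiveMQ Classic version against the CVE-2023-46604 fixed
releases.  Added example; the JAR names below are constructed."""
import re
from typing import List, Optional, Tuple

# Fixed release per maintained branch at the time of the advisory.
FIXED = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7),
         (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}

# Assumption: library names look like activemq-broker-5.18.2.jar.
JAR_NAME = re.compile(r"^activemq-[a-z-]+-(\d+\.\d+\.\d+)\.jar$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """'5.18.2', '5.18.2-SNAPSHOT' or '5.18' -> (5, 18, 2) / (5, 18, 0)."""
    core = version.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return (parts + (0, 0, 0))[:3]


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Branches before 5.15 never got a fix; everything newer than the
    # maintained 5.x lines (e.g. 6.x) shipped after the fix.
    return v < (5, 15, 0)


def version_from_jar_name(name: str) -> Optional[str]:
    m = JAR_NAME.match(name)
    return m.group(1) if m else None


def vulnerable_jars(names: List[str]) -> List[str]:
    """Return the JAR names whose embedded version is still vulnerable."""
    out = []
    for name in names:
        version = version_from_jar_name(name)
        if version is not None and is_vulnerable(version):
            out.append(name)
    return out


# Constructed listing of a broker's lib directory.
SAMPLE_LIB = ["activemq-broker-5.18.2.jar", "activemq-client-5.18.2.jar",
              "activemq-openwire-legacy-5.18.2.jar", "slf4j-api-1.7.36.jar"]

if __name__ == "__main__":
    for name in vulnerable_jars(SAMPLE_LIB):
        print(f"VULNERABLE: {name}")
```

Run it over `ls $ACTIVEMQ_HOME/lib` on each broker; because the campaign above quietly swaps in fixed JARs, a host that reports clean today should be cross-checked against your own change records, not taken as proof it was never exploited.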
Source: thehackernews.com