Executive Summary
A critical remote code execution (RCE) vulnerability in Apache ActiveMQ is being actively exploited to deliver DripDropper, a sophisticated malware designed for persistent access and stealthy operations on cloud systems. The vulnerability, identified as CVE-2023-46604, allows unauthenticated attackers to execute arbitrary shell commands. In a notable tactic, the attackers patch the vulnerability after exploitation to prevent other threat actors from using it and to cover their tracks.
Background on DripDropper
DripDropper serves as a specialized downloader within a broader attack framework that also employs other command-and-control (C2) tools like the open-source adversary simulation framework Sliver and Cloudflare Tunnels for long-term covert access. A key feature of the malware is its anti-analysis design; the ELF binary requires a specific password to execute, which complicates automated sandbox analysis. Once active, it drops two distinct malicious files. The first performs variable tasks like process monitoring, while the second, which has a randomly generated name, establishes a secondary C2 channel via Dropbox and creates a backup persistence mechanism by altering the SSH configuration for a non-standard user account.
Vulnerability Details
- CVE-ID: CVE-2023-46604
- CVSS Score: 10.0 (Critical)
- EPSS Score: 99.98%
- Vulnerability Type: Remote Code Execution (RCE)
- Affected Versions: Apache ActiveMQ versions before 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
- Impacted Systems: Any system running a vulnerable version of Apache ActiveMQ.
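Checking an inventory against the fixed releases listed above is a per-branch comparison, not a single "greater than" test. The following is an added example, not code from the advisory or from the ActiveMQ project; it assumes that branches newer than 5.18 already carry the fix, in line with the "5.18.3 or later" guidance given under mitigation.

```python
# Added example (not from the advisory): classify an Apache ActiveMQ version
# string against the fixed releases the advisory lists for CVE-2023-46604.
import re
from typing import Tuple

# Fixed release per maintained 5.x branch, as listed in the advisory.
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.18.2' or '5.17.5-SNAPSHOT' into a comparable integer tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version: str) -> bool:
    """True if this ActiveMQ version predates the fix on its release branch.

    Assumption (not stated on the page): branches newer than 5.18 already
    carry the fix, matching the advisory's '5.18.3 or later' guidance.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Older branches (e.g. 5.14.x) never received a fix: vulnerable.
    # Newer branches (post-5.18) ship with the fix: not vulnerable.
    return branch < (5, 15)

def triage(versions):
    """Map each version string to a verdict for a hunting report."""
    return {v: ("VULNERABLE" if is_vulnerable(v) else "patched") for v in versions}

if __name__ == "__main__":
    # Constructed sample inventory, not data from the page.
    sample = ["5.14.5", "5.15.15", "5.15.16", "5.17.6", "5.18.2", "5.18.3"]
    for ver, verdict in triage(sample).items():
        print(f"{ver:10s} {verdict}")
```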
Infection Method
The DripDropper malware attack chain involves the following steps:
- Initial Access: Attackers scan for and identify publicly exposed, unpatched Apache ActiveMQ instances.
- Exploitation: The attackers exploit the CVE-2023-46604 vulnerability to gain initial access.
- Persistence and Privilege Escalation: The attackers modify the SSH configuration to allow root login, gaining elevated privileges and ensuring persistent access.
- Malware Deployment: A downloader, dubbed “DripDropper”, is deployed on the compromised system.
- Post-Exploitation Patching: The attackers download and apply the official patch for CVE-2023-46604 to prevent further exploitation and hide their entry point.
Malware Behavior and Capabilities
DripDropper exhibits several advanced features:
- Stealth: The malware is packaged as an encrypted PyInstaller ELF binary, making it difficult to analyze.
- Command and Control (C2): DripDropper uses a legitimate service, Dropbox, for C2 communications, which helps it blend in with normal network traffic.
- Persistence: The malware establishes long-term access by modifying cron jobs and SSH configurations.
- Downloader Functionality: DripDropper acts as a downloader for additional malicious payloads.
Techniques and Tactics
| TTP ID | Technique Name | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | The initial entry point is the exploitation of the CVE-2023-46604 vulnerability in Apache ActiveMQ. |
| T1059 | Command and Scripting Interpreter | The vulnerability allows the execution of arbitrary shell commands. |
| T1543 | Create or Modify System Process | DripDropper modifies cron jobs to ensure its persistence. |
| T1070 | Indicator Removal on Host | The attackers patch the vulnerability post-exploitation to remove the initial indicator of compromise. |
| T1071 | Application Layer Protocol | The malware uses Dropbox for C2 communications. |
| T1098 | Account Manipulation | The attackers modify SSH configurations to allow root login. |
IOCs (Indicators of Compromise)
- Domains:
  - repo1.maven.org (used to download the patch)
Threat Actor Attribution
While the specific threat actor behind the DripDropper campaign remains unattributed, the critical vulnerability in Apache ActiveMQ (CVE-2023-46604) has become a popular entry vector for a diverse range of malicious operations since its disclosure. The ease of exploitation has attracted multiple threat actors, from cryptominers to ransomware gangs, who have adapted it for their own objectives.
Notable malware campaigns leveraging this vulnerability include:
Godzilla Web Shell: Other threat actors have been observed exploiting the vulnerability to drop the Godzilla web shell. This provides them with persistent, backdoor access to the compromised server, which can then be used for command execution, data theft, or as a staging point for further attacks within the network.
HelloKitty and RansomHub Ransomware: The HelloKitty ransomware gang was one of the initial groups observed exploiting this flaw. After the gang’s infrastructure was dismantled, affiliates, including the emerging RansomHub group, repurposed the exploit and source code. They use the vulnerability to gain initial access to target networks, ultimately deploying their ransomware to encrypt files and extort victims.
TellYouThePass Ransomware: This ransomware variant, which previously targeted Log4j vulnerabilities, was updated to incorporate an exploit for CVE-2023-46604. Attackers deploy it against both Windows and Linux systems, using the vulnerability for initial access before encrypting the victim’s data.
H2Miner Botnet: This cryptomining botnet uses the ActiveMQ vulnerability to compromise servers. Once inside, it disables other miners, terminates security services, and deploys a Monero (XMRig) miner to steal the victim’s computing resources for financial gain.
Impact
- Remote System Takeover: The vulnerability allows for complete control of the affected system.
- Data Exfiltration: Once compromised, the system can be used to steal sensitive data.
- Lateral Movement: The compromised system can be used as a pivot point to move laterally within the network.
- Deployment of Additional Malware: DripDropper can be used to download and execute other malware, such as ransomware.
Visual: DripDropper Attack Flow
[Attacker] -> [Exploit Apache ActiveMQ (CVE-2023-46604)] -> [Modify SSH for Root Login] -> [Deploy DripDropper] -> [C2 Communication (Dropbox)] -> [Download & Apply Patch]
Mitigation Steps
- Patch ActiveMQ: Immediately upgrade Apache ActiveMQ to a patched version (5.15.16, 5.16.7, 5.17.6, 5.18.3, or later).
- Restrict Access: If patching is not immediately possible, restrict access to the ActiveMQ service to trusted IP addresses or a VPN.
- Threat Hunting:
  - Monitor for any unusual network traffic, especially communications with cloud storage services like Dropbox.
  - Check for modifications to SSH configurations and cron jobs.
  - Review logs for any signs of exploitation, such as unexpected Java processes or shell commands.
- IOC Monitoring: Monitor for any known IOCs associated with this campaign.
- EDR/WAF Deployment: Use an Endpoint Detection and Response (EDR) solution and a Web Application Firewall (WAF) to detect and block malicious activity.
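The persistence steps described under Infection Method (SSH configuration changed to allow root login, settings scoped to a non-standard account, cron-based persistence) and the threat-hunting checks above can be turned into a small offline audit. The following is an added example, not code from the advisory or from any vendor tool; the set of accounts expected to have their own SSH block and the sample configuration and crontab lines are constructed assumptions.

```python
# Added example (not from the advisory): audit sshd_config text and crontab
# lines for the persistence signs the advisory describes: root login enabled,
# SSH settings scoped to an unexpected user, and cron entries that pull
# payloads from the network or talk to Dropbox. Input is plain text so it
# runs offline against copied files.
import re

# Assumed baseline: accounts for which a per-user 'Match' block is expected.
EXPECTED_MATCH_USERS = {"deploy", "backup"}

def audit_sshd_config(text: str):
    """Return a list of (directive, reason) findings from sshd_config text."""
    findings = []
    in_match = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = value                    # later directives are scoped
            m = re.match(r"user\s+(\S+)", value, re.IGNORECASE)
            if m and m.group(1) not in EXPECTED_MATCH_USERS:
                findings.append((line, "SSH block scoped to unexpected user"))
        elif key == "permitrootlogin" and value.lower() == "yes":
            scope = f" inside 'Match {in_match}'" if in_match else ""
            findings.append((line, f"root login enabled{scope}"))
    return findings

DOWNLOADER = re.compile(r"\b(curl|wget)\b.*https?://", re.IGNORECASE)

def audit_crontab(text: str):
    """Flag cron entries that fetch from the network or reference Dropbox."""
    findings = []
    for line in text.splitlines():
        cmd = line.strip()
        if not cmd or cmd.startswith("#"):
            continue
        if "dropbox" in cmd.lower():
            findings.append((cmd, "cron entry talks to Dropbox (C2 channel in this campaign)"))
        elif DOWNLOADER.search(cmd):
            findings.append((cmd, "cron entry downloads from the network"))
    return findings

if __name__ == "__main__":
    # Constructed samples, not artefacts from the page.
    SSHD = "PermitRootLogin no\nMatch User svc_tmp\n    PermitRootLogin yes\n"
    CRON = "0 * * * * /usr/bin/find /tmp -mtime +7 -delete\n@reboot /opt/dropbox-sync/run.sh\n"
    for item in audit_sshd_config(SSHD) + audit_crontab(CRON):
        print(item)
```

Run it against copies of `/etc/ssh/sshd_config` (including any drop-in files it includes) and each user's crontab; a root-login override nested under a `Match` block is exactly the kind of change a quick `grep PermitRootLogin` at the top of the file can miss.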
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.