Cyber Web Spider Blog – News
Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems

Posted on August 19, 2025 by CWS

Aug 19, 2025 | Ravie Lakshmanan | Linux / Malware
Threat actors are exploiting an almost two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called DripDropper.
But in an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access, in order to prevent further exploitation by other adversaries and to evade detection, Red Canary said in a report shared with The Hacker News.
"Follow-on adversary command-and-control (C2) tools varied by endpoint and included Sliver, and Cloudflare Tunnels to maintain covert command and control over the long term," researchers Christina Johns, Chris Brook, and Tyler Edmonds said.
The attacks exploit a maximum-severity security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0), a remote code execution vulnerability that could be exploited to run arbitrary shell commands. It was addressed in late October 2023.

The security defect has since come under heavy exploitation, with multiple threat actors leveraging it to deploy a wide range of payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and the Godzilla web shell.
In the attack activity detected by Red Canary, the threat actors were observed leveraging the access to modify existing sshd configurations to permit root login, granting them elevated access to drop a previously unknown downloader dubbed DripDropper.
A PyInstaller Executable and Linkable Format (ELF) binary, DripDropper requires a password to run in a bid to resist analysis. It also communicated with an attacker-controlled Dropbox account, once again illustrating how threat actors are increasingly relying on legitimate services to blend in with regular network activity and sidestep detection.
The downloader ultimately serves as a conduit for two files, one of which facilitates a varied set of actions on different endpoints, ranging from process monitoring to contacting Dropbox for further instructions. Persistence of the dropped file is achieved by modifying the 0anacron file present in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly directories.

The second file dropped by DripDropper is also designed to contact Dropbox to receive commands, while additionally altering existing configuration files related to SSH, likely as a backup mechanism for persistent access. The final stage involves the attacker downloading patches for CVE-2023-46604 from Apache Maven, effectively plugging the flaw.
"Patching the vulnerability doesn't disrupt their operations as they already established other persistence mechanisms for continued access," the researchers said.
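A defender-side audit for the two host changes described above, an sshd configuration that permits root login and tampered 0anacron files in the cron directories, added here as an example; it is not code from Red Canary or The Hacker News. The digests in BASELINE are placeholders and are assumed to be filled in from a known-clean host of the same distribution.

```python
import hashlib
import os

ANACRON_DIRS = ["/etc/cron.hourly", "/etc/cron.daily",
                "/etc/cron.weekly", "/etc/cron.monthly"]
# Assumption: replace the placeholders with sha256 digests of 0anacron taken
# from a known-clean host running the same distribution and package version.
BASELINE = {os.path.join(d, "0anacron"): "<sha256 from clean host>"
            for d in ANACRON_DIRS}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sshd_root_login_findings(config_text):
    """sshd honours the first PermitRootLogin set outside a Match block and
    ignores later duplicates, so only that effective value is reported."""
    effective, in_match = None, False
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)   # drop comments
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True   # every line below applies conditionally
        elif key == "permitrootlogin" and not in_match and effective is None:
            effective = value
    if effective == "yes":
        return ["sshd: PermitRootLogin yes (root password login allowed)"]
    return []


def anacron_findings(files, baseline):
    """files maps path -> bytes; flag 0anacron files whose digest differs
    from the baseline or that exist where the baseline has none."""
    findings = []
    for path, content in files.items():
        expected = baseline.get(path)
        if expected is None:
            findings.append(f"{path}: unexpected 0anacron file")
        elif sha256_hex(content) != expected:
            findings.append(f"{path}: 0anacron differs from baseline")
    return findings


if __name__ == "__main__":
    with open("/etc/ssh/sshd_config") as fh:
        findings = sshd_root_login_findings(fh.read())
    files = {p: open(p, "rb").read() for p in BASELINE if os.path.isfile(p)}
    findings += anacron_findings(files, BASELINE)
    print("\n".join(findings) or "no findings")
```

The parser reads only the main sshd_config and does not follow Include drop-ins; `sshd -T` prints the fully resolved configuration when that matters.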

While certainly unusual, the technique isn't new. Last month, France's national cybersecurity agency ANSSI detailed a China-nexus initial access broker employing the same method to secure access to systems, prevent other threat actors from using the flaws to get in, and mask the initial access vector used in the first place.
The campaign offers a timely reminder of why organizations need to apply patches promptly, restrict access to internal services by configuring ingress rules to trusted IP addresses or VPNs, and monitor logging for cloud environments to flag anomalous activity.
