Cybersecurity researchers are warning of a significant rise in threat actor activity exploiting a recently patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.
New Godzilla Web Shell Attacks
“The web shells are hidden within an undisclosed binary format, crafted to elude security and signature-based scanners,” Trustwave stated. “Remarkably, despite the unfamiliar file format, ActiveMQ’s JSP engine persists in compiling and executing the web shell.”
CVE-2023-46604 (CVSS score: 10.0) is a critical remote code execution vulnerability in Apache ActiveMQ caused by unsafe deserialization of OpenWire protocol commands. Since its public disclosure in late October 2023, malicious actors have actively exploited it to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.
In the most recent intrusion set identified by Trustwave, vulnerable instances are being implanted with JSP-based web shells dropped into the “admin” folder of the ActiveMQ installation directory, which is the document root of the broker’s built-in web console.
The web shell, known as Godzilla, is a feature-rich backdoor that parses incoming HTTP POST requests, executes their content, and returns the results in the HTTP response.
Security researcher Rodel Mendrez highlighted the significance of these malicious files, noting, “What sets these files apart is the apparent concealment of JSP code within an unknown binary format. This method has the potential to bypass security measures, eluding detection by security endpoints during scanning.”
A closer look at the attack chain shows that the JSP source is translated into Java and compiled into a servlet before the Jetty servlet engine executes it. Because a JSP compiler treats everything outside JSP elements as template text to be written to the response, the binary junk surrounding the scriptlets does not stop compilation; only the code between the JSP tags matters.
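The hiding technique described above suggests a simple host-side hunt: look for JSP scriptlets, and shell-like Java inside them, in any file under the admin web root, regardless of how much non-text data surrounds the code. The following scanner is an added example written for this page, not Trustwave's or Apache's code. It assumes the admin console lives under webapps/admin, and the indicator list and the sample "update.jsp" file name are constructed for the demonstration.

```python
"""Hunt for JSP web shells hidden inside non-text ("binary") files under an
ActiveMQ admin web root.  Added example; the indicator list is a heuristic."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# A JSP scriptlet, expression, declaration or directive.  The JSP compiler
# compiles these into the generated servlet no matter what bytes surround
# them in the file, so the scan ignores file extension and "file type".
SCRIPTLET_RE = re.compile(rb"<%[!=@]?(?P<body>[\s\S]*?)%>")

# Java constructs typical of web shells such as Godzilla: reflective class
# loading and execution of request-supplied data.  Assumed list, not exhaustive.
INDICATORS = (
    b"defineClass", b"ClassLoader", b"Runtime.getRuntime", b"ProcessBuilder",
    b"request.getParameter", b"request.getInputStream", b"Cipher.getInstance",
)

# Printable ASCII plus tab/newline/CR count as "text"; everything else does not.
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass
class Finding:
    path: str
    binary_ratio: float        # share of bytes outside printable ASCII/whitespace
    indicators: List[str]      # which shell indicators appeared inside scriptlets
    wrapped_in_binary: bool    # JSP code surrounded by mostly non-text bytes


def binary_ratio(data: bytes) -> float:
    """Fraction of bytes that are not printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(b not in TEXT_BYTES for b in data) / len(data)


def analyze_bytes(data: bytes) -> Tuple[List[str], float]:
    """Return (sorted indicators found inside scriptlet bodies, binary ratio)."""
    hits = set()
    for m in SCRIPTLET_RE.finditer(data):
        body = m.group("body")
        hits.update(i.decode() for i in INDICATORS if i in body)
    return sorted(hits), binary_ratio(data)


def scan_dir(root: str, ratio_threshold: float = 0.30) -> List[Finding]:
    """Walk root (e.g. <activemq>/webapps/admin) and report every file whose
    scriptlets carry shell indicators.  Extension is deliberately ignored."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits, ratio = analyze_bytes(data)
            if hits:
                findings.append(Finding(path, round(ratio, 3), hits,
                                        ratio >= ratio_threshold))
    return findings


# Constructed samples: a stock-looking console page, a Godzilla-style class
# loader embedded in binary junk, and an unrelated image file.
BENIGN_JSP = b"""<%@ page contentType="text/html" %>
<html><body><h2>Queues</h2>
<c:forEach items="${requestContext.brokerQuery.queues}" var="row">
  <td>${row.name}</td></c:forEach></body></html>
"""

SHELL_JSP_CORE = (
    b"<%! class U extends ClassLoader { U(ClassLoader c){super(c);} "
    b"public Class g(byte[] b){return super.defineClass(b,0,b.length);} } %>"
    b"<% String k=request.getParameter(\"pass\"); "
    b"if(k!=null){ new U(this.getClass().getClassLoader()).g(k.getBytes()); } %>"
)
# Surround the JSP with junk so the file no longer looks like text.
WRAPPED_SHELL = bytes(range(256)) * 4 + SHELL_JSP_CORE + bytes(range(255, -1, -1)) * 4

PLAIN_BINARY = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 8


def demo() -> List[Finding]:
    """Write the samples into a temporary 'webapps/admin' tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        admin = os.path.join(tmp, "webapps", "admin")
        for name, body in (("queues.jsp", BENIGN_JSP),
                           ("update.jsp", WRAPPED_SHELL),
                           ("images/logo.png", PLAIN_BINARY)):
            path = os.path.join(admin, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_dir(admin)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Run it against a real install as `scan_dir("/opt/activemq/webapps/admin")`; the `wrapped_in_binary` flag separates files of the kind Trustwave describes from plain-text JSP drops, which the same indicators also catch. Stock console pages use JSTL rather than reflective class loading, so they should not trip the indicator list, but treat any hit as a lead to inspect, not as proof.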
The JSP payload ultimately lets the threat actor connect to the web shell from the Godzilla management user interface and take complete control of the target host: executing arbitrary shell commands, viewing network information, and managing files.
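Operator traffic of the kind described above leaves a recognisable trace in the console's access log: repeated POST requests to a JSP under /admin/ that a stock console never serves. The hunt below is an added example, not Trustwave's or Apache's code; the Jetty NCSA log lines are constructed, and the stock-page allowlist is an assumption that you should regenerate from a pristine copy of webapps/admin for your own version.

```python
"""Hunt Jetty NCSA access logs for Godzilla-style operator traffic against
the ActiveMQ admin console: repeated successful POSTs to a JSP under /admin/
that is not part of the stock console.  Added example, not project code."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Common/NCSA log format as written by Jetty's request log.
NCSA_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# JSPs that ship with the stock admin console (assumed baseline; build yours
# with `ls webapps/admin/*.jsp` on a clean install of the same version).
STOCK_ADMIN_JSPS = frozenset({
    "index.jsp", "queues.jsp", "topics.jsp", "subscribers.jsp", "connections.jsp",
    "network.jsp", "scheduled.jsp", "send.jsp", "browse.jsp", "message.jsp",
})


def parse(line: str) -> Optional[dict]:
    """Split one NCSA line into its fields, or None if it does not parse."""
    m = NCSA_RE.match(line)
    return m.groupdict() if m else None


def is_shell_candidate(req: dict) -> bool:
    """True for a successful POST to a non-stock JSP under /admin/."""
    path = req["path"].split("?", 1)[0]
    if not path.startswith("/admin/"):
        return False
    if not path.lower().endswith((".jsp", ".jspx")):
        return False
    if req["method"] != "POST" or int(req["status"]) >= 400:
        return False
    return path.rsplit("/", 1)[-1] not in STOCK_ADMIN_JSPS


def hunt(lines: List[str], min_hits: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Group candidate requests by (client IP, JSP path); keep repeat offenders.
    Returns {(ip, path): [timestamps]} for pairs seen at least min_hits times."""
    seen = defaultdict(list)
    for line in lines:
        req = parse(line)
        if req and is_shell_candidate(req):
            seen[(req["ip"], req["path"].split("?", 1)[0])].append(req["ts"])
    return {k: v for k, v in seen.items() if len(v) >= min_hits}


# Constructed log excerpt: normal console use from 192.0.2.10, an operator
# driving a dropped update.jsp from 198.51.100.7, and one failed probe.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Jan/2024:10:15:02 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Jan/2024:10:15:09 +0000] "POST /admin/send.jsp HTTP/1.1" 302 0 "http://broker:8161/admin/send.jsp" "Mozilla/5.0"
198.51.100.7 - - [23/Jan/2024:10:20:41 +0000] "POST /admin/update.jsp HTTP/1.1" 200 1423 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jan/2024:10:20:43 +0000] "POST /admin/update.jsp HTTP/1.1" 200 8871 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jan/2024:10:20:50 +0000] "POST /admin/update.jsp?x=1 HTTP/1.1" 200 644 "-" "Mozilla/5.0"
203.0.113.5 - - [23/Jan/2024:10:30:00 +0000] "POST /admin/whatever.jsp HTTP/1.1" 404 0 "-" "curl/8.4"
"""


if __name__ == "__main__":
    for (ip, path), stamps in hunt(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} -> {path}: {len(stamps)} POSTs, first at {stamps[0]}")
```

Godzilla sessions are long-lived and chatty, so the repeat threshold suppresses one-off probes while still surfacing an operator; pair a hit here with the file scan of the admin web root to confirm what the JSP actually contains.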
Users of Apache ActiveMQ are strongly advised to update promptly to a fixed release (5.15.16, 5.16.7, 5.17.6, or 5.18.3 or later) and, on any instance that was exposed while vulnerable, to review the admin web root for JSP files that are not part of the shipped console.