Hackers Deploy DripDropper via Apache ActiveMQ Flaw, Patch Systems to Evade Detection

Red Canary researchers have observed hackers exploiting a 2-year-old Apache ActiveMQ vulnerability, tracked as CVE-2023-46604 (CVSS score of 10.0), to gain persistence on cloud Linux systems and deploy DripDropper malware. What's unique about this attack is that the attackers patched the flaw post-exploit to block rivals and evade detection.

Apache ActiveMQ is open-source message broker software that serves as a message-oriented middleware (MOM) platform, providing messaging and communication capabilities to various applications. It is developed by the Apache Software Foundation and written in Java. In the intrusions Red Canary observed, attackers compromised exposed ActiveMQ instances and used tools like Sliver and Cloudflare Tunnels to maintain long-term access.

In one case, they altered SSH settings to allow root logins, giving them full control over the system. They then deployed a new malware downloader dubbed DripDropper, adding another layer of persistence to their attack. This malware is packaged as an encrypted PyInstaller ELF that requires a password to run, making analysis harder.

DripDropper connects to a Dropbox account via a hardcoded token and drops two malicious files. The first varies in behavior, such as process monitoring or fetching more commands, and persists by altering cron jobs. The second, with a random name, also contacts Dropbox and often tampers with SSH configs, enabling persistent access through low-privilege system accounts such as games.

Exactly how much data is exchanged between the two malicious files remains unknown. However, it's clear that DripDropper is a stealthy Linux malware that requires a password to run, making it harder for security researchers to analyze and track its behavior.
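The SSH tampering described above (root login enabled, a system account such as games turned into a usable login) is something a defender can audit from two files. The script below is an added example written for this article, not code from Red Canary or from the malware; it parses sshd_config and passwd content and returns findings. The sample contents, the UID cut-off of 999 for system accounts and the list of non-login shells are assumptions for the demo, so adjust them to your distribution.

```python
"""Audit sshd_config and passwd content for the SSH persistence changes
described in the article: PermitRootLogin enabled, system accounts given an
interactive shell, and AllowUsers granting SSH to such accounts.
All sample data below is constructed for the demo."""
import os
import re

# Constructed sample: an sshd_config after tampering.
SAMPLE_SSHD_CONFIG = """\
# managed by configuration management
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowUsers deploy games
"""

# Constructed sample: passwd lines where 'games' has been given a login shell.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}  # assumption
SYSTEM_UID_MAX = 999  # assumption: conventional system-account range on Debian/RHEL


def parse_sshd_config(text):
    """Return {keyword_lower: [values...]} for every effective (non-comment) line.
    Duplicates are kept so an audit sees each value that was set."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return settings


def system_accounts_with_shell(passwd_text):
    """Names of non-root accounts in the system UID range whose shell is interactive."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than crash the audit
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if name != "root" and uid <= SYSTEM_UID_MAX and shell not in NOLOGIN_SHELLS:
            found.append(name)
    return found


def audit(sshd_text, passwd_text):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    findings = []
    cfg = parse_sshd_config(sshd_text)
    for value in cfg.get("permitrootlogin", []):
        if value.lower() == "yes":
            findings.append("PermitRootLogin yes: direct root SSH login enabled")
    shell_accounts = set(system_accounts_with_shell(passwd_text))
    for acct in sorted(shell_accounts):
        findings.append(f"system account '{acct}' has an interactive shell")
    for value in cfg.get("allowusers", []):
        for user in value.split():
            if user in shell_accounts:
                findings.append(f"AllowUsers grants SSH to system account '{user}'")
    return sorted(findings)


if __name__ == "__main__":
    # On a real host read the live files; otherwise fall back to the samples.
    sshd_path, passwd_path = "/etc/ssh/sshd_config", "/etc/passwd"
    if os.path.exists(sshd_path) and os.path.exists(passwd_path):
        with open(sshd_path) as f, open(passwd_path) as g:
            results = audit(f.read(), g.read())
    else:
        results = audit(SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD)
    print("\n".join(results) or "no findings")
```

Run it from a cron job or a configuration-management check and diff the output against the last known-good run; a new finding on a host that had none is a better signal than the raw list, because many fleets legitimately set some of these values.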

The Clever Trick: Patching the Vulnerability

What makes this attack particularly clever is how the attackers patched the vulnerability themselves. They used curl to download two ActiveMQ JAR files from repo1[.]maven[.]org, a domain belonging to Apache Maven. These two JAR files constitute a legitimate patch for CVE-2023-46604.

By deleting the existing JAR files and replacing them, the attackers effectively patched the already compromised system. This move is likely intended to reduce detection via common methods, such as vulnerability scanners, and to make it harder for defenders to spot the attack.
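Because the attackers installed a genuine patch, a vulnerability scanner that reads version strings will report the host as fixed. The check a defender wants is whether the JARs on disk are the ones that were deployed, which requires a baseline recorded at deployment time. The script below is an added example, not Red Canary's tooling or anything from the ActiveMQ project; it records SHA-256 hashes of a lib directory and reports JARs that were modified, added or removed. The JAR names and contents in the demo are constructed placeholders, not the files the article refers to.

```python
"""Compare the JARs in an ActiveMQ lib directory against a recorded baseline
of SHA-256 hashes so that a quietly swapped JAR is reported even when its
version string looks patched.  The demo directory built by build_demo() uses
constructed file names and contents."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream the file so large JARs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_baseline(lib_dir):
    """Snapshot {jar_name: sha256} at deployment time; store it off the host."""
    return {p.name: sha256_file(p) for p in Path(lib_dir).glob("*.jar")}


def compare_to_baseline(lib_dir, baseline):
    """Return {'modified': [...], 'added': [...], 'missing': [...]} JAR names."""
    current = record_baseline(lib_dir)
    return {
        "modified": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def build_demo():
    """Create a throwaway lib dir, record its baseline, then overwrite two JARs
    to mimic the replacement described in the article.  Returns (dir, baseline)."""
    lib_dir = tempfile.mkdtemp(prefix="demo-lib-")
    for name in ("broker-example-1.jar", "broker-example-2.jar", "unchanged-example.jar"):
        Path(lib_dir, name).write_bytes(b"original deployed build of " + name.encode())
    baseline = record_baseline(lib_dir)
    # Constructed replacement contents standing in for the downloaded JARs.
    Path(lib_dir, "broker-example-1.jar").write_bytes(b"replacement build A")
    Path(lib_dir, "broker-example-2.jar").write_bytes(b"replacement build B")
    return lib_dir, baseline


if __name__ == "__main__":
    demo_dir, demo_baseline = build_demo()
    for category, names in compare_to_baseline(demo_dir, demo_baseline).items():
        print(f"{category}: {names or '-'}")
```

Pair the hash comparison with your change records: a JAR that changed without a corresponding deployment is the finding, regardless of whether the new file is a legitimate upstream build.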

The Impact of Patching

According to Red Canary, patching the vulnerability does not disrupt the attackers' operations, as they have already established other persistence mechanisms. This highlights the importance of keeping software up-to-date and monitoring for potential security breaches.

Rapid7 researchers also reported suspected exploitation attempts of the CVE-2023-46604 flaw to deploy HelloKitty ransomware in two different customer environments. Trustwave researchers observed a surge in attacks exploiting the same flaw in January 2024, often aimed at delivering malicious code that borrows from the open-source web shell Godzilla.

A Call to Action

Red Canary concludes that securing cloud and *NIX-based environments demands a multi-layered approach. This includes regular software updates, monitoring for potential security breaches, and implementing robust security measures to detect and prevent attacks like this one.

As the threat landscape continues to evolve, it's essential for organizations to stay vigilant and proactive in defending against sophisticated attacks like DripDropper. By staying informed and taking steps to secure their systems, they can reduce the risk of falling victim to these types of breaches.
