Threat actors are increasingly exploiting a recently patched flaw in the Apache ActiveMQ message broker to deliver the Godzilla web shell on targeted hosts, according to a new report from Trustwave.
The targeted vulnerability is CVE-2023-46604, a deserialization-of-untrusted-data flaw in the OpenWire protocol. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system. The bug was publicly disclosed in late October 2023 with proof-of-concept (PoC) code made available, which led to multiple exploitation attempts by threat actors aiming to deliver crypto-miners, rootkits, ransomware, and remote access trojans.
In the latest attack observed by Trustwave, vulnerable hosts have been targeted by JSP-based web shells hidden within the ‘admin’ folder of the ActiveMQ installation directory.
“The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners. Notably, despite the binary's unknown file format, ActiveMQ's JSP engine continues to compile and execute the web shell,” the researchers noted.
The web shell, dubbed ‘Godzilla,’ is capable of viewing network details, conducting port scans, executing Mimikatz commands, running Meterpreter commands, executing shell commands, remotely managing SQL databases, injecting shellcode into processes, and handling file management tasks.
“Interestingly, the Jetty JSP engine, which is the integrated web server in Apache ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated in the unknown binary. Further examination of the Java code generated by Jetty showed that the web shell code was converted into Java code and therefore was executed,” Trustwave said, noting that the tactic of hiding code within an unknown binary has the potential to bypass security measures, evading detection by security endpoints during scanning.
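The detection idea that follows from the report is to look for JSP scriptlet markers inside files in the ActiveMQ `admin` webapp that are otherwise mostly non-text bytes, since a legitimate JSP page is almost entirely printable. The scanner below is an added example written for this write-up, not Trustwave's tooling; the directory layout, the printable-byte threshold and the list of suspicious Java calls are assumptions.

```python
"""Flag JSP code hidden inside binary-looking files under an ActiveMQ admin webapp.
Added example; thresholds and markers are assumptions, not Trustwave's detection logic."""
import os
import re
import string
from dataclasses import dataclass

# JSP directive/scriptlet delimiters plus Java calls a web shell typically needs
# to load or execute attacker-supplied code. Any of these inside mostly-binary
# content in a webapp directory is worth a closer look.
JSP_MARKERS = (b"<%@", b"<%", b"%>")
SUSPICIOUS_JAVA = re.compile(
    rb"(defineClass|Runtime\.getRuntime|ProcessBuilder|Cipher\.getInstance|getClassLoader)"
)
PRINTABLE = set(string.printable.encode())


@dataclass
class Finding:
    path: str
    printable_ratio: float
    markers: list
    java_hits: list


def analyze_bytes(data: bytes, path: str = "<memory>"):
    """Return a Finding when JSP scriptlets sit inside binary-looking content, else None."""
    if not data:
        return None
    ratio = sum(1 for b in data if b in PRINTABLE) / len(data)
    markers = [m.decode() for m in JSP_MARKERS if m in data]
    java_hits = sorted({m.decode() for m in SUSPICIOUS_JAVA.findall(data)})
    # A normal JSP page is nearly all text; scriptlets wrapped in opaque
    # binary padding match the concealment described in the report.
    if "<%" in markers and "%>" in markers and (ratio < 0.9 or java_hits):
        return Finding(path, round(ratio, 3), markers, java_hits)
    return None


def scan_admin_dir(root: str):
    """Walk an ActiveMQ admin webapp directory (assumed path) and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                finding = analyze_bytes(fh.read(), full)
            if finding:
                findings.append(finding)
    return findings


# Constructed samples (not real artifacts): a scriptlet padded with non-text
# bytes on both sides, and an ordinary text-only JSP page for comparison.
SAMPLE_HIDDEN = (bytes(range(0, 32)) * 4
                 + b'<%@ page import="java.util.*"%><% Object o = getClass().getClassLoader(); %>'
                 + bytes(range(128, 256)))
SAMPLE_CLEAN = b'<%@ page contentType="text/html" %><html><body>Queues</body></html>'
```

Running `scan_admin_dir` over the webapp path and alerting on any `Finding` gives a file-based signal that does not depend on recognising the wrapper format itself.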