    Apache ActiveMQ vulnerability exploited in new Godzilla Web Shell attack

    By techempire

    Report | January 22, 2024 | Editorial Department | Vulnerabilities/Malware

    Cybersecurity researchers have warned of a “significant increase” in activity from threat actors actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on infected hosts.

    “The web shell hides in an unknown binary format and is designed to evade security and signature-based scanners,” Trustwave said. “It is worth noting that despite the unknown binary file format, ActiveMQ’s JSP engine continues to compile and execute the web shell.”

    CVE-2023-46604 (CVSS score: 10.0) refers to a critical vulnerability in Apache ActiveMQ that enables remote code execution. Since its public disclosure in late October 2023, it has been actively exploited by multiple adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.


    In the latest set of intrusions observed by Trustwave, vulnerable instances have been targeted with JSP-based web shells implanted in the “admin” folder of the ActiveMQ installation directory.

    This web shell, called Godzilla, is a feature-rich backdoor capable of parsing inbound HTTP POST requests, executing the content and returning the results as an HTTP response.

    “What makes these malicious files particularly noteworthy is that the JSP code appears to be hidden in an unknown type of binary file,” said security researcher Rodel Mendrez. “This method has the potential to bypass security measures and evade detection by security endpoints during scanning.”

    Close examination of the attack chain shows that the web shell code is converted to Java code before being executed by the Jetty Servlet engine.
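As an added example (not from Trustwave or the original article), the Python sketch below flags JSP files under an ActiveMQ admin folder whose content is mostly non-text bytes yet still contains JSP tags, which is the pattern described above. The directory argument, the 10% threshold, the function names and the two sample files are assumptions constructed for illustration.

```python
import os
import tempfile

JSP_EXTS = (".jsp", ".jspx")
# Printable ASCII plus tab, LF and CR count as text; everything else as binary.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def binary_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII and common whitespace."""
    if not data:
        return 0.0
    return sum(b not in TEXT_BYTES for b in data) / len(data)

def scan_admin_dir(admin_dir, threshold=0.10):
    """Return sorted (path, ratio) for JSP files that look binary but hold JSP tags."""
    hits = []
    for root, _dirs, files in os.walk(admin_dir):
        for name in files:
            if not name.lower().endswith(JSP_EXTS):
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            ratio = binary_ratio(data)
            # A normal JSP is text; binary content plus a "<%" tag is the anomaly.
            if ratio >= threshold and b"<%" in data:
                hits.append((path, round(ratio, 2)))
    return sorted(hits)

def build_sample(admin_dir):
    """Write two constructed files: a plain JSP and a binary-wrapped one."""
    with open(os.path.join(admin_dir, "index.jsp"), "wb") as fh:
        fh.write(b"<html><body><%= request.getServerName() %></body></html>\n")
    blob = bytes(range(256))  # stand-in for the unknown binary wrapper
    with open(os.path.join(admin_dir, "wrapped.jsp"), "wb") as fh:
        fh.write(blob * 2 + b'<% out.print("test"); %>' + blob)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, ratio in scan_admin_dir(tmp):
            print(f"suspicious: {path} (non-text ratio {ratio})")
```

A legitimate JSP with a large share of non-ASCII text can also cross the threshold, so any hit is best compared against the same file from a known-good ActiveMQ distribution of the same version.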


    The JSP payload ultimately allows the threat actor to connect to the web shell through the Godzilla administrative user interface and gain full control over the target host, making it possible to execute arbitrary shell commands, view network information, and perform file management operations.

    Apache ActiveMQ users are strongly recommended to update to the latest version as soon as possible to mitigate potential threats.
