Apache ActiveMQ Vulnerability Leads to Stealthy Godzilla Webshell

Trustwave SpiderLabs reports a surge in attacks exploiting CVE-2023-46604 in Apache ActiveMQ to drop a Godzilla web shell as a JSP payload. The JSP is wrapped in an unknown binary format that evades signature-based scanners, yet the JSP engine behind the Jetty-hosted admin console still compiles and runs it, giving the attacker a feature-rich web shell on the broker host. #GodzillaWebshell #ActiveMQ #OpenWire #CVE-2023-46604 #Trustwave #SpiderLabs #Jetty #Mimikatz #Meterpreter #ApacheActiveMQ

Keypoints

  • Increased malicious activity targeting CVE-2023-46604 in Apache ActiveMQ, with PoC exploits circulating since Oct 2023 and deployments including crypto-miners, rootkits, ransomware, and remote access trojans.
  • A suspicious JSP file dropped into the ActiveMQ admin webapp directory is wrapped in an unknown binary format (beginning with an 'FLR' magic header) so that signature-based scanners do not recognise it as a web shell.
  • The JSP engine behind the Jetty-hosted console treats the binary prefix as template text, compiles the embedded scriptlets to Java, and executes them server-side, so the wrapper hides the shell without breaking it.
  • The payload delivers the Godzilla Webshell, enabling the threat actor to import a full management interface and perform extensive post-exploitation activities.
  • Godzilla capabilities include network discovery, port scanning, credential dumping (Mimikatz), Meterpreter commands, shell execution, SQL DB management, process injection, and file management.
  • Affected ActiveMQ versions are listed with recommended upgrades to fixed releases (5.15.16, 5.16.7, 5.17.6, or 5.18.3), including the legacy OpenWire module. Upgrading closes the entry point but does not remove a shell that has already been dropped, so the admin webapp directory should also be checked for unexpected JSP files.
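The two checks above, as an added example that is not code from the Trustwave report or from the ActiveMQ project: `activemq_affected()` decides whether a broker version string falls in an affected range, using only the fixed releases listed, and `find_wrapped_jsp()` walks a webapp directory for JSP files that carry the 'FLR' magic header, control bytes before the first JSP tag, or the class-loader strings from the Godzilla YARA rule. The files it scans are constructed in a temporary directory and contain no real shell code; the byte-level heuristics are this example's assumptions, not the report's detection logic.

```python
import re
import tempfile
from pathlib import Path

# Fixed releases named in the advisory: 5.15.16, 5.16.7, 5.17.6, 5.18.3.
# Everything before 5.15.16 is affected; the 5.16/5.17/5.18 branches are
# affected below their fix release.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

def parse_version(text):
    """'5.18.2', 'apache-activemq-5.17.6' or '5.16.7-SNAPSHOT' -> (major, minor, patch)."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def activemq_affected(version):
    """True if this broker version lies in an affected range for CVE-2023-46604."""
    v = parse_version(version)
    if v[:2] < (5, 15):
        return True            # older than the oldest fixed branch: always affected
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return False           # branch newer than the fix, not listed as affected
    return v < fixed

JSP_OPEN = b"<%"
# Strings the Godzilla_webshell YARA rule keys on (see the IoC list).
GODZILLA_STRINGS = (b"payload", b"X(ClassLoader z)")
TEXT_CONTROL = {0x09, 0x0A, 0x0C, 0x0D}   # tab, LF, FF, CR are normal in a JSP

def classify_jsp(data):
    """Return the reasons a JSP byte string looks like a binary-wrapped Godzilla shell."""
    reasons = []
    if data.startswith(b"FLR"):
        reasons.append("FLR magic header")
    if data.startswith(b"\xef\xbb\xbf"):
        data = data[3:]        # a UTF-8 BOM is legitimate, skip it before the byte check
    first_tag = data.find(JSP_OPEN)
    prefix = data[:first_tag] if first_tag >= 0 else data
    # A real JSP starts with template text; control bytes before the first tag mean a wrapper.
    if any(b < 0x20 and b not in TEXT_CONTROL for b in prefix):
        reasons.append("control bytes before the first JSP tag")
    if all(s in data for s in GODZILLA_STRINGS):
        reasons.append("Godzilla class-loader strings")
    return reasons

def find_wrapped_jsp(webapp_dir):
    """Walk an ActiveMQ admin webapp directory and return [(path, reasons)] for suspicious JSPs."""
    hits = []
    for path in sorted(Path(webapp_dir).rglob("*.jsp")):
        reasons = classify_jsp(path.read_bytes())
        if reasons:
            hits.append((str(path), reasons))
    return hits

def build_constructed_samples():
    """Constructed test files (not real malware): one benign console JSP, one FLR-wrapped shell."""
    root = Path(tempfile.mkdtemp(prefix="activemq-admin-"))
    (root / "index.jsp").write_bytes(
        b'<%@ page contentType="text/html" %>\n<html>benign console page</html>\n')
    wrapper = b"FLR" + bytes([0x00, 0x01, 0x02, 0x80, 0xFF])
    shell = (b"<%! class X extends ClassLoader { X(ClassLoader z) { super(z); } }"
             b" byte[] payload; %><%= \"ok\" %>")
    (root / "shell.jsp").write_bytes(wrapper + shell)
    return root

if __name__ == "__main__":
    print("5.18.2 affected:", activemq_affected("5.18.2"))
    for path, reasons in find_wrapped_jsp(build_constructed_samples()):
        print(path, "->", ", ".join(reasons))
```

Point `find_wrapped_jsp()` at the broker's `webapps/admin` directory on the suspect host; any hit is worth pulling for full analysis, and a file whose only reason is the control-byte check still deserves a look, since a shell need not keep the 'FLR' header. Comparing the file list against a clean install of the same release catches shells that carry no marker at all.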

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attackers exploit CVE-2023-46604 in the exposed OpenWire listener (TCP 61616 by default) to execute arbitrary shell commands on the broker host; the flaw is server-side, so it maps to T1190 rather than T1203. ‘Exploiting this vulnerability enables threat actors to potentially gain unauthorized access to a target system by executing arbitrary shell commands.’
  • [T1027] Obfuscated Files and Information – The web shells are concealed within an unknown binary format to evade security and signature-based scanners. ‘web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners.’
  • [T1046] Network Service Discovery – After deployment, attackers view network details and perform port scans. ‘Viewing network details’ and ‘Conducting port scans.’
  • [T1055] Process Injection – The web shell injects code into other processes. ‘Injecting shellcode into processes.’
  • [T1003] OS Credential Dumping – The web shell can run Mimikatz commands to harvest credentials. ‘Executing Mimikatz commands.’
  • [T1059] Command and Scripting Interpreter – The web shell runs Meterpreter commands and shell commands. ‘Running Meterpreter commands’ and ‘Executing shell commands.’

Indicators of Compromise

  • [CVE] – CVE-2023-46604 – Unsafe deserialization in the OpenWire protocol: the marshaller instantiates an attacker-named class from the wire with a single String argument, which lets a remote attacker point a Spring context loader at attacker-hosted XML and run arbitrary commands without authentication.
  • [Software Version] – Affected Apache ActiveMQ versions: 5.18.0 before 5.18.3; 5.17.0 before 5.17.6; 5.16.0 before 5.16.7; all releases before 5.15.16. The same ranges apply to the legacy OpenWire module.
  • [MD5] – 5e6993bba5e8e72a4899d6ddfb167972, f257b2669b15ca2792625d0bce00d907
  • [SHA256] – 233adf5d3c754ead3f304a4891d367884dd615d74d9983119546bebb346b7bf7, 5da5796d407a0099aa624b1ea73a877a5197b3b31529d94f2467dce19fe3a74a, f97c6c820694a059c7b0b2f3abe1f614b925dd4ab233d11472b062325ffb67be
  • [HTTP Header] – Godzilla’s default protocol header includes User-Agent and other headers: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0; Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8; Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
  • [Binary] – Unknown binary with ‘FLR’ magic header encapsulating the JSP payload.
  • [YARA] – Godzilla_webshell pattern (example: strings such as ‘payload’, ‘X(ClassLoader z)’) as part of detection rule.
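The header indicators above are only useful in combination, so here is an added example (not code from the Trustwave report or from the Godzilla project) that parses raw HTTP requests as a proxy or packet capture would export them and scores each one against the pattern: a POST to a JSP under the admin console, a JSP name that is not part of the shipped console, and the three default Godzilla headers. The weights, the threshold, the hypothetical shell name `cache.jsp` and the subset of known console JSPs are all assumptions made for this example; the requests are constructed, not captured traffic.

```python
import posixpath
from typing import Dict, List, Tuple

# Godzilla's default request headers, copied from the IoC list above.
GODZILLA_DEFAULT_HEADERS = {
    "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "accept-language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
}
# Weights and threshold are assumptions for this example, not from the report.
HEADER_WEIGHTS = {"user-agent": 1, "accept": 1, "accept-language": 2}
POST_TO_JSP_WEIGHT = 2
UNKNOWN_JSP_WEIGHT = 3
ALERT_THRESHOLD = 6
# Illustrative subset of JSPs shipped with the admin console; build the real
# allow-list from a clean install's webapps/admin directory.
KNOWN_CONSOLE_JSPS = {"index.jsp", "queues.jsp", "topics.jsp", "connections.jsp", "send.jsp"}

def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path without query, lowercase headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path = target.split("?", 1)[0]
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def score_request(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one request against the Godzilla-on-ActiveMQ pattern; returns (score, reasons)."""
    score, reasons = 0, []
    is_admin_jsp = path.startswith("/admin/") and path.lower().endswith(".jsp")
    if is_admin_jsp and method == "POST":
        score += POST_TO_JSP_WEIGHT
        reasons.append("POST to a JSP under /admin/")
    if is_admin_jsp and posixpath.basename(path) not in KNOWN_CONSOLE_JSPS:
        score += UNKNOWN_JSP_WEIGHT
        reasons.append("JSP not part of the shipped console")
    for name, weight in HEADER_WEIGHTS.items():
        if headers.get(name) == GODZILLA_DEFAULT_HEADERS[name]:
            score += weight
            reasons.append(f"default Godzilla {name}")
    return score, reasons

def flag_requests(raw_requests: List[str]) -> List[Tuple[str, int, List[str]]]:
    """Return (path, score, reasons) for every request at or above ALERT_THRESHOLD."""
    alerts = []
    for raw in raw_requests:
        method, path, headers = parse_request(raw)
        score, reasons = score_request(method, path, headers)
        if score >= ALERT_THRESHOLD:
            alerts.append((path, score, reasons))
    return alerts

def constructed_samples() -> List[str]:
    """Three constructed requests (not captured traffic); 'cache.jsp' is a hypothetical shell name."""
    godzilla_headers = "".join(f"{k}: {v}\r\n" for k, v in GODZILLA_DEFAULT_HEADERS.items())
    shell = ("POST /admin/cache.jsp HTTP/1.1\r\nHost: broker:8161\r\n" + godzilla_headers +
             "Content-Type: application/x-www-form-urlencoded\r\n\r\nx=constructed-body")
    en_browser = ("GET /admin/queues.jsp HTTP/1.1\r\nHost: broker:8161\r\n"
                  f"User-Agent: {GODZILLA_DEFAULT_HEADERS['user-agent']}\r\n"
                  f"Accept: {GODZILLA_DEFAULT_HEADERS['accept']}\r\n"
                  "Accept-Language: en-US,en;q=0.5\r\n\r\n")
    zh_browser = "GET /admin/send.jsp HTTP/1.1\r\nHost: broker:8161\r\n" + godzilla_headers + "\r\n"
    return [shell, en_browser, zh_browser]

if __name__ == "__main__":
    for path, score, reasons in flag_requests(constructed_samples()):
        print(f"{path} score={score}: {', '.join(reasons)}")
```

The User-Agent and Accept values are stock Firefox 84 strings and the Accept-Language is what a Chinese-locale Firefox sends, so the headers alone will match ordinary browser traffic; in the scoring the decisive signals are the request method and a JSP name that a clean install does not contain. Pair the network alert with the file-system check of the admin directory to confirm.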

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/apache-activemq-vulnerability-leads-to-stealthy-godzilla-webshell/