GoTitan Botnet – Ongoing Exploitation on Apache ActiveMQ | FortiGuard Labs

Apache ActiveMQ CVE-2023-46604 is being actively exploited to load remote XML configurations that trigger deserialization and remote code execution, enabling threat actors to deploy multiple payloads. Notable observed payloads include the new GoTitan Golang botnet and a .NET remote access tool (“PrCtrl Rat”), both delivered via HTTP-hosted binaries. #GoTitan #ApacheActiveMQ

Key points

  • Attackers exploit CVE-2023-46604 in Apache ActiveMQ by sending crafted OpenWire packets (typically to port 61616) that cause the server to unmarshal attacker-controlled classes and load remote XML application configuration files.
  • Public proof-of-concept code and technical details for the vulnerability are available, accelerating exploitation and widespread weaponization.
  • Multiple payload families have been observed dropped via this exploit, including GoTitan (Golang botnet), PrCtrl Rat (.NET RAT), Sliver implants, Kinsing (cryptojacker), and Ddostf (DDoS toolset).
  • GoTitan behavior: downloaded from HTTP URLs, persists via cron and file replication, collects system info, sends C2 heartbeats, and supports numerous DDoS methods (UDP/TCP/HTTP/TLS/RAW/etc.).
  • PrCtrl Rat is delivered as an .NET binary (stored as svc_veeam.exe), achieves persistence via a Run registry key, connects to a hard-coded C2, and supports remote command execution and file upload/download.
  • Kinsing and Ddostf use bash/batch scripts fetched from remote servers to configure the environment, remove competing miners, install binaries/services, set cronjobs, and clear traces.
  • The report lists concrete IOCs (IP addresses, download URLs, filenames, and file hashes) tied to observed campaigns exploiting this ActiveMQ vulnerability.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attacker “initiates a connection to ActiveMQ through the OpenWire protocol, typically on port 61616. By transmitting a crafted packet, the attacker triggers the system to unmarshal a class under their control.”
  • [T1105] Ingress Tool Transfer – Payloads are fetched over HTTP, e.g., GoTitan “downloaded from a malicious URL, ‘hxxp://91.92.242.14/main-linux-amd64s’.”
  • [T1053.005] Scheduled Task/Job: Cron – GoTitan “establishes a recurring execution by registering in the cron” to maintain persistence.
  • [T1547.001] Registry Run Keys/Startup Folder – PrCtrl Rat achieves persistence by adding “Security Service” into “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.”
  • [T1071.001] Application Layer Protocol: Web Protocols – Sliver implants communicate via HTTP to C2 “91[.]92[.]240[.]41” with encoded C2 traffic and dynamic decoders.
  • [T1498] Endpoint Denial of Service – GoTitan “supports ten different methods of launching distributed denial-of-service (DDoS) attacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.”
  • [T1082] System Information Discovery – GoTitan “gathers essential information about the compromised endpoint, including architecture, memory, and CPU details” and sends it to C2.
  • [T1070.004] Indicator Removal on Host: File Deletion – Kinsing and other scripts perform cleanup actions, e.g., “Clears command history and removes bash history files.”

Indicators of Compromise

  • [IP] payload/C2 infrastructure – 91.92.242.14 (GoTitan download), 173.214.167.155 (PrCtrl Rat C2), and 5 more IPs observed in campaigns.
  • [URLs/Download] HTTP-hosted binaries and scripts – hxxp://91.92.242.14/main-linux-amd64s (GoTitan), hxxp://199.231.186.249:8000/unifo.dat (PrCtrl Rat), and other download URLs.
  • [File names] dropped or used for persistence – svc_veeam.exe (PrCtrl Rat), unifo.dat (original .NET file), and /.mod (GoTitan drop), plus artifacts like c.log.
  • [Domains/Hosts] C2/hosts referenced in XMLs – 91[.]92[.]240[.]41 (Sliver C2), 185[.]122[.]204[.]197 (Kinsing cron fetch), and other hosts used for scripts.
  • [File hashes] malware/sample hashes – f75cb3e5…b01b607, dbf8ba47…ee1a3f, and 9 more hashes listed in the report.

The exploitation sequence begins with an attacker connecting to an exposed ActiveMQ instance (OpenWire, typically port 61616) and sending a crafted packet that causes the server to unmarshal attacker-controlled classes. The exploit leverages ClassPathXmlApplicationContext to load a malicious XML configuration from a network location; that XML instructs the JVM to load and execute attacker-supplied code (for example, setting parameters like “cmd” or “bash” to execute shell commands). Public PoC code and technical details are available, which has accelerated opportunistic exploitation.

Once exploited, the server fetches payloads over HTTP. Observed toolchains include GoTitan (Golang binary downloaded from hxxp://91.92.242.14/main-linux-amd64s), which copies itself to /.mod, registers cron jobs for persistence, logs status to c.log, enumerates system details (architecture, memory, CPU), constructs C2 messages prefixed with “Titan” and heartbeats “\xFE\xFE”, and implements multiple DDoS methods (UDP/TCP/HTTP/TLS/RAW/etc.). Sliver implants use HTTP-based C2 at 91[.]92[.]240[.]41 with selectable encoders/decoders (Base32/Base58/Base64/Gzip/Hex/PNG) to exchange commands and binaries.

Additional payloads include PrCtrl Rat (downloaded as unifo.dat and saved as svc_veeam.exe), which adds a Run-key “Security Service” for persistence, connects to 173[.]214[.]167[.]155, validates received command lengths, and supports commands such as cmdc (execute cmd.exe), file (enumerate filesystem), upld/dnld (file transfer), and ping (heartbeat). Kinsing and Ddostf are deployed via bash/batch scripts (e.g., 194[.]38[.]22[.]53/acb.sh and 42[.]121[.]111[.]112:81/xml.sh) to prepare the environment, remove competing miners, install services/cronjobs, verify/download binaries with checksums, and clear history to evade detection.
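The host and network artifacts described in the two paragraphs above (GoTitan's /.mod drop and cron persistence, its “Titan”-prefixed C2 messages and \xFE\xFE heartbeat, PrCtrl Rat's “Security Service” Run key, and the quoted infrastructure) lend themselves to simple triage checks. The following is an added example written for this summary, not FortiGuard's code; the indicator values are the ones quoted above, while the crontab, registry and captured-payload inputs in `demo()` are constructed samples.

```python
"""Triage checks for the GoTitan / PrCtrl Rat indicators quoted in the write-up."""

# Infrastructure quoted in the summary, refanged so it can be matched directly.
KNOWN_IPS = {"91.92.242.14", "173.214.167.155", "91.92.240.41", "185.122.204.197",
             "199.231.186.249", "194.38.22.53", "42.121.111.112"}
GOTITAN_DROP = "/.mod"             # GoTitan copies itself here
GOTITAN_PREFIX = b"Titan"          # C2 messages are prefixed with "Titan"
GOTITAN_HEARTBEAT = b"\xFE\xFE"    # heartbeat bytes sent to the C2
PRCTRL_RUN_NAME = "Security Service"   # Run-key value name used by PrCtrl Rat
PRCTRL_BINARY = "svc_veeam.exe"        # on-disk name of the PrCtrl Rat binary


def refang(indicator: str) -> str:
    """Turn defanged notation (hxxp, [.]) back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def scan_crontab(crontab: str) -> list:
    """Return non-comment cron lines that launch the GoTitan drop path."""
    return [ln for ln in crontab.splitlines()
            if GOTITAN_DROP in ln and not ln.lstrip().startswith("#")]


def scan_run_keys(values: dict) -> list:
    """values maps Run-key value names to their commands; flag PrCtrl Rat persistence."""
    return [name for name, cmd in values.items()
            if name == PRCTRL_RUN_NAME or PRCTRL_BINARY.lower() in cmd.lower()]


def scan_c2_stream(data: bytes, peer_ip: str) -> dict:
    """Flag GoTitan traffic features in one captured TCP payload sent to peer_ip."""
    return {"known_ip": refang(peer_ip) in KNOWN_IPS,
            "titan_prefix": data.startswith(GOTITAN_PREFIX),
            "heartbeat": GOTITAN_HEARTBEAT in data}


def demo() -> dict:
    """Run the checks over constructed sample inputs and return the findings."""
    crontab = "# backup job\n0 3 * * * /usr/bin/backup\n* * * * * /.mod\n"
    run_keys = {"OneDrive": "C:\\Users\\u\\OneDrive.exe",
                "Security Service": "C:\\ProgramData\\svc_veeam.exe"}
    payload = b"Titan|linux|amd64|" + GOTITAN_HEARTBEAT   # constructed, not a real capture
    return {"cron": scan_crontab(crontab),
            "run_keys": scan_run_keys(run_keys),
            "c2": scan_c2_stream(payload, "91[.]92[.]242[.]14")}


if __name__ == "__main__":
    print(demo())
```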

Read more: https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq