Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.
"The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners," Trustwave said. "Notably, despite the binary's unknown file format, ActiveMQ's JSP engine continues to compile and execute the web shell."
CVE-2023-46604 (CVSS score: 10.0) refers to a severe vulnerability in Apache ActiveMQ that enables remote code execution. Since its public disclosure in late October 2023, it has come under active exploitation by multiple adversaries to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.
In the latest intrusion set observed by Trustwave, susceptible instances have been targeted by JSP-based web shells that are planted within the "admin" folder of the ActiveMQ installation directory.
The web shell, named Godzilla, is a functionality-rich backdoor capable of parsing inbound HTTP POST requests, executing the content, and returning the results in the form of an HTTP response.
"What makes these malicious files particularly noteworthy is how the JSP code appears to be concealed within an unknown type of binary," security researcher Rodel Mendrez said. "This method has the potential to circumvent security measures, evading detection by security endpoints during scanning."
A closer examination of the attack chain shows that the web shell code is converted into Java code prior to its execution by the Jetty Servlet Engine.
The JSP payload ultimately allows the threat actor to connect to the web shell through the Godzilla management user interface and gain complete control over the target host, facilitating the execution of arbitrary shell commands, viewing network information, and handling file management operations.
Users of Apache ActiveMQ are highly recommended to update to the latest version as soon as possible to mitigate potential threats.