Redazione RHC: 20 August 2025 10:41
Red Canary specialists have discovered an unusual campaign using the new DripDropper malware, targeting Linux cloud servers. The attackers gained access via the CVE-2023-46604 vulnerability in Apache ActiveMQ, then gained a foothold in the system and installed a patch to close the very hole they had entered through.
This paradoxical move allowed them not only to cover their tracks, but also to block access to competitors, leaving the infected server under their complete control.
Analysts recorded the execution of reconnaissance commands on dozens of vulnerable hosts. On some of them, the attackers deployed remote-control tooling, from Sliver to Cloudflare tunnels, giving them long-term covert communication with their C2 servers. In one incident, they modified the sshd configuration, including its root login settings, and launched the DripDropper downloader.
DripDropper is an ELF file built with PyInstaller, password-protected, and communicating with the attackers' Dropbox account via a token. The tool creates additional malicious files, installs them on the system via cron, and makes changes to the SSH configuration, opening new, stealthy access routes for the operators. Using legitimate cloud services such as Dropbox or Telegram as C2 channels lets the malicious traffic blend in with normal network activity.
The final step of the attack was downloading and installing the official ActiveMQ JAR patches from the Apache Maven domain. In this way, the attackers closed the vulnerability through which they had penetrated, minimizing the risk of repeated compromise scans and interference from other hackers.
Experts point out that exploitation of CVE-2023-46604 continues despite its age and is used not only for DripDropper, but also for distributing TellYouThePass, the HelloKitty malware and the Kinsing miner.
To reduce the risk, experts recommend that organizations strengthen the protection of Linux environments, especially in the cloud: use automated configuration management via Ansible or Puppet, prevent root access, run services as unprivileged users, patch promptly, and control network access rules. Monitoring cloud environment logs also plays an important role, allowing suspicious activity to be detected early.
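The two host-level changes described above (an sshd configuration opened for root access, and persistence via cron) are the kind of thing the recommended log and configuration monitoring should surface. The following added example, not code from Red Canary or from the article, audits an sshd_config and a crontab for those signs; the sample inputs, the `/tmp/.d/dripper` binary name and the path heuristics are constructed for illustration.

```python
import re

# Constructed sample sshd_config with the kind of change the article describes:
# root login opened and an extra authorized-keys file outside ~/.ssh.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys /tmp/.x/keys
"""
# Constructed sample crontab: one legitimate job, one persistence entry that
# runs a made-up binary from a hidden directory under /tmp.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /tmp/.d/dripper --token-file /tmp/.d/t
"""
# sshd directives and the values that weaken access control.
RISKY_SSHD = {"permitrootlogin": {"yes"}, "permitemptypasswords": {"yes"}}
# Paths in world-writable temp dirs or in hidden directories other than .ssh.
SUSPICIOUS_PATH = re.compile(
    r"(?<![\w/])(?:/tmp|/var/tmp|/dev/shm)/|/\.(?!ssh\b)[^/\s]")

def audit_sshd_config(text):
    """Return sshd directives that open root login or add odd key files."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)  # strip comments
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if value.lower() in RISKY_SSHD.get(key, ()):
            findings.append(f"{parts[0]} {value}")
        elif key == "authorizedkeysfile":
            for path in value.split():
                # keys normally sit under ~/.ssh; absolute or temp/hidden
                # paths are how extra access gets wired in
                if path.startswith("/") or SUSPICIOUS_PATH.search(path):
                    findings.append(f"{parts[0]} {path}")
    return findings

def audit_crontab(text):
    """Return crontab commands that execute from temp or hidden directories."""
    findings = []
    for raw in text.splitlines():
        fields = raw.strip().split(None, 5)  # five time fields + command
        if len(fields) == 6 and not fields[0].startswith("#") \
                and SUSPICIOUS_PATH.search(fields[5]):
            findings.append(fields[5])
    return findings
```

Run against real files, the findings are a starting point for comparison with the configuration-management baseline, not a verdict on their own.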
The case clearly demonstrates that even a "fixed" vulnerability does not guarantee security if the fix was applied by the attackers themselves. Keeping a record of updates and a timely response from administrators remain key factors in protecting critical systems.