SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

New DripDropper malware exploits then patches Linux cloud flaw

Thu, 21st Aug 2025

Red Canary has reported the discovery of new Linux downloader malware, named 'DripDropper', which targets cloud-based Linux servers operating Apache ActiveMQ and employs novel techniques to maintain persistent and covert access.

According to Red Canary's threat intelligence team, the threat actor behind the campaign initially exploited the Apache ActiveMQ vulnerability CVE-2023-46604 to gain access to affected systems. Unusually, after gaining control, the attacker proceeded to patch the very same vulnerability, thereby preventing other malicious actors from exploiting it and retaining exclusive access to the compromised server.

Red Canary's threat intelligence analysis highlighted that this approach serves dual purposes: "It may seem counterintuitive for an adversary to fix a compromised system after gaining remote access but in many scenarios the motivation can be twofold. It's a great way to potentially lock out other adversaries, ensuring their foothold remains exclusive. It can also obscure the adversary's initial access technique."

The investigation found that the attacker executed reconnaissance commands across numerous cloud-based Linux endpoints vulnerable to this critical remote code execution issue in Apache ActiveMQ, an open-source message broker. Previous security research identified similar vulnerabilities being exploited for ransomware and cryptomining malware such as TellYouThePass, Ransomhub, HelloKitty, and Kinsing.

For ongoing access, the attacker leveraged a variety of command and control (C2) tools, including Sliver, an open-source tool designed for penetration testing, and Cloudflare Tunnels. After establishing C2, the attacker altered the sshd configuration to permit root logins, which is disabled by default in most security-hardened Linux environments. With root access, the attacker downloaded and executed DripDropper.

DripDropper's operation

DripDropper is described by Red Canary as an encrypted PyInstaller Executable and Linkable Format (ELF) file, requiring a specific password for execution. This encryption complicates sandbox analysis and detection. The malware communicates with a Dropbox account controlled by the adversary, using a hardcoded bearer token, to receive further instructions or updates. The precise contents of communications with Dropbox remain undetermined by researchers, but the interactions typically lead to the creation of two malicious files on the infected system.

The nature and location of the first dropped file depend on the execution parameters of DripDropper, with functionality observed ranging from process monitoring to more Dropbox communication. To ensure persistence, DripDropper modifies the 0anacron scheduled task configuration, allowing automatic re-execution.

The second file receives a random eight-character name and generally modifies system configuration files, especially those related to SSH access. This includes changing the default login shell for the 'games' user account to provide another route for system access.
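The sshd change, the 0anacron persistence and the 'games' shell edit described above are all host-configuration drift that a baseline check can catch. The following added example (not Red Canary's code or part of the report) audits constructed samples of sshd_config and /etc/passwd and compares a cron script against a recorded hash; the sample contents and the 999 system-UID cutoff are assumptions.

```python
import hashlib
import re

# Constructed samples (not from a real host): sshd_config after an
# adversary enabled root logins, and /etc/passwd with 'games' given a shell.
SSHD_CONFIG_TAMPERED = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SSHD_CONFIG_HARDENED = "Port 22\nPermitRootLogin no\n# PermitRootLogin yes\n"
PASSWD_TAMPERED = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "games:x:5:60:games:/usr/games:/bin/bash\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
)
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def root_login_disabled(config_text):
    """True only if the first effective PermitRootLogin directive is 'no'.
    sshd honours the first match, so a later 'no' does not override an
    earlier 'yes'; with no directive at all OpenSSH defaults to
    prohibit-password, which still allows key-based root login."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"permitrootlogin\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower() == "no"
    return False


def system_accounts_with_shell(passwd_text, uid_max=999):
    """Names of system accounts (uid <= uid_max, root excluded) whose login
    shell is interactive, e.g. 'games' after its shell has been changed."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] != "root" and int(f[2]) <= uid_max \
                and f[6] not in NOLOGIN_SHELLS:
            hits.append(f[0])
    return hits


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def cron_script_changed(content, expected_sha256):
    """Compare a cron script such as /etc/cron.daily/0anacron against the
    hash recorded in your configuration-management baseline."""
    return sha256_hex(content) != expected_sha256


if __name__ == "__main__":
    print("root login disabled:", root_login_disabled(SSHD_CONFIG_TAMPERED))
    print("system accounts with shell:", system_accounts_with_shell(PASSWD_TAMPERED))
```

On a real host, feed the functions the contents of /etc/ssh/sshd_config, /etc/passwd and the cron scripts, and pair the hash check with package verification (rpm -V or debsums) so a replaced script is caught even when no baseline was recorded.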

Patching to evade detection

As Red Canary shared, "Finally, the adversary used curl to download two ActiveMQ JAR files from repo1[.]maven[.]org, a domain belonging to Apache Maven. These two JAR files constitute a legitimate patch for CVE-2023-46604. By deleting the existing JAR files and replacing them, the adversary effectively patched the already compromised system. We assess the adversary likely did this to reduce detection via common methods, such as vulnerability scanners, and to effectively reduce the likelihood of being spotted by defenders due to another adversary being detected when attempting to exploit the vulnerability. Adversaries have employed this technique with other CVEs. Patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms for continued access."

Use of platforms such as Dropbox for C2 communications is not unique to DripDropper and has been adopted by other malware families to blend in with legitimate traffic, making detection more difficult.

Business risk and cloud security considerations

The level of access gained by the attacker creates significant risks for affected organisations. The attacker is capable of monitoring environments, altering security controls, and deploying further malware through DripDropper. Red Canary notes the rarity of using encrypted PyInstaller ELF files for Linux malware, a technique more commonly seen in Windows environments.

Red Canary highlighted: "As cloud environments and containerization have led to an increase in Linux environments, adversaries have adapted by increased attacks and tradecraft development for Linux. The patching of the vulnerability to prevent competition underscores how prevalent exploitation can be. It highlights the risks of assuming a clean vulnerability scan means a secure system."

"It is also a reminder that patch implementation should be well-documented and occur in a timely manner, to avoid the risk of an adversary doing it for you. While mitigation and detection details differ, adversaries have the same objectives on Linux. They achieve persistence through system scheduled execution, blend their filenames and location choices as much as possible, and choose C2 channels that are common in legitimate traffic."

Red Canary recommends a multi-layered defence strategy for cloud and Linux systems, including robust host-level hardening, automated configuration management to maintain proper SSH configurations, running web services as non-root users, and restricting network access through ingress controls and least privilege.

The company also advocates immediate patching of known vulnerabilities, especially high-severity issues such as CVE-2023-46604, with comprehensive documentation of who applied patches and why, as a best practice for incident response. Supplementary measures include configuring robust logging and using monitoring tools suited to cloud environments in order to detect abnormal or malicious behaviour swiftly.

Red Canary's findings underscore the ongoing need for vigilance and proactive security management in cloud-based Linux environments, particularly where widely adopted services such as Apache ActiveMQ are deployed.
