Invisible Godzilla: Apache ActiveMQ vulnerability gives full control over hosts

Godzilla uses an unknown format to bypass security features.

Trustwave warns of a significant increase in active exploitation of an already patched vulnerability in Apache ActiveMQ to deliver the Godzilla web shell to compromised hosts.

Web shells are hidden in an unknown binary format and are designed to bypass security systems and signature-based scanners. Notably, despite the unknown binary file format, ActiveMQ's JSP engine continues to compile and execute the web shell.

The CVE-2023-46604 flaw (CVSS score: 9.8) in Apache ActiveMQ makes Remote Code Execution (RCE) possible. Since its public disclosure at the end of October 2023, the bug has been actively exploited by multiple attackers to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets.

In the latest set of intrusions detected by Trustwave, vulnerable instances were attacked with JSP (Java Server Pages) based web shells placed in the admin folder of the ActiveMQ installation directory. The web shell, called Godzilla, is a multifunctional backdoor that parses incoming HTTP POST requests, executes their content, and returns the results in the HTTP response.

The malicious files are particularly notable because the JSP code is hidden inside a binary file of unknown type. This technique helps the web shell evade detection during scanning. A closer examination of the attack chain shows that the web shell code is converted to Java code before it is executed by Jetty's servlet engine (servlets are software components that extend the functionality of the web server).
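The detection angle the article points at is that a JSP file the servlet engine will happily compile may still be mostly non-text bytes. The following triage scanner is an added example, not code from the original post or from Trustwave: it walks a directory modelled on ActiveMQ's `webapps/admin` tree, measures how much of each `.jsp` file is non-printable, and flags files that are mostly binary yet still contain JSP directives or scriptlet tags. The directory layout, the 30% binary threshold and the two sample files are constructed assumptions for illustration; the hidden sample carries a harmless `out.println` scriptlet, not a shell.

```python
"""Flag JSP files that are mostly binary but still contain JSP tags.

Added example (not from the original post): a defender-side triage scanner
for the pattern Trustwave describes, JSP web shells hidden inside an unknown
binary format under the ActiveMQ admin directory. Paths, threshold and the
sample file contents are constructed for this example.
"""
import os
import re
import tempfile

# JSP constructs that a servlet engine will compile even when the surrounding
# bytes are not text. Bytes pattern so it works on arbitrary binary blobs.
JSP_MARKERS = re.compile(rb"<%@|<%=|<%!|<%[^@=!]|<jsp:")

# Share of bytes outside printable ASCII / whitespace above which a file is
# treated as "binary". The threshold is an assumption chosen for this example.
BINARY_RATIO = 0.30


def binary_ratio(data: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor tab/CR/LF."""
    if not data:
        return 0.0
    non_text = sum(1 for b in data if not (32 <= b < 127) and b not in b"\t\r\n")
    return non_text / len(data)


def classify_file(path: str) -> dict:
    """Classify one file: a JSP tag inside mostly non-text bytes is the
    hiding technique described in the article, so flag it for manual review."""
    with open(path, "rb") as fh:
        data = fh.read()
    markers = JSP_MARKERS.findall(data)
    ratio = binary_ratio(data)
    return {
        "path": path,
        "size": len(data),
        "binary_ratio": round(ratio, 3),
        "jsp_markers": len(markers),
        "suspicious": ratio >= BINARY_RATIO and len(markers) > 0,
    }


def scan_admin_dir(root: str) -> list[dict]:
    """Walk an ActiveMQ webapps/admin-style tree and classify every .jsp file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jsp"):
                findings.append(classify_file(os.path.join(dirpath, name)))
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample tree: one ordinary JSP page and one JSP
    whose benign scriptlet is buried inside deterministic binary padding."""
    root = tempfile.mkdtemp(prefix="activemq-admin-")
    clean = b'<%@ page contentType="text/html" %>\n<html><body>Queues</body></html>\n'
    # Padding is deterministic so results are reproducible; consecutive bytes
    # differ by 37, so the padding itself never forms a "<%" sequence.
    padding = bytes((i * 37 + 11) % 256 for i in range(600))
    hidden = padding[:300] + b'<% out.println("hello"); %>' + padding[300:]
    with open(os.path.join(root, "index.jsp"), "wb") as fh:
        fh.write(clean)
    with open(os.path.join(root, "stats.jsp"), "wb") as fh:
        fh.write(hidden)
    return root


if __name__ == "__main__":
    for finding in scan_admin_dir(build_sample_tree()):
        print(finding)
```

On a real host you would point `scan_admin_dir` at the ActiveMQ installation's `webapps/admin` directory and review every record with `suspicious` set; any `.jsp` file there that is not part of the shipped distribution deserves a look regardless of its byte ratio, since the ratio check only catches the binary-wrapped variant the article describes.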

The JSP payload ultimately allows a cybercriminal to connect to the web shell through the Godzilla management user interface and gain full control of the target host, making it easier to execute arbitrary shell commands, view network information, and perform file management operations. Apache ActiveMQ users are strongly encouraged to update to the latest version as soon as possible to minimize potential threats.