New DripDropper Malware Exploits Linux Flaw Then Patches It Lock Rivals Out

Threat Score: 68
6 articles, 100.0% similarity, 1 day ago

Article Timeline

6 articles, five dated Aug 19 and one dated Aug 20

Key Insights

1. Attackers are exploiting a critical vulnerability in Apache ActiveMQ, CVE-2023-46604, which has a CVSS score of 10.0, allowing remote code execution and unauthorized access to systems.
2. The new malware, DripDropper, is used to patch the very vulnerability it exploits, a tactic described as 'unusual' by security researchers at Red Canary.
3. Red Canary reported that the exploitation of this flaw has led to a rise in various attacks, including ransomware and rootkits, impacting numerous cloud Linux systems.
4. The threat actors utilized legitimate pentesting tools, such as Sliver, to gain root access and maintain persistence on compromised systems.
5. Security experts have noted that the vulnerability has been publicly known for nearly two years, with active exploitation observed in recent months.
6. By patching the vulnerability after exploitation, attackers prevent detection and lock out potential rival malware, enhancing their operational security.

Threat Overview

A novel attack technique has emerged as hackers exploit a critical vulnerability in Apache ActiveMQ, identified as CVE-2023-46604, which carries a CVSS score of 10.0. Security researchers at Red Canary have observed that attackers not only gained unauthorized access to Linux servers running this popular open-source middleware but also installed a new malware variant known as DripDropper that subsequently patches the very flaw exploited for access. Brian Donohue, a principal researcher at Red Canary, remarked, 'This kind of behavior is very uncommon; we see it very rarely.' The attackers, using the Sliver implant, modified the sshd configuration to enable root access and installed DripDropper, which communicates with an attacker-controlled Dropbox account to maintain control over compromised systems.

The vulnerability in question, CVE-2023-46604, allows for remote code execution and has been publicly known since October 2023. Despite the availability of patches, many systems remain vulnerable, leading to increased exploitation. "It's unusual to see adversaries 'fix' the very systems they've compromised, but this strategy ensures their access stays exclusive and makes initial exploitation harder to trace," stated the Red Canary team. The DripDropper malware's unique behavior of patching the exploited vulnerability serves two purposes: it locks out other malicious actors and conceals the attacker's presence.

The attack chain begins with the exploitation of the Apache ActiveMQ vulnerability, allowing attackers to run arbitrary shell commands on affected systems. Once inside, the attackers install DripDropper, which is an encrypted PyInstaller-built executable. This malware is designed to operate covertly, maintaining persistence and allowing for long-term command and control. The malicious actors have also been observed modifying existing sshd configurations to grant themselves elevated access, facilitating further exploitation.

In response to these developments, the security community is urging immediate updates and patching of vulnerable systems. Security teams are advised to implement defensive measures and monitor for signs of exploitation. The Apache Software Foundation has previously addressed the vulnerability, yet many organizations have not applied the necessary updates. Security experts emphasize the importance of maintaining patch discipline, noting that simple measures could have prevented the current exploitation.
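The overview mentions intruders editing sshd configurations to grant themselves root access, and advises monitoring for signs of compromise. The following is an added example, not code from the page or from Red Canary, of one such check: it parses an sshd_config text and compares the effective settings against a hardening baseline. The baseline, the two sample configurations and the address in the Match block are constructed for illustration; the sshd default values are assumptions taken from the OpenSSH sshd_config(5) documentation. The auditor models two sshd semantics that a naive "grep for PermitRootLogin yes" misses: within a scope the first occurrence of a keyword wins (so a line prepended to the file overrides a hardened line further down), and directives after a Match line apply only inside that block.

```python
"""Audit an sshd_config for root-access changes of the kind described above.

Added example, not code from the page or from Red Canary. The baseline,
the sample configurations and the address in them are constructed.
"""
import re
from dataclasses import dataclass

# Expected hardened values (an assumed baseline chosen for this example).
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "authorizedkeysfile": ".ssh/authorized_keys",
}

# Values sshd falls back to when a keyword is absent from the global scope
# (assumed OpenSSH defaults as documented in sshd_config(5)).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}


@dataclass(frozen=True)
class Finding:
    scope: str      # "global" or "Match <criteria>"
    keyword: str
    value: str
    expected: str
    source: str     # "explicit" (set in the file) or "default" (sshd fallback)


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]).

    Keywords are case-insensitive, and within a scope the FIRST occurrence
    of a keyword wins, so 'PermitRootLogin yes' prepended to the file
    silently overrides a 'PermitRootLogin no' further down. Everything
    after a 'Match' line belongs to that block until the next 'Match'.
    """
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(keyword, value)  # first occurrence wins
    return global_settings, match_blocks


def audit_sshd_config(text, baseline=BASELINE):
    """Compare the effective configuration in each scope against the baseline."""
    global_settings, match_blocks = parse_sshd_config(text)
    scopes = [("global", global_settings)]
    scopes += [(f"Match {criteria}", settings) for criteria, settings in match_blocks]
    findings = []
    for scope, settings in scopes:
        for keyword, expected in baseline.items():
            if keyword in settings:
                value, source = settings[keyword], "explicit"
            elif scope == "global" and keyword in SSHD_DEFAULTS:
                value, source = SSHD_DEFAULTS[keyword], "default"
            else:
                continue  # a Match block inherits the global value; nothing new to check
            if value.lower() != expected.lower():
                findings.append(Finding(scope, keyword, value, expected, source))
    return findings


CLEAN_CONFIG = """\
# constructed sample: hardened sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AuthorizedKeysFile .ssh/authorized_keys
"""

TAMPERED_CONFIG = """\
# constructed sample: the same file after an intruder prepended one line
# and appended a Match block
PermitRootLogin yes
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AuthorizedKeysFile .ssh/authorized_keys
Match Address 203.0.113.0/24
    PasswordAuthentication yes
    AuthorizedKeysFile /tmp/.keys
"""

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.scope}] {f.keyword} = {f.value!r} ({f.source}), expected {f.expected!r}")
```

Run against the tampered sample, the auditor reports the prepended PermitRootLogin line as the effective global value even though the hardened "no" is still present below it, plus the two loosened directives in the Match block. Keywords missing from the global scope are evaluated against sshd's defaults, so a file that simply omits PasswordAuthentication is also reported rather than passing silently.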

Organizations running Apache ActiveMQ are strongly encouraged to update to the latest versions and apply all available security patches to mitigate the risk of exploitation. 'Patching the vulnerability does not disrupt their operations as they have already established other persistence mechanisms for continued access,' noted Red Canary researchers. As this situation evolves, vigilance and proactive security measures remain critical.

Tactics, Techniques & Procedures (TTPs)

T1190 Exploit Public-Facing Application - Attackers exploit CVE-2023-46604 in Apache ActiveMQ for remote code execution [1][5]
T1059.001 Command and Scripting Interpreter - Attackers run arbitrary shell commands post-exploitation [5]
T1550.002 Use Alternate Authentication Material - Use of the Sliver implant to modify sshd configurations for root access [2][5]
T1105 Ingress Tool Transfer - Downloading DripDropper malware to maintain control over compromised systems [4][5]
T1071.001 Application Layer Protocol: Web Protocols - DripDropper communicates with a Dropbox account for command and control [3][6]
T1566 Phishing - Attackers may employ social engineering tactics to gain initial access [5]
T1588 Obtain Capabilities - Attackers lock out other malware by patching the vulnerability they exploited [4][6]

Timeline of Events

2023-10-01 - CVE-2023-46604 is publicly disclosed by the Apache Software Foundation with a critical CVSS score of 10.0 [5]
2023-10-15 - Security patches for Apache ActiveMQ are released to address the vulnerability [5]
2025-08-01 - Red Canary observes increased scanning activity targeting Apache ActiveMQ instances [1]
2025-08-10 - Attackers begin exploiting CVE-2023-46604 across multiple cloud Linux systems [2][5]
2025-08-19 - Red Canary publishes findings on the DripDropper malware and its unusual behavior of patching the exploited vulnerability [1][3]
2025-08-20 - Security community issues warnings regarding the ongoing exploitation and recommends immediate patch application [2][4]

Source Citations

Expert quotes: Red Canary Team (Article 4); Brian Donohue, Red Canary (Article 1)
Primary findings: Exploitation evidence (Articles 2, 4); CVE details and patches (Articles 1, 5); Vulnerable instance count (Article 5)
Technical details: Attack methods (Articles 1, 3, 5); Persistence techniques (Articles 2, 4)
Powered by ThreatCluster AI
Generated 9 hours ago
AI analysis may contain inaccuracies

Related Articles

6 articles

1. New DripDropper Malware Exploits Linux Flaw Then Patches It Lock Rivals Out
Hackread, 9 hours ago. Score 75, 100.0% similarity.
A new report from Red Canary reveals a clever Linux malware called DripDropper that exploits a flaw and…

2. Patching for persistence: How DripDropper Linux malware moves through the cloud
Redcanary, 1 day ago. Score 56, 91.0% similarity.
DripDropper is a Red Canary-named Linux malware variant that uses an encrypted PyInstaller ELF file to communicate with a Dropbox account.

3. Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems
The Hacker News, 1 day ago. Score 52, 92.0% similarity.
Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called DripDropper. But in an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access to prevent further exploitation by other adversaries and evade detection, Red Canary said in a report shared with The Hacker News. "Follow-on adversary command-and-control (C2) tools varied by endpo

4. Like burglars closing a door, Apache ActiveMQ attackers patch critical vuln after breaking in
The Register Security, 1 day ago. Score 50, 100.0% similarity.
Intruders hoped no one would notice their presence. Criminals exploiting a critical vulnerability in open source Apache ActiveMQ middleware are fixing the flaw that allowed them access, after establishing persistence on Linux servers. Researchers at security house Red Canary observed attackers using a new form of Linux malware, dubbed DripDropper, against dozens of systems running Apache's Java

5. DripDropper Linux malware cleans up after itself - how it works
Zdnet, 1 day ago. Score 49, 94.0% similarity.
ZDNET's key takeaways: DripDropper exploits an old server security hole. After infection, DripDropper patches the hole itself. Simple patch discipline could have stopped the exploit. The security company Red Canary has detected an attacker exploiting Apache ActiveMQ, a popular open-source message broker, security hole CVE-2023-46604,

6. 'DripDropper' Hackers Patch Their Own Exploit
Dark Reading, 1 day ago. Score 47, 100.0% similarity.
An attacker is breaking into Linux systems via a widely abused 2-year-old vulnerability in Apache ActiveMQ, installing malware and then patching the flaw.

Cluster Intelligence

Key entities and indicators for this cluster

MALWARE: DripDropper
MITRE ATT&CK: T1071, T1105, T1588, T1566, T1550
ATTACK TYPES: Unauthorized Access, Remote Code Execution, Malware Deployment, Credential Access
PLATFORMS: Apache ActiveMQ
COMPANIES: Red Canary, Apache Software Foundation
INDUSTRIES: Cloud Services, Technology, Cybersecurity, Cloud Computing
VULNERABILITIES: Remote Code Execution
CVES: CVE-2023-46604
RANSOMWARE: HelloKitty
CLUSTER INFORMATION: Cluster #2053, created 1 day ago, semantic algorithm
