Multiple threat actors have been observed exploiting a recently patched critical vulnerability in Apache ActiveMQ to disseminate several malware strains, including Sliver, Kinsing, and Ddostf.
The vulnerability in question is CVE-2023-46604, a remote code execution flaw in Apache ActiveMQ's handling of the OpenWire protocol that stems from deserialization of untrusted data. It is rated CVSS 10.0 and is fixed in ActiveMQ 5.15.16, 5.16.7, 5.17.6, and 5.18.3.
According to a new report from researchers at Fortinet's FortiGuard Labs, the flaw has been weaponized to deliver a new Golang-based botnet dubbed “GoTitan,” designed to launch distributed denial-of-service (DDoS) attacks over protocols such as HTTP, UDP, TCP, and TLS, and a .NET program called “PrCtrl Rat” that implements remote control capabilities.
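A first triage step on a fleet is to check which brokers still run a pre-fix release. The following is an added example, not code from the article, Fortinet, or the ActiveMQ project: it pulls a version out of a banner or jar name and compares it branch by branch against the fixed releases named in the Apache advisory (5.15.16, 5.16.7, 5.17.6, 5.18.3). The host names and banner strings in `SAMPLE_INVENTORY` are constructed, and the treatment of 6.x and any future 5.19+ branch as not affected is an assumption.

```python
"""Classify Apache ActiveMQ version strings against the CVE-2023-46604 fixes.

Added example (not from the article or the ActiveMQ project).  The fixed
versions are those named in the Apache advisory; every earlier release on a
branch is treated as affected.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First release on each maintained 5.x branch that carries the fix.
FIXED: Dict[Tuple[int, int], Version] = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z triple found in free text, e.g. a console
    banner ('ActiveMQ 5.17.3') or a jar name ('activemq-broker-5.16.5.jar')."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the release predates the CVE-2023-46604 fix on its branch."""
    major, minor, _patch = version
    if major != 5:
        # 6.x shipped after the fix; anything older than 5.x predates it.
        return major < 5
    if minor < 15:
        # Advisory wording: every release before 5.15.16 is affected.
        return True
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Assumption: a 5.19+ branch would be cut from fixed code.
        return False
    return version < fixed


# Constructed inventory for illustration; these are not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "broker-a": "ActiveMQ 5.17.3",
    "broker-b": "activemq-broker-5.18.3.jar",
    "broker-c": "ActiveMQ 5.15.9",
    "broker-d": "apache-activemq-5.16.7",
    "broker-e": "banner did not include a version",
}


def assess(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected', 'fixed', or 'unknown'."""
    results: Dict[str, str] = {}
    for host, banner in inventory.items():
        version = parse_version(banner)
        if version is None:
            results[host] = "unknown"
        else:
            results[host] = "affected" if is_affected(version) else "fixed"
    return results


if __name__ == "__main__":
    for host, status in assess(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A version match is only a starting point: the advisory asks for both brokers and clients to be upgraded, and a broker that exposes its OpenWire transport (TCP 61616 by default) to untrusted networks should be treated as reachable by exactly the opportunistic scanning the report describes, whatever its patch level.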
GoTitan is downloaded from a malicious URL and is focused on x64 architectures.
“The attacker only provides binaries for x64 architectures, and the malware performs some checks before running. It also creates a file named ‘c.log’ that records the execution time and program status. This file seems to be a debug log for the developer, which suggests that GoTitan is still in an early stage of development,” the researchers noted.
The malware copies itself onto the host and sets up a recurring execution for persistence. It then collects basic information about the compromised endpoint, including architecture, memory, and CPU details, and sends the data to the attackers.
A command received from the command-and-control (C2) server is passed to a function named “handle_socket_func2” that selects the attack method. GoTitan supports ten different DDoS methods, including UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.
Fortinet said it also observed instances where the vulnerable Apache ActiveMQ servers have been targeted to deploy another DDoS botnet called Ddostf, Kinsing cryptojacking malware, and a C2 framework named Sliver.