A critical security vulnerability in Apache ActiveMQ, disclosed recently, is being actively exploited by threat actors to deploy a new Go-based botnet named GoTitan alongside a remote access tool called PrCtrl Rat. The latter gives the operators remote control of compromised systems.

The attacks exploit a remote code execution vulnerability (CVE-2023-46604, CVSS score: 10.0) that has drawn the attention of several hacking groups, including the notorious Lazarus Group, in recent weeks. After exploitation, the attackers fetch secondary payloads from remote servers, notably the GoTitan botnet, which is built to carry out distributed denial-of-service (DDoS) attacks over a range of protocols, including HTTP, TCP, and TLS.

“The attackers supply binaries exclusively for x64 architectures, accompanied by pre-execution checks by the malware,” explained Fortinet FortiGuard Labs researcher Cara Lin in a recent analysis. The malware writes a debug log named “c.log” that records execution times and statuses, which suggests that GoTitan is still under development.

In addition to GoTitan, Fortinet has documented other DDoS botnets, including Ddostf, and cryptojacking malware such as Kinsing, all leveraging the same Apache ActiveMQ vulnerability. The Sliver command-and-control (C2) framework has also been deployed in these attacks.

The remote access trojan, PrCtrl Rat, is particularly concerning. It connects to a C2 server and supports command execution, file harvesting, and file uploads and downloads. “Currently, we have yet to receive communications from the server, leaving the exact intent behind this tool somewhat ambiguous,” Lin noted. “Nevertheless, its infiltration equips the remote server with significant control over the compromised system.”

These ongoing exploits pose a significant risk to organizations running Apache ActiveMQ. In MITRE ATT&CK terms, the observed activity covers initial access by exploiting a public-facing application (the exposed ActiveMQ broker), persistence through the installed backdoor, and post-exploitation tooling that lets adversaries run commands and move further into the environment. Organizations are urged to inventory their ActiveMQ deployments and upgrade to a release that fixes CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6 or 5.18.3, per the Apache advisory); any broker reachable from untrusted networks on an older release should be treated as exposed.
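As an added example, not code from the article or from Fortinet's research, the following Python script turns the patching advice into a concrete inventory check. The fixed release numbers are taken from the Apache ActiveMQ advisory for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3; everything below 5.15.16 is affected). The host names and version strings in the sample inventory are constructed for illustration.

```python
"""Inventory check for CVE-2023-46604: flag Apache ActiveMQ brokers that run a
release older than the fixing release of their branch.

Fixed releases are those listed in the Apache advisory for CVE-2023-46604:
5.15.16, 5.16.7, 5.17.6 and 5.18.3. Anything below 5.15.16 is affected.
"""
import re

# First release of each 5.x branch that carries the fix.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OLDEST_FIXED = (5, 15, 16)


def parse_version(text):
    """Return (major, minor, patch) from strings such as '5.18.2' or
    '5.17.1-SNAPSHOT'; raise ValueError if no numeric prefix is present."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True when the version falls inside an affected range of the advisory."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        # Same branch as a fixed release: vulnerable only if older than it.
        return v < FIXED_BY_BRANCH[branch]
    # 5.14 and earlier never received a fix (all below 5.15.16 are affected);
    # branches newer than 5.18 lie outside the advisory's affected ranges.
    return v < OLDEST_FIXED


def find_vulnerable(inventory):
    """inventory: iterable of (host, version). Returns hosts needing a patch."""
    return [host for host, version in inventory if is_vulnerable(version)]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("mq-prod-01", "5.18.2"),
    ("mq-prod-02", "5.18.3"),
    ("mq-legacy", "5.14.5"),
    ("mq-dev", "5.17.6"),
    ("mq-stage", "5.16.6"),
]

if __name__ == "__main__":
    for host in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{host}: patch required for CVE-2023-46604")
```

Feed it the version strings your CMDB or broker web console reports; a version that parses but sits in a branch with no fixed release (5.14 and older) is flagged as vulnerable rather than silently skipped, since those branches will never receive the fix and must be upgraded.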
