Unmasking the Exploitation of Apache ActiveMQ's Security Flaw: The Rise of GoTitan and PrCtrl Rat

In the ever-evolving landscape of cyber threats, the recent revelation of a critical security flaw in Apache ActiveMQ has raised alarm bells. This vulnerability is being exploited with increasing frequency, leading to the distribution of a new Go-based botnet, GoTitan, and a .NET program called PrCtrl Rat, both capable of remotely taking over infected hosts.


This wave of cyberattacks capitalizes on a remote code execution bug (CVE-2023-46604, CVSS score: 10.0), which has been exploited by various hacking groups, including the notorious Lazarus Group, in recent weeks.


Once the vulnerability is successfully exploited, threat actors proceed to drop next-stage payloads from a remote server. One such payload is GoTitan, a botnet engineered to execute distributed denial-of-service (DDoS) attacks via various protocols, including HTTP, UDP, TCP, and TLS.


Cara Lin, a researcher at Fortinet FortiGuard Labs, notes, "The attacker only provides binaries for x64 architectures, and the malware performs some checks before running. It also creates a file named 'c.log' that records the execution time and program status. This file seems to be a debug log for the developer, which suggests that GoTitan is still in an early stage of development."


In addition to GoTitan, Fortinet has observed instances where the vulnerable Apache ActiveMQ servers are being targeted to deploy another DDoS botnet called Ddostf, Kinsing malware for cryptojacking, and a command-and-control (C2) framework named Sliver.


Another significant malware being disseminated is a remote access trojan called PrCtrl Rat. This malicious program establishes contact with a C2 server and receives additional commands to execute on the system, harvest files, and download files from and upload files to the server.


Lin adds, "As of this writing, we have yet to receive any messages from the server, and the motive behind disseminating this tool remains unclear. However, once it infiltrates a user's environment, the remote server gains control over the system."


This recent series of attacks underscores the critical importance of maintaining up-to-date security measures and vigilance in the face of increasingly sophisticated cyber threats.


Original at The Hacker News
