Cybercriminals Exploit ActiveMQ Flaw to Spread GoTitan Botnet, PrCtrl Rat

Cybercriminals Exploit ActiveMQ Flaw to Spread GoTitan Botnet, PrCtrl Rat

The ActiveMQ flaw has been patched, but despite this, numerous threat actors continue to exploit it.

The recently discovered GoTitan botnet is built on the Golang programming language, whereas PrCtrl Rat is a .NET program.

Fortinet’s FortiGuard Labs published new research highlighting that a critical Apache ActiveMQ vulnerability tracked as CVE-2023-46604 is under active exploitation by numerous threat actors.

Despite the release of a patch a month ago, FortiGuard researchers continue to identify various malware strains exploiting a known flaw. The persistent exploitation by cybercriminals is concerning, as it allows them to execute arbitrary code on susceptible servers.

FortiGuard Labs’ report has brought attention to several new threats, such as the emergence of a Golang-based botnet named GoTitan and a .NET program called PrCtrl Rat, which possesses remote control capabilities.

Apache recently issued an advisory regarding a vulnerability related to the deserialization of untrusted Apache data. The Cybersecurity and Infrastructure Security Agency (CISA) has categorized this flaw in its Known Exploited Vulnerabilities (KEV) catalogue, underscoring its high risk and potential impact.

Researchers claim that this flaw is currently being exploited to distribute various malware strains, including GoTitan, PrCtrl Rat, Kinsing, Silver, and Ddostff.

Silver, designed as an advanced penetration testing tool and red teaming framework, has the capability to support various callback protocols, including TCP, DNS, and HTTP(S). Kinsing malware specializes in supporting cryptojacking operations and can exploit newly discovered security vulnerabilities. On the other hand, Ddostff botnet has been widely employed in Distributed Denial of Service (DDoS) attacks since 2016.

GoTitan, a recently uncovered botnet, is coded in the Go programming language. Users typically download this botnet from a malicious URL, and it is currently compatible with x64 architectures. Upon installation, the botnet initiates a system scan and generates a debug file named c.log to document execution time and status.

Following its initial installation, GoTitan replicates itself as .mod within the system, establishing a recurring execution by registering in the Cron. To facilitate communication, the botnet retrieves the Command and Control (C2) IP address. It utilizes this connection to transmit stolen data, encompassing details about the infected device, such as memory, CPU specifications, and architecture information.

According to Fortinet Labs’ blog post, for data transmission, it uses “<==>” as separators. The message starts with “Titan<==>” whereas it communicates with the C2 by sending “FE FE” as a heartbeat signal and waits for further instructions. GoTitan supports ten different methods of launching DDoS attacks.

The exploitation process begins with the attacker establishing a connection to the ActiveMQ server using the OpenWire protocol, commonly on port 61616. Subsequently, the attacker sends a carefully crafted packet, inducing the system to unmarshal a class under their control.

This action prompts the vulnerable server to fetch and load a class configuration XML file from a designated remote URL. Within this malicious XML file, arbitrary code is defined, aiming to execute on the compromised machine.

Cybercriminals Exploit ActiveMQ Flaw to Spread GoTitan Botnet, PrCtrl Rat
GoTiten and PrCtrl Rat’s XML file (Credit: FortiGuard Labs

Technical details and proof-of-concept (PoC) code for the vulnerability are publicly accessible. Users are advised to stay vigilant against active exploits by Sliver, Kinsing, and Ddostf. Prioritizing system updates and patching is crucial, and regular monitoring of security advisories is recommended to effectively mitigate the risk of exploitation.

  1. Fake Super Mario 3 Installers Drop Crypto Miner, Data Stealer
  2. Microsoft Azure Exploited to Create Undetectable Cryptominer
  3. Hackers actively exploiting 0-day in Ubiquitous Apache Log4j tool
  4. Golang malware infecting Windows, Linux servers with XMRig miner
  5. Nitrokod Crypto Miner Hiding in Fake Microsoft, Google Translate Apps
Related Posts