
Researchers from Red Canary report that attackers are using new Linux malware called DripDropper. In these attacks the criminals exploit a critical vulnerability in the open-source Apache ActiveMQ message broker and then patch the very bug they exploited.
In these attacks the threat actors exploit the old RCE vulnerability CVE-2023-46604, which scores 10 out of 10 on the CVSS scale and is rated critical. As a reminder, the bug was disclosed and fixed in late October 2023; the fixed releases are 5.15.16, 5.16.7, 5.17.6 and 5.18.3. It is a deserialization flaw in the OpenWire protocol: an unauthenticated attacker who can reach the broker's OpenWire port (61616 by default) can manipulate serialized class types so that the broker instantiates a class of the attacker's choosing, which leads to arbitrary shell command execution.
In the latest attacks, the hackers install a backdoor on compromised systems and drop two Java Archive (JAR) files from a fixed ActiveMQ release into the installation, which effectively closes the original vulnerability. Patching the bug after infection keeps vulnerability scanners, which typically key on the ActiveMQ version, from flagging the host, so the compromise stays hidden.
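The practical problem with a post-compromise patch is that a version-based scanner now reports the host as fixed. The script below is an added example (not Red Canary's or the ActiveMQ project's code) that audits an ActiveMQ lib/ directory the way an incident responder would: it checks every activemq-*.jar against the fixed releases for CVE-2023-46604 and, more usefully, flags a lib/ directory that contains more than one ActiveMQ version, which is what a hand-applied swap of a couple of JARs leaves behind. The lib/ layout, the BELOW_FIX and MIXED_VERSIONS finding names and the sample file names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from Red Canary or the ActiveMQ project: audit an
# ActiveMQ lib/ directory for an out-of-band fix, i.e. a few JARs swapped for a
# patched release while the rest of the install stays at the vulnerable one.
# A scanner that trusts the broker's version banner or one JAR's version can
# be fooled; this looks at every activemq-*.jar in the directory.
# Fixed releases for CVE-2023-46604 (per the Apache advisory): 5.15.16,
# 5.16.7, 5.17.6, 5.18.3. The lib/ layout and the sample paths are assumed.

# version_of JARNAME -> version embedded in an activemq-<module>-<ver>.jar name
version_of() {
    printf '%s\n' "$1" | sed -n 's/^activemq-.*-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# version_lt A B -> true when release A sorts before release B
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# fixed_for_branch VERSION -> first fixed release on VERSION's branch,
# empty for branches that were never affected (5.19+, 6.x)
fixed_for_branch() {
    case "$1" in
        5.15.*) echo 5.15.16 ;;
        5.16.*) echo 5.16.7 ;;
        5.17.*) echo 5.17.6 ;;
        5.18.*) echo 5.18.3 ;;
        *)      echo "" ;;
    esac
}

# audit_activemq_lib DIR -> one finding per line; exit status 1 if any
#   BELOW_FIX <jar>      a JAR older than the fixed release on its branch
#   MIXED_VERSIONS <...> more than one ActiveMQ version in the same lib/,
#                        the signature of a partial, hand-applied patch
audit_activemq_lib() {
    dir=$1
    findings=0
    versions=""
    for jar in "$dir"/activemq-*.jar; do
        [ -e "$jar" ] || continue
        name=${jar##*/}
        v=$(version_of "$name")
        [ -n "$v" ] || continue
        versions="$versions $v"
        fixed=$(fixed_for_branch "$v")
        if [ -n "$fixed" ] && version_lt "$v" "$fixed"; then
            echo "BELOW_FIX $name ($v < $fixed)"
            findings=$((findings + 1))
        fi
    done
    distinct=$(printf '%s\n' $versions | sort -u | wc -l | tr -d ' ')
    if [ "$distinct" -gt 1 ]; then
        echo "MIXED_VERSIONS $(printf '%s\n' $versions | sort -uV | tr '\n' ' ')"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage: sh audit-activemq.sh /opt/activemq/lib
if [ "$#" -gt 0 ]; then
    audit_activemq_lib "$1"
fi
```

A MIXED_VERSIONS finding on a host that the scanner calls clean is the cue to treat the box as compromised rather than patched: complement the check with the package manager's verification (rpm -V or dpkg --verify where ActiveMQ came from a package) and with file modification times on the swapped JARs, which will postdate the original install.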
"This behavior is highly unusual, and we observe it extremely rarely," the Red Canary team says. "In the past, we've seen this only once. Most criminals follow a 'plug in and go' approach; they rarely use such sophisticated tricks."
The attackers do not rely on the bug alone. After exploiting it they deploy the Sliver implant (an open-source command-and-control framework written for pentesters and regularly abused by criminals), use it to edit the target machine's sshd configuration so that root can log in over SSH, and then drop DripDropper, an encrypted ELF built with PyInstaller, which connects to a Dropbox account controlled by the attackers and takes its instructions from there; Dropbox thus serves as the management channel for the compromised Linux servers.
Experts note that DripDropper is password-protected, which complicates both running the sample and analysing it.
"The behavior of this file varies from case to case, from monitoring processes to reaching out to Dropbox for further instructions," the Red Canary team reports. "DripDropper ensures persistent execution of the downloaded file by modifying the 0anacron file located in each /etc/cron.*/ directory. It also typically alters existing SSH-related configuration files, including changing the default login shell for the user account 'games' to /bin/sh. This presumably prepares the system by creating additional persistent access via the 'games' account, allowing attackers to execute shell commands."
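The three host-level traces described above (sshd allowing root login, a system account such as "games" given a real shell, and extra commands in the 0anacron hooks) are all cheap to check for. The script below is an added example, not Red Canary's detection logic, that looks for each of them on a live Linux host or a mounted disk image. The indicator patterns for the 0anacron check are this example's own heuristics (network fetch tools, scratch or home paths, hidden files, base64, nohup, Dropbox), the UID-below-1000 rule for "system account" is an assumption, and the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not Red Canary's detection logic: hunt a Linux host (or a
# mounted disk image) for the three traces described above: sshd_config
# permitting root login, a system account such as "games" given an
# interactive shell, and /etc/cron.*/0anacron files carrying commands that
# a stock anacron hook never runs. Every function takes a file path so it can
# run against a mounted image; the indicator patterns are this example's own
# heuristics and the sample files in the test are constructed.

# sshd_root_login FILE -> effective PermitRootLogin value. sshd uses the first
# occurrence of a keyword, and values inside "Match" blocks are conditional,
# so scanning stops at the first Match. Prints nothing when unset (OpenSSH
# then defaults to prohibit-password).
sshd_root_login() {
    [ -r "$1" ] || return 0
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print $2; exit }' "$1"
}

# interactive_system_accounts PASSWD -> "name:shell" for every account with
# UID below 1000 (root excepted) whose shell is not a no-login stub.
interactive_system_accounts() {
    [ -r "$1" ] || return 0
    awk -F: '$3 < 1000 && $1 != "root" &&
             $7 !~ /(nologin|false|sync|shutdown|halt)$/ { print $1 ":" $7 }' "$1"
}

# suspicious_anacron_lines FILE -> "lineno:line" for non-comment lines that
# fetch from the network, touch scratch or home directories, run hidden
# files, or decode/background something. A stock 0anacron only checks
# timestamps and calls /usr/sbin/anacron.
suspicious_anacron_lines() {
    [ -r "$1" ] || return 0
    awk '/^[^#]*(curl|wget|\/tmp\/|\/var\/tmp\/|\/dev\/shm\/|\/home\/|\/\.[A-Za-z0-9_-]+|base64|nohup|dropbox)/ {
             print NR ":" $0 }' "$1"
}

# hunt ROOT -> runs all three checks under ROOT ("/" for the live system,
# "/mnt/image" for a mounted image); prints findings, exit status 1 if any.
hunt() {
    root=$1
    findings=0
    if [ "$(sshd_root_login "$root/etc/ssh/sshd_config")" = "yes" ]; then
        echo "SSHD PermitRootLogin yes"
        findings=$((findings + 1))
    fi
    accts=$(interactive_system_accounts "$root/etc/passwd")
    if [ -n "$accts" ]; then
        printf 'SHELL %s\n' $accts
        findings=$((findings + 1))
    fi
    for f in "$root"/etc/cron.*/0anacron; do
        [ -f "$f" ] || continue
        lines=$(suspicious_anacron_lines "$f")
        if [ -n "$lines" ]; then
            printf 'CRON %s: %s\n' "$f" "$lines"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh hunt-dripdropper.sh /        (or the mount point of an image)
if [ "$#" -gt 0 ]; then
    hunt "$1"
fi
```

Run it against a mounted image rather than the live system where you can, since the sample reaches for Dropbox and may watch processes on the host it owns. A hit on the "games" shell or on 0anacron is worth more than the sshd finding on its own: PermitRootLogin yes is a misconfiguration on many hosts that were never attacked, while a system account with /bin/sh and a cron hook that launches something from /tmp are rarely anything but persistence.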
After installing the malware and patching the vulnerability, the attackers deliver further payloads. These can include infostealers, ransomware, or network access tools that let them move laterally across the network and infect other machines.
Researchers note that, in theory, CVE-2023-46604 should not be an issue in 2025, since it was fixed two years ago. However, not everyone applies patches promptly, and vendors are not helping matters: Oracle, for example, released a patch for this vulnerability only in January of this year, even though experts had repeatedly warned about attacks exploiting it.
