Cybercriminals are actively exploiting a critical Apache ActiveMQ vulnerability (CVE-2023-46604) in Linux cloud systems to deploy a new malware, DripDropper, paradoxically closing the hole after penetration to remain undetected.

According to Red Canary, the attacks begin by exploiting CVE-2023-46604, a critical remote code execution vulnerability with a CVSS score of 10.0 that allows arbitrary shell commands to be executed. Once inside, the attackers modify the SSH configuration so that root can log in, and then download DripDropper, a new loader packaged as a PyInstaller ELF binary that requires a password to run. It communicates with an attacker-controlled Dropbox account and serves as the channel for fetching two additional files: one provides process monitoring and command reception, the other modifies the SSH configuration as a fallback access mechanism. To maintain persistence, the malware modifies the system cron files in the /etc/cron.* directories. Finally, the attackers download the official ActiveMQ patches themselves, closing the door on competing intruders and avoiding attention.

CVE-2023-46604 was patched back in October 2023 but is still widely exploited to deliver a range of malware families, from HelloKitty ransomware and Linux rootkits to the GoTitan botnet and the Godzilla web shell. A similar tactic, exploitation followed by patching, was previously documented by the French agency ANSSI in groups linked to China. Abusing legitimate cloud services such as Dropbox or Cloudflare Tunnels has become a popular way of masking C2 activity.

The DripDropper campaign shows once again that attackers not only exploit holes but also "clean up after themselves" so that others cannot use the same vulnerabilities, which complicates attribution and investigation. To protect themselves, organisations should update affected systems without delay, restrict access to internal services via VPN or IP filtering, and closely monitor event logs in cloud environments.
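Because the campaign re-enables root login over SSH and uses a second SSH modification as a fallback, responders need to know what sshd will actually enforce, not just what the main file says. The following audit, an added example that is not code from Red Canary or the report, resolves an OpenSSH server configuration the way sshd does (first occurrence of a keyword wins, Include globs expand in place, Match blocks are skipped) and reports which file supplied each risky value; the file contents are constructed to stand in for /etc/ssh.

```python
import fnmatch
import shlex

# Constructed stand-in for the files under /etc/ssh; a real audit reads them from disk.
FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PermitRootLogin prohibit-password\n"
        "PasswordAuthentication no\n"
        "Match User deploy\n"
        "    PasswordAuthentication yes\n"
    ),
    # One dropped-in file is enough: sshd keeps the FIRST value it sees for a
    # keyword, and the Include above is processed before the main file's own lines.
    "/etc/ssh/sshd_config.d/zz-local.conf": "PermitRootLogin yes\nPasswordAuthentication yes\n",
}

def effective_settings(files: dict, root: str = "/etc/ssh/sshd_config") -> dict:
    """Global-scope settings as sshd resolves them: first occurrence wins, Include
    globs expand in place in lexical order, Match blocks are skipped.
    Returns keyword -> (value, path of the file that supplied it)."""
    settings = {}
    def walk(path: str) -> None:
        for raw in files.get(path, "").splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
            if not line:
                continue
            parts = shlex.split(line)
            key, values = parts[0].lower(), parts[1:]
            if key == "match":                    # rest of this file is conditional
                return
            if key == "include":
                for pattern in values:
                    for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                        walk(inc)
                continue
            settings.setdefault(key, (" ".join(values), path))
    walk(root)
    return settings

def audit(files: dict) -> list:
    """Report the settings that would allow root to log in over SSH, with their origin."""
    s = effective_settings(files)
    findings = []
    for key, bad, default in (("permitrootlogin", "yes", "prohibit-password"),
                              ("passwordauthentication", "yes", "yes")):
        value, src = s.get(key, (default, "<compiled-in default>"))
        if value == bad:
            findings.append(f"{key}={value} from {src}")
    return findings
```

On a live host, `sshd -T` prints the same resolved view; the script's advantage is that it names the drop-in file responsible, which is what a cron- or file-integrity alert on /etc/ssh should be correlated against.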