The recently disclosed critical security flaw affecting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat which enables remote control of infected hosts.
The attacks involve exploiting a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) that various hacking crews, including the Lazarus Group, have weaponized in recent weeks.
After a successful breach, threat actors have been observed to drop next-stage payloads from a remote server, one of which is GoTitan, a botnet designed for orchestrating distributed denial-of-service (DDoS) attacks through protocols such as HTTP, UDP, TCP, and TLS.
“The attacker only provides a binary for x64 architectures, and the malware performs some checks before running,” Fortinet FortiGuard Labs researcher Cara Lin said in an analysis on Tuesday.
“It also creates a file named ‘c.log’ that records the execution time and state of the program. This file appears to be a debug log for the developer, suggesting that GoTitan is still in the early stages of development.”
Fortinet said it also observed instances where Apache ActiveMQ servers were targeted to deploy another DDoS botnet called Ddostf, Kinsing malware for cryptojacking, and a command-and-control (C2) framework named Sliver.
Another notable malware delivered is a remote access trojan called PrCtrl Rat that establishes contact with a C2 server to receive additional commands for execution on the system, harvesting files, and downloading and uploading files from and to the server.
“As of this writing, we have not received any messages from the server, and the motive for spreading this tool remains unclear,” Lin said. “However, once it infiltrates a user’s environment, the remote server gains control of the system.”