Despite being hidden inside an unknown binary format, the JSP code was picked up and run by the Java web server as a valid script.
“Apparently, the Jetty JSP engine, which is the built-in web server in Apache ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated within the unknown binary,” Trustwave stated. “Further analysis of the Java code generated by Jetty confirmed that the web shell code was transformed into Java code and was therefore executed.”
This attack technique can effectively circumvent security measures, evading detection by security endpoints during scanning.
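The practical lesson of the finding above is that a web shell does not need a .jsp extension or a clean text file to be compiled: the container only needs to see the JSP markers. The scanner below is an added defensive example, not code from the article or from Trustwave, that walks a directory and reports any file containing JSP directive/scriptlet markers when that file is either not a plain .jsp source or is mostly non-printable bytes. The sample directory it builds is constructed for the demonstration; the real directory to scan (for instance the deployed webapps or the container's work directory) is an assumed argument.

```python
import os
import re
import tempfile
from typing import List, Optional

# Markers that indicate JSP directive/scriptlet content. Because the container
# compiled the embedded code regardless of the surrounding bytes, we look for
# these in every file, not only in *.jsp.
JSP_MARKERS = (
    re.compile(rb"<%@\s*page\b"),   # page directive
    re.compile(rb"<%[^@]"),         # scriptlet or expression opener
    re.compile(rb"%>"),             # tag close
)
JSP_EXTENSIONS = {".jsp", ".jspx"}


def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII plus tab/CR/LF."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return 1.0 - printable / len(data)


def find_embedded_jsp(path: str) -> Optional[dict]:
    """Return a finding if the file carries JSP markers but is not an ordinary
    text JSP source (wrong extension or binary-looking content), else None."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = [m.pattern.decode() for m in JSP_MARKERS if m.search(data)]
    if len(hits) < 2:  # require at least an opener and a close
        return None
    ext = os.path.splitext(path)[1].lower()
    ratio = nonprintable_ratio(data)
    if ext in JSP_EXTENSIONS and ratio < 0.05:
        return None  # plain JSP source; a different review covers those
    return {"path": path, "ext": ext,
            "nonprintable_ratio": round(ratio, 3), "markers": hits}


def scan_tree(root: str) -> List[dict]:
    """Walk `root` (assumed: the web-app or work directory) and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            finding = find_embedded_jsp(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree() -> str:
    """Constructed sample data: a benign JSP, a plain binary, and a binary with
    a harmless JSP snippet embedded mid-file (no shell functionality)."""
    root = tempfile.mkdtemp(prefix="jsp-scan-")
    with open(os.path.join(root, "index.jsp"), "wb") as fh:
        fh.write(b'<%@ page contentType="text/html" %><html><% out.println("hi"); %></html>')
    with open(os.path.join(root, "image.bin"), "wb") as fh:
        fh.write(bytes(range(256)) * 4)
    with open(os.path.join(root, "payload.dat"), "wb") as fh:
        fh.write(bytes(range(128, 256)) * 3
                 + b'<%@ page import="java.util.Date" %><% out.println(new Date()); %>'
                 + bytes(range(128, 256)) * 3)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f)
```

Only the embedded snippet inside the binary-looking payload.dat is reported; the ordinary index.jsp is skipped because it is a text file with a JSP extension. Tune the 0.05 threshold and the extension set to the deployment being checked.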
Godzilla deploys a multi-functional backdoor
Once the JSP code is successfully deployed, threat actors can use the web shell via the Godzilla management client interface to gain full control over the target system.
The Godzilla web shell includes a set of malicious functionalities, including viewing network details, conducting port scans, executing Mimikatz and Meterpreter commands, running shell commands, remotely managing SQL databases, and injecting shellcode into processes.
Dropping Godzilla isn’t the first abuse of the bug: since its public disclosure in October 2023, it has been actively exploited by attackers for cryptomining, remote access trojans and ransomware. Affected versions include Apache ActiveMQ 5.18.0 (before 5.18.3), 5.17.0 (before 5.17.6), 5.16.0 (before 5.16.7), and Apache ActiveMQ before 5.15.16.
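To turn the version list above into an inventory check, the following added example (not from the article) encodes exactly the four affected ranges it names as half-open intervals and classifies a constructed list of hosts. The hostnames and version strings are made up for the demonstration; the ranges themselves are the ones stated above.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in the article, as (floor, first fixed release).
# The last entry covers "Apache ActiveMQ before 5.15.16".
AFFECTED_RANGES = (
    ((5, 18, 0), (5, 18, 3)),
    ((5, 17, 0), (5, 17, 6)),
    ((5, 16, 0), (5, 16, 7)),
    ((0, 0, 0), (5, 15, 16)),
)


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from strings such as '5.18.2' or
    'ActiveMQ 5.17.1-SNAPSHOT'; return None when no triple is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is at or
    past the fixed release, None if the string cannot be parsed."""
    v = parse_version(version)
    if v is None:
        return None
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames into 'affected', 'fixed' and 'unknown' buckets."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "ActiveMQ 5.18.3",
    "mq-legacy": "5.15.9",
    "mq-test": "5.16.7",
    "mq-old-branch": "5.17.1-SNAPSHOT",
    "mq-broken-banner": "n/a",
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(bucket, hosts)
```

Because the intervals are half-open, the first fixed release in each branch (5.18.3, 5.17.6, 5.16.7, 5.15.16) is classified as fixed, and anything newer than the listed branches is also treated as not affected, matching the wording of the advisory summary above.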