A Stealthy Godzilla Webshell: A New Threat Targeting Apache ActiveMQ

In recent weeks, cybersecurity experts at Trustwave have detected a surge in cyberattacks exploiting vulnerabilities in Apache ActiveMQ hosts. These attacks have led to the discovery of a stealthy web shell known as the Godzilla Webshell that is concealed within an unknown binary format.

The root of this threat lies in a critical vulnerability designated as CVE-2023-46604 within the Apache ActiveMQ software. This vulnerability arises from unsafe deserialization practices in the OpenWire protocol, allowing malicious actors to execute arbitrary shell commands and potentially gain unauthorized access to target systems. The situation escalated with the public release of a proof-of-concept (PoC) exploit in October 2023, enabling threat actors to deploy a range of malicious payloads, including crypto-miners, rootkits, ransomware, and remote access trojans.

The malicious file was planted in the same directory of the Apache ActiveMQ admin page

Trustwave’s Global Threat Operations team recently stumbled upon a suspicious JSP (Java Server Pages) file within a server hosting a vulnerable instance of Apache ActiveMQ. What caught their attention was the fact that the malicious code was encapsulated within an unidentified binary structure, marked by a peculiar “FLR” magic header.

This JSP file was cunningly planted within the “admin” folder of the ActiveMQ installation directory, where server scripts for the administrative and web management console reside.

Further investigation revealed that this JSP code was from an open-source web shell known as the Godzilla Webshell. What made these files stand out was their use of an unknown binary format, which has the potential to bypass security measures and evade detection during scanning. The integrated Jetty JSP engine in Apache ActiveMQ surprisingly parsed, compiled, and executed the embedded Java code encapsulated within the unknown binary.

The enigmatic data in the binary was sent to the client’s browser using the “out.write()” function, resulting in the display of unintelligible characters when accessing the web shell from a browser. However, the web shell code itself was absent, as it had been transformed into Java code and executed on the server side.

Once the JSP payload is successfully exploited and deployed, threat actors gain access to the Godzilla Webshell’s management user interface, providing them with complete control over the compromised system.

The Godzilla Webshell is a powerful tool in the hands of malicious actors, offering a wide range of functionalities, including:

1. Viewing network details
2. Conducting port scans
3. Executing Mimikatz commands
4. Running Meterpreter commands
5. Executing shell commands
6. Remotely managing SQL databases
7. Injecting shellcode into processes
8. Handling file management tasks

To mitigate the threat posed by the Godzilla Webshell and the underlying CVE-2023-46604 vulnerability, users are strongly advised to upgrade both brokers and clients to one of the following versions: 5.15.16, 5.16.7, 5.17.6, or 5.18.3. These versions contain fixes that address the vulnerability.

The discovery of the Godzilla Webshell within the context of the Apache ActiveMQ vulnerability CVE-2023-46604 serves as a stark reminder of the evolving threat landscape in cybersecurity. The use of unknown binary formats to conceal web shells adds a layer of complexity to the detection and mitigation of such threats. Organizations are urged to stay vigilant, promptly patch their systems, and employ advanced security measures to safeguard their assets from emerging threats like the Godzilla Webshell.