Despite being hidden inside an unknown type of binary, the JSP code was picked up and run by the Java web server as a legitimate script.
“Curiously, the Jetty JSP engine, which is the built-in web server in Apache ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated within the unknown binary,” Trustwave stated. “Further examination of the Java code generated by Jetty confirmed that the web shell code was transformed into Java code and subsequently executed.”
This attack technique can effectively bypass security controls, evading detection by endpoint security products during scanning.
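A defender-side heuristic for the behaviour described above (JSP tags that still get compiled even though they sit inside an otherwise binary blob), added here as an example and not taken from the Trustwave report: it flags files that are mostly non-text yet contain `<% ... %>` spans, which is exactly the shape a JSP-in-binary drop has. The sample blobs are constructed and the JSP fragment in them is benign.

```python
import re
import string

# Constructed samples: a benign JSP fragment wrapped in non-text bytes stands in
# for "JSP code hidden inside an unknown binary"; the others are controls.
SAMPLE_SUSPICIOUS = (
    bytes(range(0, 256)) * 2
    + b'<%@ page import="java.util.*" %><% out.println("hi"); %>'
    + bytes(range(255, -1, -1))
)
SAMPLE_PLAIN_JSP = b'<%@ page language="java" %>\n<html><% out.println(1); %></html>\n'
SAMPLE_BINARY = bytes(range(0, 256)) * 4

# Directive (<%@), declaration (<%!), expression (<%=) and scriptlet (<%) openers.
JSP_OPEN = re.compile(rb"<%[@!=]?")
JSP_CLOSE = b"%>"
TEXT_BYTES = set(string.printable.encode())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; real text files sit near 1.0."""
    if not data:
        return 1.0
    return sum(b in TEXT_BYTES for b in data) / len(data)


def find_jsp_fragments(data: bytes) -> list[bytes]:
    """Return every <% ... %> span in the blob (a plain byte scan, not a JSP parser)."""
    fragments = []
    for match in JSP_OPEN.finditer(data):
        end = data.find(JSP_CLOSE, match.end())
        if end != -1:
            fragments.append(data[match.start():end + len(JSP_CLOSE)])
    return fragments


def classify(data: bytes, text_threshold: float = 0.9) -> str:
    """'embedded-jsp' when JSP tags sit inside a mostly non-text blob (the case worth
    alerting on), 'jsp' for an ordinary text JSP, 'text' or 'binary' otherwise."""
    fragments = find_jsp_fragments(data)
    is_text = printable_ratio(data) >= text_threshold
    if fragments and not is_text:
        return "embedded-jsp"
    if fragments:
        return "jsp"
    return "text" if is_text else "binary"


if __name__ == "__main__":
    for name in ("SAMPLE_SUSPICIOUS", "SAMPLE_PLAIN_JSP", "SAMPLE_BINARY"):
        print(name, "->", classify(globals()[name]))
```

Run it over the web application and deployment directories of a Jetty-hosted service to surface files whose content type does not match what the JSP engine would still happily compile.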
Godzilla deploys a multi-functional backdoor
Once the JSP code is successfully deployed, threat actors can use the web shell through the Godzilla management user interface to gain full control over the target system.
The Godzilla web shell includes a range of malicious functionality, including viewing network details, conducting port scans, executing Mimikatz and Meterpreter commands, running shell commands, remotely managing SQL databases, and injecting shellcode into processes.
Dropping Godzilla is not the first abuse of the bug: since its public disclosure in October 2023 it has been actively exploited by attackers for cryptomining, remote access trojans and ransomware. Affected versions include Apache ActiveMQ 5.18.0 (before 5.18.3), 5.17.0 (before 5.17.6), 5.16.0 (before 5.16.7), and Apache ActiveMQ before 5.15.16.