Full Report
On 2024-01-18, a campaign was reported in which an unknown actor gained initial access through a 1-day vulnerability in Apache ActiveMQ and used the resulting foothold for resource hijacking. The following tools were observed: Godzilla.
Analysis Summary
# Tool/Technique: Godzilla
## Overview
Godzilla is a publicly available web shell used by threat actors to maintain persistence and execute arbitrary commands on compromised web servers. The operator runs a Java client; the server-side component dropped on the victim is a small JSP, ASP/ASPX, or PHP script, and traffic between the two is encrypted with an operator-chosen key. In this reported campaign, it was deployed after initial compromise of Apache ActiveMQ via a recently disclosed (1-day) vulnerability.
## Technical Details
- Type: Tool (Web Shell)
- Platform: Web servers that execute JSP, ASP/ASPX, or PHP; observed here on Apache ActiveMQ instances (the broker embeds a Jetty-based web console, so the JSP variant is the one that applies).
- Capabilities: Remote command execution, file management, database interaction, and establishing persistence.
- First Seen: In this campaign, 2024-01-18. The tool itself predates the campaign; the date is the report date, not the first appearance of Godzilla.
## MITRE ATT&CK Mapping
- **TA0001** - Initial Access
- **T1190** - Exploit Public-Facing Application (leveraged through the 1-day vulnerability in Apache ActiveMQ)
- **TA0003** - Persistence
- **T1505.003** - Server Software Component: Web Shell
- **TA0002** - Execution
- **T1059** - Command and Scripting Interpreter (commands received by the shell are handed to the host's command interpreter; the sub-technique depends on the host operating system, which the report does not state)
- **TA0040** - Impact
- **T1496** - Resource Hijacking (the reported outcome of the intrusion)
## Functionality
### Core Capabilities
- **Remote Control:** Allowing the attacker to execute system commands remotely via web requests.
- **File System Operations:** Uploading, downloading, editing, and deleting files on the victim server.
- **Database Interaction:** Capabilities often include direct database querying (e.g., MySQL, MSSQL).
### Advanced Features
- **Stealthy Deployment:** As a web shell, it masquerades as a legitimate application file within the web directory structure, and because its request and response bodies are encrypted, simple content inspection of the traffic does not reveal the commands being run.
- **Resource Hijacking:** The reported impact is resource hijacking, meaning the shell was used to put the server's resources to the attacker's own use (e.g., cryptocurrency mining or launching further attacks).
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: Primarily observed as a deployed web shell file (specific name not detailed, but typically chosen to blend in with the application's existing files).
- Registry Keys: [Not applicable: the shell lives in the web application directory. Registry artifacts would only arise on a Windows host through follow-on activity.]
- Network Indicators: [C2 takes place over ordinary HTTP/HTTPS requests to the URL of the dropped shell. Because Godzilla encrypts the bodies, the usable indicators are the path, the method and volume pattern, and timing rather than body content.]
- Behavioral Indicators: Repeated POST requests to a script that the application did not ship with, carrying opaque (encrypted) bodies, targeting the web application path.
## Associated Threat Actors
- ❓Unknown (Actor utilizing this initial access vector and tool combination is currently unattributed according to the report source).
## Detection Methods
- **Signature-based detection:** Signatures targeting the known Godzilla server-side script templates on disk. Signatures on request bodies are weak against Godzilla because the bodies are encrypted with a per-operator key.
- **Behavioral detection:** Monitoring for HTTP requests to unusual file extensions or newly created/modified files in web application directories that exhibit characteristics of dynamic code execution, and for the broker process spawning child processes.
- **YARA rules:** Rules targeting the distinctive decrypt-and-load code in the Godzilla server-side script templates rather than anything in the network traffic.
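The behavioral detection above, as an added example that is not part of the original report: a small scanner over web server access log lines in combined format that flags POST traffic to a dynamic script the application is not known to serve. Because Godzilla encrypts request and response bodies, the heuristic deliberately uses only the fields an access log records (client, method, path, referer). The log lines, the IP addresses, the `evil.jsp` path and the `KNOWN_ENDPOINTS` baseline are all constructed for the example.

```python
"""Flag web-shell-like traffic in access log lines (added example, not from the report).

Heuristics:
  1. a POST to a dynamic script (.jsp/.jspx/.php/.aspx/.asp) that is not in the
     baseline of endpoints the deployed application is known to serve;
  2. repeated such POSTs from one client with no Referer, which is how a web
     shell client talks to its dropped file (a browser-driven app sets one).
"""
import re
from collections import Counter, defaultdict

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

DYNAMIC_EXT = (".jsp", ".jspx", ".php", ".aspx", ".asp")

# Hypothetical baseline: endpoints the deployed application legitimately serves.
KNOWN_ENDPOINTS = {"/admin/index.jsp", "/admin/queues.jsp", "/api/jolokia"}

# Constructed sample log; hosts, paths and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jan/2024:10:01:02 +0000] "GET /admin/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Jan/2024:10:01:05 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 8311 "http://broker/admin/index.jsp" "Mozilla/5.0"
10.0.0.5 - - [18/Jan/2024:10:01:09 +0000] "POST /admin/queues.jsp HTTP/1.1" 302 0 "http://broker/admin/queues.jsp" "Mozilla/5.0"
203.0.113.9 - - [18/Jan/2024:10:07:41 +0000] "POST /admin/evil.jsp HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Jan/2024:10:07:42 +0000] "POST /admin/evil.jsp HTTP/1.1" 200 1856 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Jan/2024:10:07:45 +0000] "POST /admin/evil.jsp HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Jan/2024:10:09:00 +0000] "POST /api/jolokia HTTP/1.1" 200 221 "-" "curl/8.0"
"""


def parse(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_candidates(log_text, known_endpoints=KNOWN_ENDPOINTS, min_posts=2):
    """Return {path: {"clients": [...], "posts": n, "no_referer": n}} for suspicious paths."""
    posts = defaultdict(Counter)   # path -> Counter(client ip)
    no_referer = Counter()         # path -> POSTs that carried no Referer
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        # Only dynamic scripts matter, and only ones the application did not ship with.
        if not path.lower().endswith(DYNAMIC_EXT) or path in known_endpoints:
            continue
        posts[path][rec["ip"]] += 1
        if rec["referer"] in ("", "-"):
            no_referer[path] += 1
    findings = {}
    for path, by_ip in posts.items():
        total = sum(by_ip.values())
        if total >= min_posts:
            findings[path] = {"clients": sorted(by_ip), "posts": total,
                              "no_referer": no_referer[path]}
    return findings


if __name__ == "__main__":
    for path, info in find_webshell_candidates(SAMPLE_LOG).items():
        print(path, info)
```

The baseline is what makes this usable: without `KNOWN_ENDPOINTS` the legitimate POST to `/admin/queues.jsp` would be reported too. In a real deployment, build the baseline from the paths the application actually serves on a clean install, and alert on any POST to a dynamic script outside it, since a single such request is already worth a look.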
## Mitigation Strategies
- **Prevention measures:** Patching the 1-day vulnerability in Apache ActiveMQ immediately upon publication.
- **Hardening recommendations:** Run the broker and its embedded web console as a dedicated unprivileged account; make the web application and installation directories read-only to that account and monitor them for new or changed files; segment the broker so that only its producers, consumers and administrators can reach it.
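A way to enforce the "restrict write access and watch for new files" recommendation above, as an added example that is not part of the original report: a baseline-and-audit script that hashes every file in a web application directory after deployment, then reports anything new, modified, deleted, or writable by group/others. The directory layout (`admin/index.jsp`, `admin/evil.jsp`) and the simulated drop are constructed; the path of a real ActiveMQ install's web directory is an operator input.

```python
"""Audit a web application directory against a hash baseline (added example, not from the report).

Assumes the operator took a baseline (sha256 per file) immediately after a clean
deployment. Anything that later appears, changes, disappears, or is writable by
group/others is reported; a web shell drop shows up as "new" or "modified".
"""
import hashlib
import os
import stat
import tempfile


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large jars do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                baseline[os.path.relpath(full, root)] = file_sha256(full)
    return baseline


def audit(root, baseline):
    """Return sorted (kind, relpath) findings; kind is new|modified|deleted|writable."""
    findings = []
    current = take_baseline(root)
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("new", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
        mode = os.stat(os.path.join(root, rel)).st_mode
        # A deployed web directory should not be group/world writable: a
        # low-privilege foothold could otherwise drop a shell straight into it.
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("writable", rel))
    for rel in baseline:
        if rel not in current:
            findings.append(("deleted", rel))
    return sorted(findings)


def demo():
    """Build a constructed web tree, baseline it, then simulate a post-exploitation drop."""
    root = tempfile.mkdtemp(prefix="webapps-")
    admin = os.path.join(root, "admin")
    os.makedirs(admin)
    index = os.path.join(admin, "index.jsp")
    with open(index, "w") as f:
        f.write("<%-- legitimate page (constructed) --%>\n")
    os.chmod(index, 0o644)
    baseline = take_baseline(root)

    # Simulated compromise: a new JSP appears, an existing one is edited,
    # and the new file is left world-writable. Placeholder content, not a real shell.
    evil = os.path.join(admin, "evil.jsp")
    with open(evil, "w") as f:
        f.write("<%-- constructed placeholder --%>\n")
    os.chmod(evil, 0o666)
    with open(index, "a") as f:
        f.write("<%-- injected (constructed) --%>\n")
    return audit(root, baseline)


if __name__ == "__main__":
    for kind, rel in demo():
        print(kind, rel)
```

Store the baseline off the host (an attacker who can write the web directory can also rewrite a baseline kept beside it), and re-take it only as part of a deployment, so that every "new" or "modified" finding between deployments is something a person has to explain.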
## Related Tools/Techniques
- Other general-purpose web shells such as China Chopper, WSO Shell, or various JSP/ASPX shells.
---
# Tool/Technique: 1-Day Vulnerability (Targeting Apache ActiveMQ)
## Overview
This refers to a publicly disclosed vulnerability in Apache ActiveMQ for which a vendor fix already existed but had not been applied on the target (a 1-day). The unknown actor exploited it to gain initial access, which led directly to the deployment of the Godzilla web shell and, from there, to resource hijacking.
## Technical Details
- Type: Technique
- Platform: Apache ActiveMQ (Messaging Broker)
- Capabilities: Allowed unauthorized code execution or command injection, leading to remote code execution (RCE) or file write capabilities necessary to deploy the web shell.
- First Seen: Exploited around 2024-01-18.
## MITRE ATT&CK Mapping
- **TA0001** - Initial Access
- **T1190** - Exploit Public-Facing Application
## Functionality
### Core Capabilities
- Exploitation of a flaw in the Apache ActiveMQ application logic or deserialization/parsing routines.
### Advanced Features
- The exploit was immediately leveraged to drop and execute the Godzilla payload, indicating confidence in achieving remote code execution (RCE) or similar capabilities.
## Indicators of Compromise
- File Hashes: [Not specific to the exploitation itself; relevant to artifacts dropped afterwards, such as the Godzilla shell.]
- File Names: [Initial exploitation artifacts are likely transient.]
- Network Indicators: Traffic characteristic of exploiting the ActiveMQ flaw, directed at whichever ActiveMQ listener was exposed (the broker protocol ports or the web console); the report does not say which.
- Behavioral Indicators: The broker's JVM spawning child processes, writing files into the web application directory, or opening outbound connections, none of which a message broker does in normal operation.
## Associated Threat Actors
- ❓Unknown
## Detection Methods
- **Signature-based detection:** Signatures targeting the specific exploit payload used against the ActiveMQ service.
- **Behavioral detection:** Monitoring the ActiveMQ service for child processes, outbound connections, or file creation that deviate from normal broker traffic.
- **Vulnerability Scanning:** Running specific checks for the unpatched version of ActiveMQ.
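The vulnerability-scanning item above, as an added example that is not part of the original report. The report does not name the flaw or its fixed versions, so the `FIXED_BY_BRANCH` table below is a constructed placeholder (branch numbers 5.90 and 5.91 do not correspond to any real ActiveMQ release) that an operator would fill in from the vendor advisory. The point the code makes is that a 1-day fix usually ships on several maintenance branches at once, so a single "version >= X" comparison is wrong; the check has to be done within the installed branch, and a branch with no listed fix is treated as vulnerable. The jar names and version line in `SAMPLE_ARTIFACTS` are also constructed.

```python
"""Branch-aware "is this ActiveMQ build at a fixed version?" check (added example, not from the report).

Inputs are whatever version evidence a host yields: jar file names such as
activemq-all-<ver>.jar, or the output of the broker's --version command.
"""
import re

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")

# Constructed placeholder: (major, minor) branch -> first fixed release on that branch.
# Fill from the vendor advisory for the actual flaw; these numbers are not real.
FIXED_BY_BRANCH = {
    (5, 90): (5, 90, 4),
    (5, 91): (5, 91, 2),
}

# Constructed evidence as it might be collected from a host.
SAMPLE_ARTIFACTS = [
    "activemq-all-5.90.3.jar",     # on a fixed branch, but below the fix
    "activemq-broker-5.91.2.jar",  # exactly the fixed release
    "ActiveMQ 5.89.1",             # branch with no fix listed at all
    "README.txt",                  # carries no version
]


def parse_version(text):
    """Extract the first x.y.z version from a jar name or --version line."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_patched(version, fixed_by_branch):
    """Compare within the maintenance branch (major.minor). Returns (ok, reason)."""
    branch = version[:2]
    fixed = fixed_by_branch.get(branch)
    if fixed is None:
        return False, "branch %d.%d has no listed fix; treat as vulnerable" % branch
    fixed_str = ".".join(map(str, fixed))
    if version >= fixed:
        return True, "at or above fixed release %s" % fixed_str
    return False, "below fixed release %s" % fixed_str


def assess_install(artifacts, fixed_by_branch):
    """artifact -> (version string, patched?, reason) for every artifact that carries a version."""
    results = {}
    for item in artifacts:
        v = parse_version(item)
        if v is None:
            continue
        ok, why = is_patched(v, fixed_by_branch)
        results[item] = (".".join(map(str, v)), ok, why)
    return results


if __name__ == "__main__":
    for item, (ver, ok, why) in assess_install(SAMPLE_ARTIFACTS, FIXED_BY_BRANCH).items():
        print("%-28s %-8s %s (%s)" % (item, ver, "OK" if ok else "VULN", why))
```

Two caveats a scanner should carry with it. A patched jar on disk says nothing about the running broker: the JVM loads its classes at start-up, so an instance that was not restarted after the upgrade is still running the old code. And a "patched" result only tells you the window is now closed, not that nothing came through it; if the host was exposed between disclosure and patching, hunt for the shell and for miner activity regardless.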
## Mitigation Strategies
- **Prevention measures:** Immediate patching of Apache ActiveMQ to the vendor-released version that addresses the 1-day flaw.
- **Hardening recommendations:** Do not expose ActiveMQ directly to the internet if at all possible; otherwise restrict access with network firewall rules or ACLs to the producers, consumers and administrators that need it. Note that a WAF only covers the HTTP web console, not the broker's own protocol listeners.
## Related Tools/Techniques
- Exploitation chains that begin with remote code execution in a message broker or other internet-exposed middleware and end with a dropped web shell.