Malicious actors have been observed exploiting a critical vulnerability, CVE-2023-46604, in Apache ActiveMQ.
Over the past few weeks, FortiGuard Labs has identified several malicious actors leveraging this vulnerability to deliver multiple strains of malware.
Among the findings is the emergence of a new Golang-based botnet called GoTitan. This sophisticated botnet has raised concerns due to its ability to spread various strains of malware.
GoTitan has been observed being downloaded from a malicious URL and has a particular focus on x64 architectures. Although still at an early stage of development, the malware replicates itself within systems, establishes recurring execution via cron, and collects critical information about compromised endpoints.
A .NET program called PrCtrl Rat has also emerged as a cyber threat targeting the Apache vulnerability. The malware, with remote control capabilities, uses a .NET framework, allowing it to execute commands and potentially establish a persistent presence on compromised systems.
Additionally, researchers identified other familiar malware and tools in the ongoing exploits. Sliver, created as an advanced penetration testing and red teaming framework, has been used maliciously by threat actors. It supports various callback protocols such as DNS, TCP, and HTTP(S), which makes it easier for its traffic to leave a compromised network.
FortiGuard added that Kinsing has also established itself as a force in cryptojacking operations, demonstrating its ability to rapidly exploit newly discovered vulnerabilities.
The team also identified Ddostf, a malware strain with a history dating back to 2016, which retains its ability to execute targeted distributed denial of service (DDoS) attacks and is now being delivered through the same Apache flaw.
According to an advisory published Tuesday by Fortinet, the seriousness of the situation is highlighted by the fact that, despite a critical advisory from Apache and the release of a patch more than a month ago, malicious actors persist in exploiting CVE-2023-46604.
“Users should remain vigilant against ongoing exploits from Sliver, Kinsing, and Ddostf,” the tech note reads. “It is crucial to prioritize system updates and patches and regularly monitor security advisories to effectively mitigate exploitation risk.”