CryptoSecurity

Patched Apache ActiveMQ bug abused to drop Godzilla web shells

Despite being concealed within an unknown type of binary, the JSP code was picked up and run by the Java web server as a valid script.

“Interestingly, the Jetty JSP engine, which is the integrated web server in Apache ActiveMQ, actually parsed, compiled and executed the embedded Java code that was encapsulated in the unknown binary,” Trustwave said. “Further examination of the Java code generated by Jetty showed that the web shell code was converted into Java code and therefore was executed.”

This technique can circumvent security controls, evading detection by endpoint security products that scan files on disk.
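A defender-side check for the pattern described above, added here as an example and not code from the article or from Trustwave: it walks a web root and flags files that carry JSP scriptlet markers inside otherwise binary content, or alongside strings typical of Java web-shell bodies. The directory layout, the byte-ratio threshold and the sample content are constructed assumptions.

```python
"""
Hunt for JSP scriptlets hidden inside non-text files under a web root.
Example code, not from the article or Trustwave; the paths, the
binary heuristic threshold and any sample content are constructed.
"""
from pathlib import Path

# JSP markers that a JSP engine such as Jetty's will compile wherever
# they appear in a file it has been told to treat as a JSP.
JSP_MARKERS = (b"<%@ page", b"<%@page", b"<% ", b"<%=", b"<jsp:")

# Strings commonly present in Java web-shell bodies (generic, not
# Godzilla-specific indicators).
SUSPICIOUS_CALLS = (b"Runtime.getRuntime", b"ProcessBuilder",
                    b"defineClass", b"Cipher.getInstance")


def looks_binary(data: bytes, sample: int = 4096) -> bool:
    """Heuristic: a NUL byte, or a high share of non-printable bytes, in the head."""
    head = data[:sample]
    if not head:
        return False
    if b"\x00" in head:
        return True
    nonprint = sum(1 for b in head if b < 9 or 13 < b < 32 or b > 126)
    return nonprint / len(head) > 0.3  # assumed threshold


def scan_bytes(data: bytes) -> dict:
    """Return findings for one file's content; 'flag' is True when the
    file carries JSP markers wrapped in binary data or next to suspicious calls."""
    markers = [m.decode() for m in JSP_MARKERS if m in data]
    calls = [c.decode() for c in SUSPICIOUS_CALLS if c in data]
    binary = looks_binary(data)
    return {
        "binary": binary,
        "jsp_markers": markers,
        "suspicious_calls": calls,
        "flag": bool(markers) and (binary or bool(calls)),
    }


def scan_webroot(root: Path) -> list:
    """Walk a directory tree and return (path, findings) for flagged files."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            result = scan_bytes(p.read_bytes())
            if result["flag"]:
                hits.append((str(p), result))
    return hits
```

Run `scan_webroot(Path("/path/to/activemq/webapps"))` against the broker's web root; files with a legitimate `.jsp` extension that only contain `out.println` style markup will not be flagged unless they are also binary-wrapped.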

Godzilla deploys a multi-functional backdoor

Once the JSP code is successfully deployed, threat actors can use the web shell through the Godzilla management user interface to gain complete control over the target system.

The Godzilla web shell features a set of malicious functionalities, including viewing network details, conducting port scans, executing Mimikatz and Meterpreter commands, running shell commands, remotely managing SQL databases, and injecting shellcode into processes.

Dropping Godzilla is not the first abuse of the bug: since its public disclosure in October 2023, attackers have actively exploited it to deploy crypto miners, remote access trojans and ransomware. Affected versions include Apache ActiveMQ 5.18.0 (before 5.18.3), 5.17.0 (before 5.17.6), 5.16.0 (before 5.16.7), and Apache ActiveMQ before 5.15.16.
