- Researchers spotted cybercriminals abusing a bug to access a cloud Linux server
- The hackers then patched the flaw themselves, closing the door behind them
- There are several possible reasons for fixing a flaw after exploiting it
A hacker was recently spotted patching someone’s vulnerable cloud Linux instance – but they did not do it out of the goodness of their heart.
Security researchers at Red Canary observed a threat actor abusing a maximum-severity flaw, tracked as CVE-2023-46604, to break into a cloud Linux system.
The vulnerability is a remote code execution bug in Apache ActiveMQ; exploiting it got the attackers onto the host and, among other things, let them establish persistent access. After breaking in, however, they patched the bug, essentially locking the door behind them.
DripDropper
Red Canary argues that there are several reasons why a cybercriminal might fix a flaw after exploiting it, including locking out other adversaries and hiding their tracks.
The former makes a lot of sense, given that cybercriminals often compete for control of the same compromised endpoints.
Besides patching the flaw, the attackers did a number of other things, including installing a Sliver implant (an open-source command-and-control framework), which gave them unrestricted remote access to the system.
They also modified the existing sshd configuration file to enable root login over SSH, and then installed a previously unknown downloader that Red Canary named "DripDropper".
The downloader itself is fairly sophisticated: it requires a password to run, which hinders sandbox analysis.
It communicates with the operators through a Dropbox account, using hardcoded bearer tokens. Because Dropbox and similar services (Telegram, Discord) are legitimate and widely used, command-and-control traffic to them blends in with normal activity and is harder to spot. Finally, DripDropper is most likely used to deploy two separate pieces of malware.
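Two of the changes described above leave artifacts a defender can check for on a Linux host: an sshd configuration edited to permit root login, and a binary that carries a hardcoded Dropbox API bearer token. The script below is an added example written for this page, not Red Canary's tooling or DripDropper itself; the sshd_config text and the "binary" blob are constructed samples, and the bearer-token pattern is an assumed generic shape rather than a real Dropbox token format. It also shows a subtlety the text does not: sshd honours the first occurrence of a keyword, so where in the file the attacker's line lands matters.

```python
"""Added example: host checks for two DripDropper-style post-exploitation
artifacts (PermitRootLogin tampering, hardcoded Dropbox bearer tokens).
Not the original tooling; samples below are constructed."""
import re

# sshd uses the FIRST value it reads for a keyword and ignores later
# duplicates, and a keyword inside a "Match" block only applies to sessions
# matching that block. An attacker who appends "PermitRootLogin yes" to the
# end of a file that already sets it to "no" changes nothing; inserting it
# near the top, or into a file pulled in by Include, does.
def effective_permit_root_login(config_text: str) -> dict:
    """Parse sshd_config text and report the effective PermitRootLogin.

    Returns {"global": value, "match_blocks": [...], "includes": [...]}.
    Include directives are reported, not followed, so the caller can audit
    those files too. The default when unset is "prohibit-password".
    """
    global_value = None
    match_values = []
    includes = []
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key Value" or "Key=Value"
        key = parts[0].lower()                          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                             # everything after applies conditionally
        elif key == "include":
            includes.append(value)
        elif key == "permitrootlogin":
            if in_match:
                match_values.append(value.lower())
            elif global_value is None:                  # first occurrence wins
                global_value = value.lower()
    return {
        "global": global_value or "prohibit-password",
        "match_blocks": match_values,
        "includes": includes,
    }


# Real Dropbox API hostnames; the token regex is an assumed generic shape.
DROPBOX_API_HOSTS = (b"api.dropboxapi.com", b"content.dropboxapi.com")
BEARER_RE = re.compile(rb"Authorization:\s*Bearer\s+([A-Za-z0-9._-]{20,})")


def dropbox_c2_indicators(blob: bytes) -> dict:
    """Scan a file's bytes for Dropbox API hosts and hardcoded bearer tokens.

    Tokens are truncated in the result so a report never carries a full
    working credential.
    """
    hosts = [h.decode() for h in DROPBOX_API_HOSTS if h in blob]
    tokens = [m.group(1).decode()[:8] + "..." for m in BEARER_RE.finditer(blob)]
    return {"dropbox_hosts": hosts, "bearer_tokens_redacted": tokens}


# Constructed sample: a hardened sshd_config with the attacker's line inserted
# near the top, so it wins over the original "no" further down.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's file
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
# original hardened setting left in place further down
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
"""

# Constructed sample: a few strings as they might sit inside a dropper binary.
SAMPLE_BINARY = (
    b"\x7fELF" + b"\x00" * 16
    + b"https://content.dropboxapi.com/2/files/download\x00"
    + b"Authorization: Bearer sl.CONSTRUCTED_EXAMPLE_TOKEN_0123456789\x00"
)

if __name__ == "__main__":
    print(effective_permit_root_login(SAMPLE_SSHD_CONFIG))
    print(dropbox_c2_indicators(SAMPLE_BINARY))
```

On a live host the authoritative check is `sshd -T | grep -i permitrootlogin`, which prints the value sshd actually applies after resolving Include files and keyword precedence; the parser above is for offline triage of a copied config or a forensic image. For the token scan, feed it the output of reading suspicious ELF files in /tmp, /var/tmp or cron-referenced paths, and treat any Dropbox API host plus a bearer header inside an unexplained binary as worth a closer look.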
Red Canary says that vulnerable web servers are one of the most common initial access vectors to Linux systems.
“Given the prevalence of *NIX-based, or Unix-like systems in modern infrastructure, particularly in rapidly expanding cloud environments, ensuring they’re protected is essential,” the researchers said.
“This requires the development of specialized incident response strategies tailored to the complexities of both cloud architectures and Linux environments and ensuring defenders are equipped with effective, actionable guidance to safeguard these critical assets.”