GoTitan Botnet and PrCtrl RAT Exploit Apache Vulnerability

Written by

Threat actors have been observed exploiting a critical vulnerability, CVE-2023-46604, in Apache systems. 

Over the past few weeks, Fortiguard Labs identified multiple threat actors leveraging this vulnerability to unleash several malware strains.

Among the discoveries is the emergence of a newly discovered Golang-based botnet named GoTitan. This sophisticated botnet has raised concerns due to its ability to disseminate diverse malware strains. 

GoTitan has been observed downloading from a malicious URL and exhibits a specific focus on x64 architectures. Furthermore, the malware, while still in an early stage of development, replicates itself within systems, establishes recurring execution through cron registration and collects essential information about compromised endpoints.

A .NET program called PrCtrl Rat has also surfaced as a cyber-threat targeting the Apache flaw. The malicious software, equipped with remote control capabilities, uses a .NET framework, allowing it to execute commands and potentially establish a persistent presence on compromised systems.

Furthermore, the researchers have pinpointed the presence of other familiar malware and tools in the ongoing exploits. Sliver, created as an advanced penetration testing tool and red teaming framework, has been used maliciously by threat actors. It supports diverse callback protocols such as DNS, TCP and HTTP(S), simplifying exit processes. 

Fortiguard added that Kinsing has also established itself as a force in cryptojacking operations, demonstrating a swift ability to exploit newly uncovered vulnerabilities. 

Read more on these attacks: Flaw in Apache ActiveMQ Exposes Linux Systems to Kinsing Malware

The team also identified Ddostf, a malware strain with a track record dating back to 2016, which maintains its adeptness in executing precise Distributed Denial of Service (DDoS) attacks, including using the mentioned Apache flaw.

According to an advisory published by Fortinet on Tuesday, the severity of the situation is highlighted by the fact that despite a critical advisory from Apache and the issuance of a patch over a month ago, threat actors persist in exploiting CVE-2023-46604.

“Users should remain vigilant against ongoing exploits by Sliver, Kinsing, and Ddostf,” reads the technical write-up. “It is crucial to prioritize system updates and patching and regularly monitor security advisories to effectively mitigate the risk of exploitation.”

What’s hot on Infosecurity Magazine?