A sophisticated cyberattack campaign has recently emerged, targeting Apache Tomcat servers through the deployment of encrypted and encoded payloads designed to operate on both Windows and Linux systems. This campaign, identified as Tomcat Campaign 25, has been analyzed by security researchers at Aquasec, who noted its relatively recent inception.
Initial Access via Brute-Force Attacks
The attack sequence commences with brute-force attempts against Tomcat management consoles. Attackers try common weak credentials, such as the username Tomcat paired with the password 123456, to gain unauthorized access to vulnerable servers. Once access is achieved, the attackers swiftly move to exploit the compromised servers for various malicious activities.
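The brute-force stage described above leaves a recognisable trail in the Tomcat access log: a burst of 401 responses for the manager application from one client address, optionally followed by an authenticated 200 once a guess succeeds. The detector below is an added example (not code from the Aquasec research or from Tomcat itself); it assumes the default AccessLogValve "common" pattern and runs on a constructed log sample embedded in the block.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')

# Constructed sample: three guesses then a login as "tomcat"; one admin typo; one non-manager hit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:09:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2025:09:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [10/Mar/2025:09:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [10/Mar/2025:09:00:04 +0000] "GET /manager/html HTTP/1.1" 200 18234
198.51.100.2 - - [10/Mar/2025:09:01:00 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.2 - admin [10/Mar/2025:09:01:10 +0000] "GET /manager/html HTTP/1.1" 200 18234
192.0.2.9 - - [10/Mar/2025:09:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 1102
""".splitlines()

def parse_line(line):
    # Returns a dict with ip/user/ts/method/path/status, or None for lines that do not match.
    m = LOG_RE.match(line)
    if m is None:
        return None
    return dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                status=int(m["status"]))

def detect_bruteforce(lines, threshold=3, window=timedelta(minutes=5)):
    """Map ip -> (max 401s against the manager inside any `window`, user of the first
    later 200 or None). A non-None user means the guessing ended in a real login."""
    fails, success = defaultdict(list), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(("/manager/", "/host-manager/")):
            continue                      # only the management consoles are of interest
        if rec["status"] == 401:
            fails[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 200 and rec["ip"] in fails:
            success.setdefault(rec["ip"], rec["user"])
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = (best, success.get(ip))
    return flagged
```

An entry whose second element is a username (here 203.0.113.7 logging in as tomcat) is the case that matters most, because it marks a guessing run that ended in a successful login rather than mere noise.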
Deployment of Malicious Web Shells
Upon successful credential compromise, attackers upload Java-based web shells to the infected servers. These web shells serve as backdoor loaders, enabling the execution of arbitrary code and establishing persistence mechanisms that allow attackers to maintain access even after system reboots. The initial phase involves deploying two malicious JSP files: the first functions as a backdoor loader, while the second handles persistence and privilege escalation.
Obfuscation Techniques and Payload Delivery
The attackers employ advanced obfuscation techniques to conceal their activities. A notable method involves hiding secondary payloads behind misleading 404 error pages. For instance, visiting the malicious website https://www.dbliker.top/w presents users with a standard Page Not Found error, while the actual malicious payload is embedded within the page's HTML source. This payload contains multiple layers of encoding, complicating detection efforts.
Extraction of SSH Credentials and Lateral Movement
After executing the payload, the malware searches for SSH credentials using commands like:
```sh
KEYS=$(find ~/ /root /home -maxdepth 2 -name 'id_rsa'|grep -vw pub)
```
Extracted SSH credentials enable attackers to move laterally within the victim’s network, expanding their control over additional systems.
Cryptocurrency Mining Operations
In addition to credential theft, the malware deploys a cryptominer that connects to mining pools, effectively hijacking server resources for cryptocurrency mining operations. The malware exhibits advanced evasion capabilities, masquerading as legitimate kernel processes with names like [cpuhp/0] to avoid detection while optimizing CPU consumption for more efficient mining.
Indicators of Compromise and Attribution
Code snippets within the malware suggest possible connections to Chinese-speaking threat actors. However, this could potentially be a misdirection technique employed by the attackers to obscure their true origin. The domains used for payload delivery were registered as recently as February 2025, indicating the campaign’s recent initiation.
Mitigation Strategies
To protect against such attacks, organizations should implement the following measures:
1. Strengthen Authentication Mechanisms: Enforce strong, unique passwords for all administrative interfaces and consider implementing multi-factor authentication (MFA) to reduce the risk of brute-force attacks.
2. Regularly Update and Patch Systems: Ensure that all software, including Apache Tomcat, is up-to-date with the latest security patches to mitigate known vulnerabilities.
3. Monitor for Unusual Activity: Implement continuous monitoring solutions to detect and respond to anomalous activities, such as unexpected file uploads or changes in system behavior.
4. Restrict Access to Management Consoles: Limit access to management interfaces to trusted IP addresses and consider placing them behind a VPN or other secure access mechanisms.
5. Conduct Regular Security Audits: Perform periodic security assessments to identify and remediate potential vulnerabilities within the network infrastructure.
By adopting these proactive security measures, organizations can enhance their defenses against sophisticated attack campaigns targeting Apache Tomcat servers and safeguard their critical assets from unauthorized access and exploitation.