DreamBus botnet attacks corporate applications on Linux servers

Zscaler analysts reported about the new DreamBus botnet that attacks corporate applications on Linux servers. It is a variation of the SystemdMiner malware that appeared back in 2019.

DreamBus has received a number of improvements over SystemdMiner. For example, the botnet mainly targets enterprise applications running on Linux systems, including PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and SSH.

Some of them are subject to brute-force attacks, during which malware tries to use default credentials, while others are attacked by exploits for old vulnerabilities.

The main task of DreamBus is to allow its operators to gain a foothold on the server so that they can download and install an open source miner for mining the Monero cryptocurrency (XMR). In addition, some of the infected servers are used as bots to expand the botnet, as further brute force attacks and search for other possible targets.

Also, Zscaler experts note that DreamBus is well protected from detection.

Many of the DreamBus modules are poorly detected by security products. This is in part because Linux-based malware is less common than Windows-based malware, and thus receives less scrutiny from the security community.write Zscaler researchers.

For example, all systems infected with malware communicate with the botnet’s control server using the new DNS-over-HTTPS (DoH) protocol, and the hacker’s C&C server is hosted in Tor.

The DreamBus malware exhibits worm-like behavior that is highly effective in spreading due its multifaceted approach to propagating itself across the internet and laterally through an internal network using a variety of methods. These techniques include numerous modules that exploit implicit trust, weak passwords, and unauthenticated remote code execution (RCE) vulnerabilities in popular applications, including Secure Shell (SSH), IT administration tools, a variety of cloud-based applications, and databases.report Zscaler experts.

Researchers warn that while the botnet may seem harmless, as distributes only a cryptocurrency miner, but in the future, DreamBus operators can easily switch to using more dangerous payloads, including ransomware.

Let me remind you that I also wrote about the fact that new worm for Android spreads rapidly via WhatsApp.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *