Researchers at Zscaler’s ThreatLabZ research team recently analyzed a Linux-based malware family, tracked as DreamBus Botnet, which is a variant of SystemdMiner. The bot is composed of a series of Executable and Linkable Format (ELF) binaries and Unix shell scripts.
The malware has a modular structure and its modules have a low detection rate. The DreamBus bot has a worm-like behavior that is highly effective, it is able to spread to systems that are not directly exposed to the internet by scanning private RFC 1918 subnet ranges for vulnerable systems
“These techniques include numerous modules that exploit implicit trust, weak passwords, and unauthenticated remote code execution (RCE) vulnerabilities in popular applications, including Secure Shell (SSH), IT administration tools, a variety of cloud-based applications, and databases.” reads the post published by Zscaler. “These particular applications are targeted because they often run on systems that have powerful underlying hardware with significant amounts of memory and powerful CPUs—all of which allow threat actors to maximize their ability to monetize these resources through mining cryptocurrency.”
Some modules have been designed to conduct brute-force attacks against SSH, PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, and SaltStack.
The botnet targets enterprise apps that run on Linux systems. In some cases, the apps are targeted with malicious commands sent to exposed API endpoints, or via exploits for older vulnerabilities.
The main feature for the DreamBus bot was to mine the XMRig Monero cryptocurrency miner, it can be also employed to deploy other payloads to carry out more other malicious activities (i.e. Ransomware, data theft).
“The main component of DreamBus has the ability to spread itself through SSH. This module is also downloaded over HTTP whenever an exploitation attempt is successful, typically through a number of hardcoded TOR domains. The HTTP request path to download the main DreamBus spreader module (after exploitation) is made in the format of the exploit that was successful.” continues the analysis.
Infected systems communicate with the C2 server via the new DNS-over-HTTPS (DoH) protocol to avoid detection, which is an uncommon feature for malware.
The C2 server for the DreamBus botnet is hosted on the Tor network to prevent its takeover.
The threat actor behind the DreamBus botnet is likely located near Russia based on the time when the commands have been sent to the bots.
“Updates and new commands are issued that typically start around 6:00 a.m. UTC or 9:00 a.m. Moscow Standard Time (MSK) and end approximately at 3:00 p.m. UTC or 6:00 p.m. MSK,” the experts conclude. “The DreamBus threat actor continues to innovate and add new modules to compromise more systems, and regularly pushes out updates and bug fixes. The threat actor behind DreamBus is likely to continue activity for the foreseeable future hidden behind TOR and anonymous file-sharing websites. Therefore, organizations must be vigilant and take the necessary precautions to prevent infections.”
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, DreamBus botnet)