This new botnet targets Linux servers running commercial applications

Security researchers from Zscaler's ThreatLabZ team have discovered and analyzed a new family of Linux malware that cybercriminals are using to attack Linux servers running business applications. The company has dubbed the new family DreamBus; it is a variant of an older botnet called SystemdMiner that first appeared in 2019, although current versions of DreamBus include several improvements over SystemdMiner. The DreamBus botnet currently targets a number of popular enterprise applications, including PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service, all of which run on Linux servers. Some of these applications are attacked by brute force, others by sending malicious commands to exposed API endpoints or by exploiting previously known vulnerabilities.

DreamBus Zombie Network

Cybercriminals deploying DreamBus do so to gain a foothold on Linux servers, where they download and install an open source application that mines the Monero (XMR) cryptocurrency. Each infected server also becomes part of the botnet. According to Zscaler, DreamBus takes several measures to avoid detection, including having the malware communicate with the botnet's command and control (C&C) server over the new DNS-over-HTTPS (DoH) protocol, which is very complex to configure. The C&C server is also hosted on the Tor network at an .onion address, which makes it more difficult to take down. Zscaler's director of threat intelligence, Brett Stone-Gross, explained in a new report that the threat actor behind DreamBus will be difficult to identify because of the way they hide behind Tor and anonymous file-sharing websites. The report says: “While DreamBus is currently being used for cryptocurrency mining, the threat actor could turn to more disruptive activities such as ransomware. Furthermore, other threat groups could use the same techniques to infect systems and compromise sensitive information that can be easily stolen and monetized. The DreamBus threat actor continues to innovate and add new modules to compromise more systems, releasing updates and bug fixes regularly. The threat actor behind DreamBus is likely to continue to operate for the foreseeable future, hiding behind TOR and anonymous file-sharing websites.”

Via ZDNet
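The article notes that DreamBus reaches its C&C server over DNS-over-HTTPS, a protocol servers rarely use legitimately. The following detection sketch, an added example that is not part of the article or Zscaler's report, flags hosts whose outbound records match well-known public DoH resolvers or the RFC 8484 `/dns-query` path; the log records, host names and field names are constructed for illustration.

```python
"""Flag server hosts whose outbound traffic looks like DNS-over-HTTPS (DoH).

Added example, not Zscaler's or DreamBus's code. Servers normally resolve
names via the local stub resolver on port 53; an HTTPS session to a public
DoH resolver, or a request to the RFC 8484 /dns-query path, is worth a look.
"""
import json

# Well-known public DoH endpoints (real, but deliberately not exhaustive).
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

def doh_indicators(rec):
    """Return the reasons a single flow/proxy record looks like DoH."""
    reasons = []
    sni = (rec.get("sni") or "").lower().rstrip(".")
    if sni in KNOWN_DOH_HOSTS:
        reasons.append(f"sni:{sni}")
    # IP-only match is weak evidence (1.1.1.1 also serves a web page on 443).
    if rec.get("dst_ip") in KNOWN_DOH_IPS and rec.get("dst_port") == 443:
        reasons.append(f"ip:{rec['dst_ip']}")
    if (rec.get("path") or "").startswith("/dns-query"):
        reasons.append("path:/dns-query")
    if rec.get("content_type") == "application/dns-message":
        reasons.append("content-type:dns-message")
    return reasons

def find_doh_sources(records):
    """Group suspicious records by source host -> sorted list of reasons."""
    hits = {}
    for rec in records:
        reasons = doh_indicators(rec)
        if reasons:
            hits.setdefault(rec["src"], set()).update(reasons)
    return {src: sorted(r) for src, r in hits.items()}

# Constructed sample records, in the JSON-lines shape a proxy or flow sensor might emit.
SAMPLE_LOG = """
{"src": "db-01", "dst_ip": "10.0.0.53", "dst_port": 53, "sni": null, "path": null, "content_type": null}
{"src": "db-01", "dst_ip": "1.1.1.1", "dst_port": 443, "sni": "cloudflare-dns.com", "path": "/dns-query", "content_type": "application/dns-message"}
{"src": "web-02", "dst_ip": "151.101.1.69", "dst_port": 443, "sni": "pypi.org", "path": "/simple/", "content_type": null}
{"src": "hadoop-03", "dst_ip": "8.8.8.8", "dst_port": 443, "sni": "dns.google", "path": null, "content_type": null}
"""

def load_records(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

if __name__ == "__main__":
    for src, reasons in find_doh_sources(load_records(SAMPLE_LOG)).items():
        print(f"{src}: possible DoH ({', '.join(reasons)})")
```

A hit is a lead, not a verdict: confirm against the host's configured resolver and its expected software before treating it as C&C traffic.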