
Dreambot Malware Operation Goes Silent Ending Botnet's Malicious Activities

The Dreambot malware botnet appears to have been shut down, according to a report by CSIS Security Group, a cybersecurity company based in Denmark. The company reported that the Dreambot backend servers went down in March, around the same time the community stopped seeing new Dreambot samples being distributed.

Benoit Ancel, a malware analyst at CSIS Security Group, said he is unsure of the botnet's 'cause of death'. Possible causes he listed include a lack of new features, the multiplication of new Gozi variants, or even the pandemic itself.

Dreambot Activities Span Back to 2014

The malware's apparent disappearance puts an end to a six-year-long run in the cybercrime landscape. Dreambot was first noticed in the wild in 2014, built from the leaked source code of the Gozi ISFB banking Trojan. Like other Gozi-based Trojans, Dreambot injects malicious content into browsers, steals banking credentials, and executes unauthorized transactions. The first versions had only a few features, but the malware soon evolved into a sophisticated threat.

Over time Dreambot gained new features, including Tor-hosted command and control servers, the ability to steal cookies and email client data, keylogging, screenshotting, a VNC remote access feature, and a bootkit module, among others. Dreambot also evolved from a privately operated botnet into a cybercrime-as-a-service offering.

Under this new approach, the Dreambot creators advertised access to the botnet on malware and hacking forums. Other criminals could buy a slice of the Dreambot infrastructure and a build of the malware, which they could then distribute to victims. Buyers of the service could infect victims and steal money while paying the Dreambot creators a subscription fee.

There Were More Than a Million Infections in 2019

CSIS said this model appeared to work for the people behind Dreambot, since infections were growing in 2019. CSIS also observed that in recent years Dreambot was evolving beyond its banking Trojan origins into a general-purpose Trojan, rather than targeting banks specifically. Criminals would rent Dreambot, but not to steal money from bank accounts.

Instead, they would infect a large number of computers and then inspect them in search of specific targets among the infected hosts. CSIS said it had seen criminals use Dreambot to infect systems and look for computers running point-of-sale software. They were also using the ransomware to infect corporate networks, and using Dreambot for BEC fraud and for ordering goods from hijacked accounts on websites like Amazon and eBay.

Dreambot's evolution into a generic malware loader mirrors what happened to other threats like Emotet, Dridex, and Trickbot, banking Trojans that eventually turned into services renting out access to hacked computers. The Dreambot operators have not been identified and remain at large, so a resurgence of the malware in the near future is possible should they decide to return.
