DreamBus Botnet Description
Linux and Unix systems are under threat from a powerful new botnet named DreamBus. Researchers estimate that tens of thousands of systems may already have been compromised. One key factor behind DreamBus' potency is its worm-like capability to spread both across the Internet and laterally once inside a victim's private network. For now, the threat actor is content with deploying a crypto-miner payload, which also explains the preference for infecting systems with powerful hardware, such as a fast CPU and large amounts of available memory. While the campaign has not been attributed to a specific hacker group, researchers analyzed the timestamps of the commands sent to DreamBus and concluded that the cybercriminals are most likely from Russia or an Eastern European country.
DreamBus is Highly Modular
The threat is built with a modular design that lets the threat actor roll out new modules steadily, increasing DreamBus' capabilities. The main component is an Executable and Linkable Format (ELF) file that spreads copies of itself either over Secure Shell (SSH) or by having them downloaded via HTTP. The binary is tasked with preparing the environment of the infected system for further escalation of the attack, deploying additional modules for spreading, and delivering the final payload - an XMRig cryptocurrency miner that hijacks the resources of the compromised system to mine Monero coins.
The botnet's lateral movement across devices that do not face the public Internet is achieved through a module that scans the internal RFC 1918 IP address space for vulnerable targets matching the attack's criteria. Other propagation modules exploit weak passwords, as well as remote code execution vulnerabilities in a range of popular applications, including SSH, administration tools and cloud-based databases. The threat specifically targets Apache Spark, Hadoop YARN, HashiCorp Consul and SaltStack. The Command-and-Control infrastructure for the operation is hosted on the Tor network and on anonymous file-sharing services that use HTTP.
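Because the spreader module sweeps the RFC 1918 address space for the services named above, one defender-side check is to flag internal hosts that contact many distinct private addresses on those service ports. The following is an added example, not code from the original report or from any DreamBus analysis; the flow-log format and the sample lines are constructed, and the port numbers are assumed defaults for each service rather than values taken from the report.

```python
import ipaddress
from collections import defaultdict

# Assumed default ports for the services DreamBus is reported to target
# (assumption: standard defaults, not values from the report).
TARGET_PORTS = {22: "ssh", 7077: "spark-master", 8088: "yarn-rm",
                8500: "consul", 4505: "salt-publish", 4506: "salt-request"}

# The three RFC 1918 private ranges the spreader module scans.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    """True if `ip` falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_flow(line):
    """Constructed flow format: '<timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)

def find_internal_scanners(lines, min_targets=5):
    """Return {src_ip: sorted distinct private destinations} for sources that
    touched at least `min_targets` distinct RFC 1918 hosts on targeted ports.
    Public destinations and non-targeted ports are ignored."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        _, src, dst, port = parse_flow(line)
        if port in TARGET_PORTS and is_private(dst):
            seen[src].add(dst)
    return {src: sorted(d) for src, d in seen.items() if len(d) >= min_targets}

# Constructed sample: 10.0.5.17 sweeps eight internal hosts on targeted
# ports; 10.0.5.40 shows ordinary traffic (one SSH session, a public host,
# and an internal HTTPS connection on a non-targeted port).
SAMPLE_FLOWS = """\
2021-01-22T10:00:01 10.0.5.17 10.0.5.1 22
2021-01-22T10:00:01 10.0.5.17 10.0.5.2 22
2021-01-22T10:00:02 10.0.5.17 10.0.5.3 8088
2021-01-22T10:00:02 10.0.5.17 10.0.5.4 8500
2021-01-22T10:00:03 10.0.5.17 10.0.5.5 4506
2021-01-22T10:00:03 10.0.5.17 10.0.5.6 7077
2021-01-22T10:00:04 10.0.5.17 10.0.5.7 22
2021-01-22T10:00:04 10.0.5.17 172.16.2.9 22
2021-01-22T10:00:05 10.0.5.40 10.0.5.50 22
2021-01-22T10:00:05 10.0.5.40 203.0.113.8 22
2021-01-22T10:00:06 10.0.5.40 10.0.5.51 443
"""

if __name__ == "__main__":
    for src, targets in find_internal_scanners(SAMPLE_FLOWS.splitlines()).items():
        print(f"{src} touched {len(targets)} internal hosts on targeted ports")
```

In practice the threshold should be tuned against a baseline of normal east-west traffic, since management hosts and vulnerability scanners legitimately touch many internal addresses.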
The infosec experts who analyzed DreamBus warn that the end goal of the operation could easily be changed from delivering a crypto miner to deploying far more damaging malware. The threat actor could switch to a ransomware payload or a data exfiltration tool.