Linux Systems Targetted By DreamBus Botnets

Enterprise Security Magazine | Tuesday, March 16, 2021

Researchers say the botnet hijack systems to mine Monero.

FREMONT, CA: Zscaler's ThreatLabz research team is pursuing a distinct botnet called DreamBus that’s installing the XMRig crypto miner on powerful enterprise-class Linux and Unix systems aiming at using their computing power to mine Monero. DreamBus offers a severe threat because of the various elements it uses to grow via the internet and the vermicular style that permits it to pass laterally once inside a targeted system. Several of the bot’s elements have earlier been identified. Based on the timestamps connected with the deployment of new rules, Zscaler considers the attackers are settled in Russia or Eastern Europe.

DreamBus uses various techniques to recognize victims. These include using various modules to hunt for targets with insecure passwords or remote code execution vulnerabilities in popular enterprise applications, as well as IT administration tools. The botnet can misuse applications that include PostgreSQL, HashiCorp Consul, Hadoop YARN, Redis, and Apache Spark. The attackers are attacking Linux-based systems since they are easier targets than Windows-based systems.

While establishing a crypto-miner is the prime objective of the attackers, once securely ensconced inside a system, the attackers have the opportunity to enhance the attack to something more treacherous. The threat actor can pivot in the future to more damaging actions such as ransomware, or removing an organization’s data. The DreamBus botnet utilizes a modular layout, with developers releasing distinct modules regularly. The researchers say most of its command-and-control elements are hosted through the TOR browser. The botnet can scan an organization's intranet to detect and contaminate devices. This is achieved by having a module that scans the internal RFC 1918 for unprotected applications.

The original spreader is an ELF binary that’s intended to diffuse through SSH. It’s accountable for establishing the necessary environment, contaminating systems with copies of itself, downloading new modules for growing, and disposing XMRig to mine Monero cryptocurrency. While this sparse adjustment breaks the UPX command-line tool, the ELF binary is still valid. This simple change may be satisfactory to circumvent some security barriers. Antivirus software often has low detection rates for DreamBus.

To ensure that the DreamBus botnet can be utilized across a variety of Unix- and Linux-based operating systems, during an attack the hackers supply downloads of different dependencies and elements if they do not exist on the jeopardized system.

Weekly Brief