Security researchers have discovered a new threat endangering Linux servers. Called DreamBus, the botnet is a new variant of a previously known malware family, SystemdMiner, and is notably more evolved than its predecessor.
Zscaler researchers warn that the DreamBus botnet is targeting enterprise-level apps running on Linux systems. Some apps that are at risk include PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service.
Attack scenarios include brute-force attacks against default admin usernames, exposed API endpoints, and exploits for older vulnerabilities. “DreamBus appears to be located in Russia or Eastern Europe based on the time of deployment for new commands,” the researchers warn.
DreamBus Botnet Specifications
Zscaler says that the botnet displays worm-like behavior, which is why it is spreading so successfully across the internet. It can also spread laterally inside an internal network by several other methods, such as exploiting weak passwords and unauthenticated remote code execution flaws in applications such as SSH, IT administration tools, cloud-based apps, and databases.
Why are DreamBus botnet operators targeting these types of applications?
“These particular applications are targeted because they often run on systems that have powerful underlying hardware with significant amounts of memory and powerful CPUs—all of which allow threat actors to maximize their ability to monetize these resources through mining cryptocurrency,” the report explains.
What is the malicious purpose of the DreamBus botnet? In essence, the botnet is a Monero cryptocurrency miner based on XMRig. However, researchers warn that the botnet can also be employed in other attack modes, including ransomware and enterprise data theft.
An overview of the malware’s capabilities and characteristics includes:
- A modular, worm-like Linux-based botnet that has been active since at least early 2019;
- An ability to spread to systems that are not directly exposed to the internet by scanning private RFC 1918 subnet ranges for vulnerable systems;
- Use of a combination of implicit trust, application-specific exploits, and weak passwords to carry out its attacks.
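The lateral-movement behavior described above, scanning RFC 1918 ranges for the listed services, is something a defender can look for in flow or connection logs. The following detection sketch is an added example, not code from the Zscaler report or from the malware: it flags internal hosts that contact many distinct private addresses on the default ports of the targeted services. The flow-log format and the sample flows are constructed, and the port-to-service mapping assumes the standard default ports, which the article itself does not list.

```python
import ipaddress
from collections import defaultdict

# Assumed default ports of the services the article names as DreamBus targets.
TARGET_PORTS = {
    22: "SSH", 5432: "PostgreSQL", 6379: "Redis", 8088: "Hadoop YARN",
    7077: "Apache Spark", 8500: "HashiCorp Consul",
    4505: "SaltStack", 4506: "SaltStack",
}

# RFC 1918 private ranges that the botnet scans for lateral movement.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_flow(line):
    # Constructed flow-log format: "<src_ip> <dst_ip> <dst_port>"
    src, dst, dport = line.split()
    return src, dst, int(dport)

def find_internal_scanners(lines, min_hosts=5):
    """Return sources that touched >= min_hosts distinct private hosts on
    targeted service ports, with the set of services they probed."""
    hosts = defaultdict(set)
    services = defaultdict(set)
    for line in lines:
        src, dst, dport = parse_flow(line)
        # Public destinations and non-targeted ports are ignored here;
        # the point is a sweep of private subnets on the listed services.
        if dport not in TARGET_PORTS or not is_rfc1918(dst):
            continue
        hosts[src].add(dst)
        services[src].add(TARGET_PORTS[dport])
    return {src: {"distinct_hosts": len(dsts), "services": sorted(services[src])}
            for src, dsts in hosts.items() if len(dsts) >= min_hosts}

# Constructed sample: 10.0.5.20 sweeps six neighbours on Redis plus a few
# other ports; 10.0.5.30 is a normal client talking to one database host.
SAMPLE_FLOWS = [f"10.0.5.20 10.0.5.{i} 6379" for i in range(1, 7)] + [
    "10.0.5.20 10.0.5.3 5432", "10.0.5.20 10.0.5.4 22",
    "10.0.5.20 8.8.8.8 22",          # public destination, not counted
    "10.0.5.30 10.0.5.40 5432", "10.0.5.30 10.0.5.40 5432",
]

if __name__ == "__main__":
    for src, info in find_internal_scanners(SAMPLE_FLOWS).items():
        print(f"possible internal scan from {src}: {info}")
```

In a real deployment the threshold and time window would be tuned per network, and legitimate scanners (vulnerability management, monitoring) allow-listed.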
In 2018, security researchers discovered another Russian miner based on the XMRig software. Called WaterMiner, the malware connected to a predefined pool by having specific instructions in its configuration file.
A mining pool is a centralized node that takes a Monero blockchain block and distributes it to the connected peers for processing. When a set number of shares are returned and verified by the pool, a reward in the form of Monero cryptocurrency is sent to the designated wallet address. In the malicious case, that address is controlled by the botnet’s operators.