Dreambot malware operation goes silent

Dreambot backend servers have gone down and no new samples have been spotted for weeks.



The Dreambot malware botnet appears to have gone silent and possibly shut down, according to a report published today by the CSIS Security Group, a cyber-security firm based in Copenhagen, Denmark.

The company reports that Dreambot's backend servers went down in March, at about the same time the cybersecurity community stopped seeing new Dreambot samples distributed in the wild.

"The lack of new features? The multiplication of new Gozi variants? The huge rise of Zloader? COVID-19? We can't be sure exactly what was the cause of death, but more and more indicators point at the end of Dreambot," said Benoit Ancel, malware analyst at the CSIS Security Group.

What was Dreambot?

The malware's apparent death puts an end to a six-year-old "career" on the cybercrime landscape.

Dreambot was first spotted in 2014. It was created on top of the leaked source code of the older Gozi ISFB banking trojan, one of the most reused pieces of malware today.

Just like any Gozi-based trojan, Dreambot's primary function was to inject malicious content inside browsers and facilitate the theft of banking credentials and the execution of unauthorized financial transactions.

Initial versions contained very few features, but the malware grew into a more complex strain over the years.

Over time, Dreambot gained Tor-hosted command and control servers, a keylogging capability, the ability to steal browser cookies and data from email clients, a screenshotting feature, the ability to record a victim's screen, a bootkit module, and a VNC remote access feature -- just to name the most important additions.

[Figure: Typical Dreambot control panel. Image: Benoit Ancel, CSIS Group]

Furthermore, Dreambot also evolved from a private malware botnet into what's called a Cybercrime-as-a-Service (CaaS).

As a CaaS, the Dreambot creators would advertise access to their botnet on hacking and malware forums. Other crooks could buy access to a part of Dreambot's infrastructure and a version of the Dreambot malware, which they'd be responsible for distributing to victims. Dreambot "customers" would infect victims, steal funds, and pay the Dreambot gang a weekly, monthly, or yearly fee.

More than one million infections in 2019 alone

CSIS says this model appears to have been successful. "We counted more than a million [Dreambot] infections worldwide just for 2019," Ancel said.

However, the CSIS researcher also says that in recent years Dreambot stopped being just a banking trojan: it evolved from a specialized banking trojan into a generic trojan.

Criminal gangs would rent access to the Dreambot cybercrime machine, but not use it to steal money from bank accounts.

Instead, they'd infect a large number of computers and then inspect each one, looking for specific targets. For example, CSIS said it has seen criminal groups use Dreambot to infect systems and look for computers running point-of-sale software, to deploy ransomware on corporate networks, to orchestrate BEC fraud, or to order goods from hijacked e-shopping accounts (eBay, Amazon, etc.).

In this case, Dreambot's evolution from a highly-specialized banking trojan into a generic "malware loader" mirrors what we've seen happening to Dridex, TrickBot, or Emotet -- other former banking trojans that have evolved into services that rent access to hacked computers.

At the time of writing, Dreambot operators have not been publicly identified and remain at large. The reason for this entire cybercrime platform's current disappearance also remains a mystery.

With the operators at large, Dreambot's return remains a possibility.