DreamBus botnet targets enterprise apps running on Linux servers

DreamBus botnet uses exploits and brute-force to target PostgreSQL, Redis, SaltStack, Hadoop, Spark, and others.
Written by Catalin Cimpanu, Contributor on
Image: Zscaler

Chances are that if you deploy a Linux server online these days and you leave even the tiniest weakness exposed, a cybercrime group will ensnare it as part of its botnet.

The latest of these threats is named DreamBus.

Analyzed in a report published last week by security firm Zscaler, the company said this new threat is a variant of an older botnet named SystemdMiner, first seen in early 2019.

But current DreamBus versions have received several improvements compared to initial SystemdMiner sightings [123].

Currently, the botnet targets enterprise-level apps that run on Linux systems. Targets include a wide collection of apps, such as PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service.

Some of these apps are targeted with brute-force attacks against their default administrator usernames, others with malicious commands sent to exposed API endpoints, or via exploits for older vulnerabilities.

The idea is to give the DreamBus gang a foothold on a Linux server where they could later download and install an open-source app that mines the Monero (XMR) cryptocurrency to generate profits for the attackers.

Furthermore, each of the infected servers is also used as a bot in the DreamBus operation to launch further brute-force attacks against other possible targets.

Zscaler also said that DreamBus employed quite a few measures to prevent easy detection. One of them was that all systems infected with the malware communicated with the botnet's command and control (C&C) server via the new DNS-over-HTTPS (DoH) protocol. DoH-capable malware is very rare, as it's complex to set up.

Furthermore, to prevent the C&C server from being taken down, the DreamBus gang hosted it on the Tor network; via a .onion address.

But despite all these protective measures, Zscaler's Brett Stone-Gross believes we're seeing yet another botnet birthed and operated out of Russia, or Eastern Europe.

"Updates and new commands are issued that typically start around 6:00 a.m. UTC or 9:00 a.m. Moscow Standard Time (MSK) and end approximately at 3:00 p.m. UTC or 6:00 p.m. MSK," the researcher said.

But Stone-Gross also warned companies not to take this botnet lightly. Sure, the botnet delivers a cryptocurrency miner right now, but the Zscaler researcher believes operators could easily pivot to more dangerous payloads, such as ransomware, at any time they wanted.


This Linux botnet has found a novel way of spreading to new devices

This Linux botnet has found a novel way of spreading to new devices

A tiny botnet launched the largest DDoS attack on record

A tiny botnet launched the largest DDoS attack on record

How to install Android apps on your Chromebook
The Chrome OS system tray popup.

How to install Android apps on your Chromebook