Security researchers from Zscaler's ThreatLabZ team have discovered and analyzed a new Linux-based malware family that cybercriminals are using to target Linux servers running enterprise applications.
The cybersecurity firm has dubbed the new malware family DreamBus; it is actually a variant of an older botnet named SystemdMiner, which first appeared back in 2019. However, current versions of DreamBus feature several improvements over SystemdMiner.
The DreamBus botnet is currently being used to target a number of popular enterprise applications, including PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service, all of which run on Linux servers.
While some of these applications are targeted with brute-force attacks against weak credentials, others are compromised through malicious commands sent to API endpoints exposed to the internet, or through exploits for older vulnerabilities.
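The common thread in the intrusion vectors above is a management or data-plane port reachable from the internet. The following is an added example (not code from the article or from Zscaler) that audits a Linux host for exactly that: it parses the output of `ss -Hltn` and reports any of the services named above that are bound to a wildcard address. The port-to-service map assumes each service's default port, and the sample `ss` output is constructed so the script runs offline.

```python
"""Audit listening sockets for the services DreamBus is reported to target.

Added example, not from the article or Zscaler. Parses `ss -Hltn` output and
flags any of the listed services bound to a wildcard address, i.e. reachable
from every interface, including a public one.
"""
import subprocess

# Assumption: default ports of the named services. A real deployment may
# use different ports; adjust the map accordingly.
SERVICE_PORTS = {
    22: "SSH",
    5432: "PostgreSQL",
    6379: "Redis",
    8088: "Hadoop YARN ResourceManager web/REST",
    7077: "Apache Spark master",
    6066: "Apache Spark REST submission",
    8500: "HashiCorp Consul HTTP API",
    4505: "SaltStack publisher",
    4506: "SaltStack request server",
}

# Local addresses that mean "listen on everything".
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -Hltn` output (columns: state recv-q send-q
# local-address:port peer-address:port) so the script runs offline.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 4096 *:8088 *:*
LISTEN 0 4096 [::]:8500 [::]:*
LISTEN 0 128 [::1]:4506 [::]:*
"""


def parse_ss(text):
    """Return (local_addr, port) tuples for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses like [::] intact.
        addr, _, port = parts[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def exposed_services(listeners):
    """Return [(service, addr, port)] for known services on wildcard binds."""
    return [
        (SERVICE_PORTS[port], addr, port)
        for addr, port in listeners
        if port in SERVICE_PORTS and addr in WILDCARD
    ]


def audit_live():
    """Audit the local host; returns [] if `ss` cannot be run."""
    try:
        proc = subprocess.run(
            ["ss", "-Hltn"], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return []
    return exposed_services(parse_ss(proc.stdout))


if __name__ == "__main__":
    for service, addr, port in exposed_services(parse_ss(SAMPLE_SS)):
        print(f"EXPOSED {service} on {addr}:{port}")
```

In the constructed sample, Redis and the SaltStack request port are bound to loopback and are not reported, while PostgreSQL, YARN and Consul are flagged. SSH will almost always appear, since it is normally meant to be reachable; for that service the relevant control against the brute-force vector is disabling password authentication rather than changing the bind address.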
DreamBus botnet
The cybercriminals deploying DreamBus do so to gain a foothold on Linux servers, where they download and install an open-source application used to mine the cryptocurrency Monero (XMR). Every infected server also becomes part of the botnet.
According to Zscaler, DreamBus uses several measures to avoid detection. Among them, the malware communicates with the botnet's command and control (C&C) server using the relatively new DNS-over-HTTPS (DoH) protocol, which is complex to set up and which carries name lookups inside ordinary HTTPS, so conventional DNS monitoring never sees them. The C&C server is also hosted on the Tor network using a .onion address, making it harder to take down.
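Because DoH hides lookups from resolver-side DNS logs, the place they still surface is as TLS sessions from the server to a public DoH endpoint. The following is an added example (not code from the article or from Zscaler) that scans flow records for outbound port 443 sessions whose TLS SNI or destination IP matches a list of well-known public DoH resolvers. The resolver list is an assumption on the operator's part; the article does not say which resolver DreamBus uses. The flow records and their format are constructed for this example and are not a real tool's output.

```python
"""Flag outbound TLS sessions from servers to well-known public DoH resolvers.

Added example, not from the article or Zscaler. DoH wraps DNS queries in
HTTPS, so a resolver-side DNS log never records them; the observable
artefact is a port 443 session to a DoH endpoint.
"""

# Assumption: public DoH endpoints an operator would block or alert on.
# The article does not identify the resolver DreamBus talks to.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed flow records in this example's own format:
#   "<src_ip> <dst_ip> <dst_port> <tls_sni or ->"
# Public destinations use TEST-NET / well-known resolver addresses only.
SAMPLE_FLOWS = """\
10.0.1.12 1.1.1.1 443 cloudflare-dns.com
10.0.1.12 10.0.0.5 443 repo.internal
10.0.1.13 8.8.8.8 443 -
10.0.1.13 10.0.0.53 53 -
10.0.1.14 203.0.113.7 443 www.example.com
"""


def parse_flows(text):
    """Return (src, dst, port, sni_or_None) tuples; skips malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        src, dst, port, sni = parts
        flows.append((src, dst, int(port), None if sni == "-" else sni))
    return flows


def doh_suspects(flows):
    """Return (src, dst, reason) for TLS flows that look like DoH.

    SNI is checked first because it is the stronger indicator; the IP
    fallback catches clients that omit SNI or use an IP-only endpoint.
    """
    hits = []
    for src, dst, port, sni in flows:
        if port != 443:
            continue
        if sni in DOH_HOSTS:
            hits.append((src, dst, f"sni={sni}"))
        elif dst in DOH_IPS:
            hits.append((src, dst, f"ip={dst}"))
    return hits


if __name__ == "__main__":
    for src, dst, reason in doh_suspects(parse_flows(SAMPLE_FLOWS)):
        print(f"possible DoH: {src} -> {dst} ({reason})")
```

In the constructed sample the session to the internal repository and the plain port 53 query are ignored, and the two sessions to public resolvers are reported. Matching on a resolver list only catches DoH to endpoints you already know about; for server workloads, which rarely need outbound HTTPS to arbitrary hosts at all, a default-deny egress policy with an explicit allowlist is the stronger control, and it also breaks the Tor connection the article describes.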
Brett Stone-Gross, director of threat intelligence at Zscaler, explained in a new report that identifying the threat actor behind DreamBus will be difficult because of how they have hidden themselves using Tor and anonymous file-sharing websites, saying:
"While DreamBus is currently used for mining cryptocurrency, the threat actor could pivot to more disruptive activities such as ransomware. In addition, other threat groups could leverage the same techniques to infect systems and compromise sensitive information that can be stolen and easily monetized. The DreamBus threat actor continues to innovate and add new modules to compromise more systems, and regularly pushes out updates and bug fixes. The threat actor behind DreamBus is likely to continue activity for the foreseeable future hidden behind TOR and anonymous file-sharing websites."
Via ZDNet