2 min Security

DreamBus botnet targets servers running on Linux

DreamBus botnet targets servers running on Linux

The new threat is a variant on previous malware from 2019.

Zscaler’s ThreatLabZ research team have recently identified a new Linux-based malware family. They announced their findings in a “Technical Analysis” published last week on Zscaler’s website.

The researchers have named their new finding the DreamBus Botnet.

The malware is a variant of SystemdMiner, which consists of a series of Executable and Linkable Format (ELF) binaries and Unix shell scripts, they say. The researchers identified some components of the botnet dating back to early 2019.

The botnet is highly effective and difficult to detect

Security products do a poor job of detecting many of the DreamBus modules, according to Zscaler. They explain that this is partly because Linux-based malware is less common than Windows-based malware. Because it is a rare occurrence, such threats receive less scrutiny from the security community.

Zscaler points out, however, that many critical business systems run on Linux systems. Malware that is able to gain access to these systems can cause significant disruption and irreparable harm to organizations that fail to secure their servers properly, they warn.

The DreamBus malware exhibits worm-like behavior that is highly effective in spreading, according to the analysis. This is due its multifaceted approach to propagating itself across the internet and laterally through an internal network using a variety of methods.

DreamBus targets security weaknesses and specific applications

These techniques include numerous modules that exploit various weaknesses. Such exploitable factors include implicit trust, weak passwords, and unauthenticated remote code execution (RCE) vulnerabilities in popular applications.

According to the researchers, the targeted applications include Secure Shell (SSH), IT administration tools, a variety of cloud-based applications, and databases. The botnet targets these particular applications because they often run on systems that have powerful underlying hardware with significant amounts of memory and powerful CPUs, they say.

How DreamBus attackers monetize their exploits

All of those factors allow threat actors to maximize their ability to monetize these resources through mining cryptocurrency. The primary DreamBus malware payload is XMRig, an open source Monero cryptocurrency miner. However, the Zscaler analysts warn that the threat actor can potentially pivot in the future.

Such a pivot would allow DreamBus to carry out more destructive activities, such as ransomware or stealing an organization’s data and holding it hostage, they say.

Tip: Zscaler: ‘Cloud security has more advantages than traditional VPN’