This new botnet is targeting Linux servers running enterprise apps

[Image: botnet. Image credit: Shutterstock / Jaiz Anuar]

Security researchers from Zscaler's ThreatLabZ team have discovered and analyzed a new Linux-based malware family that is being used by cybercriminals to target Linux servers running enterprise apps.

The cybersecurity firm has dubbed the new malware family DreamBus. It is actually a variant of an older botnet named SystemdMiner, which first appeared back in 2019, although current versions of DreamBus feature several improvements over SystemdMiner.

The DreamBus botnet is currently being used to target a number of popular enterprise apps including PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service, all of which run on Linux servers.

Some of these services have been targeted with brute-force attacks against their logins, while others have been compromised through malicious commands sent to exposed API endpoints or through exploits for older, already patched vulnerabilities.
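The brute-force route described above leaves an obvious trail on the server: a burst of failed logins from one source, often across several usernames, sometimes followed by a success. The following detector is an added example, not code from the article or from Zscaler's report. It assumes the OpenSSH syslog line format, uses constructed sample log lines, fills in the year the syslog timestamp lacks with an assumed value, and treats five failures within sixty seconds as the alert threshold (both values are assumptions to tune per environment).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format (not real log data).
# 198.51.100.23 tries several accounts in a few seconds, then gets in;
# 203.0.113.7 is an ordinary user who mistyped a password once.
SAMPLE_AUTH_LOG = """\
Jan 20 10:00:01 db01 sshd[2101]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jan 20 10:00:02 db01 sshd[2102]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Jan 20 10:00:04 db01 sshd[2103]: Failed password for invalid user postgres from 198.51.100.23 port 40141 ssh2
Jan 20 10:00:05 db01 sshd[2104]: Failed password for root from 198.51.100.23 port 40150 ssh2
Jan 20 10:00:07 db01 sshd[2105]: Failed password for invalid user hadoop from 198.51.100.23 port 40162 ssh2
Jan 20 10:00:09 db01 sshd[2106]: Accepted password for root from 198.51.100.23 port 40170 ssh2
Jan 20 10:03:15 db01 sshd[2110]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Jan 20 10:03:40 db01 sshd[2111]: Accepted publickey for alice from 203.0.113.7 port 51030 ssh2
"""

# Matches both failed and accepted sshd authentication lines.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(log_text, year=2021):
    """Return (timestamp, result, user, ip) tuples for every sshd auth line.

    Syslog timestamps carry no year, so one is assumed (hypothetical value).
    """
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events


def detect_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with `threshold` failed logins inside any `window`.

    The result maps ip -> {failures, usernames, login_after_burst}; the last
    field is True when a login from that IP succeeded at or after the burst,
    which is the case that needs immediate response rather than just blocking.
    """
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[3]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        # Sliding window over the sorted failure timestamps.
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i][0], failures[i + threshold - 1][0]
            if last - first <= window:
                alerts[ip] = {
                    "failures": len(failures),
                    "usernames": sorted({e[2] for e in failures}),
                    "login_after_burst": any(
                        e[1] == "Accepted" and e[0] >= last for e in evs
                    ),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

The sliding window matters more than a raw count: a slow, patient scanner spreads attempts over hours and would pass a simple per-day threshold, so the window size should be chosen against the login rate a legitimate user could plausibly produce. The same pattern applies to the other brute-forced services the article lists (PostgreSQL and Redis both log failed authentications), only the regular expression changes.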

DreamBus botnet

The cybercriminals deploying DreamBus are doing so with the aim of gaining a foothold on Linux servers, where they download and install an open-source app used for mining the cryptocurrency Monero (XMR). Each infected server then also becomes part of the botnet.

According to Zscaler, DreamBus uses several measures to avoid detection, including communicating with the botnet's command and control (C&C) server over DNS-over-HTTPS (DoH), a relatively new protocol that is complex to set up and that hides the malware's DNS lookups inside ordinary encrypted HTTPS traffic. The C&C server is also hosted on the Tor network using a .onion address, which makes it harder to take down.

Brett Stone-Gross, director of threat intelligence at Zscaler, explained in a new report that identifying the threat actor behind DreamBus will be difficult because of how they have hidden themselves behind Tor and anonymous file-sharing websites, saying:

“While DreamBus is currently used for mining cryptocurrency, the threat actor could pivot to more disruptive activities such as ransomware. In addition, other threat groups could leverage the same techniques to infect systems and compromise sensitive information that can be stolen and easily monetized. The DreamBus threat actor continues to innovate and add new modules to compromise more systems, and regularly pushes out updates and bug fixes. The threat actor behind DreamBus is likely to continue activity for the foreseeable future hidden behind TOR and anonymous file-sharing websites.”

Via ZDNet

Anthony Spadafora