This new botnet is targeting Linux servers running enterprise apps

botnet
(Image credit: Shutterstock / Jaiz Anuar)

Security researchers from Zscaler's ThreatLabZ team have discovered and analyzed a new Linux-based malware family that is being used by cybercriminals to target Linux servers (opens in new tab) running enterprise apps.

The cybersecurity firm has dubbed the new malware family DreamBus and it is actually a variant of an older botnet named SytemdMiner (opens in new tab) which first appeared back in 2019. However, current versions of DreamBus feature several improvements when compared to SystemdMiner.

The DreamBus botnet is currently being used to target a number of popular enterprise apps including PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service, all of which run on Linux servers.

While some of these apps have been targeted with brute-force attacks, others have been targeted using malicious commands sent to exposed API endpoints or by using exploits for older vulnerabilities.

DreamBus botnet

The cybercriminals deploying DreamBus are doing so with the aim of gaining a foothold on Linux servers where they can download and install an open-source app used for mining the cryptocurrency Monero (opens in new tab) (XMR). Additionally, each infected server then becomes part of the botnet,

According to Zscaler, DreamBus uses several measures to avoid being detected including the fact that the malware communicates with the botnet's command and control (C&C) server using the new DNS-over-HTTPS (DoH (opens in new tab)) protocol which is very complex to set up. The C&C server is also hosted on the Tor network (opens in new tab) using a .onion address to make it harder to take down.

Director of threat intelligence at Zscaler Brett Stone-Gross explained in a new report (opens in new tab) that finding the threat actor behind DreamBus will be difficult due to how they've hidden themselves using Tor and anonymous file-sharing websites, saying:

“While DreamBus is currently used for mining cryptocurrency, the threat actor could pivot to more disruptive activities such as ransomware. In addition, other threat groups could leverage the same techniques to infect systems and compromise sensitive information that can be stolen and easily monetized. The DreamBus threat actor continues to innovate and add new modules to compromise more systems, and regularly pushes out updates and bug fixes. The threat actor behind DreamBus is likely to continue activity for the foreseeable future hidden behind TOR and anonymous file-sharing websites.” 

Via ZDNet (opens in new tab)

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.