Security researchers from Zscaler's ThreatLabZ team have discovered and analyzed a new Linux-based malware family that is being used by cybercriminals to target Linux servers running enterprise apps.
The cybersecurity firm has dubbed the new malware family DreamBus. It is actually a variant of an older botnet named SystemdMiner, which first appeared back in 2019; however, current versions of DreamBus feature several improvements when compared to SystemdMiner.
The DreamBus botnet is currently being used to target a number of popular enterprise apps including PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack, and the SSH service, all of which run on Linux servers.
While some of these apps have been targeted with brute-force attacks, others have been targeted using malicious commands sent to exposed API endpoints or by using exploits for older vulnerabilities.
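One defensive check that follows from the brute-force attacks described above is spotting repeated authentication failures against SSH in the server's own logs. The Python below is an added example written for this page, not code from Zscaler's report or from the article; the log lines are constructed sample data, and the parser assumes the standard OpenSSH `sshd` "Failed password" / "Accepted password" message format. The threshold and time window are illustrative tuning parameters, not values taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real data from the article or Zscaler's report).
# One source makes five failed logins against several accounts in a few seconds and then
# succeeds with a password; another source fails once; a third logs in with a key.
SAMPLE_AUTH_LOG = """\
Jan 21 10:00:01 db01 sshd[2211]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 21 10:00:03 db01 sshd[2213]: Failed password for root from 198.51.100.7 port 51024 ssh2
Jan 21 10:00:04 db01 sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 51026 ssh2
Jan 21 10:00:06 db01 sshd[2217]: Failed password for invalid user postgres from 198.51.100.7 port 51028 ssh2
Jan 21 10:00:07 db01 sshd[2219]: Failed password for root from 198.51.100.7 port 51030 ssh2
Jan 21 10:00:09 db01 sshd[2221]: Accepted publickey for deploy from 203.0.113.5 port 40110 ssh2
Jan 21 10:00:15 db01 sshd[2223]: Failed password for root from 203.0.113.9 port 40500 ssh2
Jan 21 10:00:20 db01 sshd[2225]: Accepted password for root from 198.51.100.7 port 51032 ssh2
"""

# Matches the OpenSSH sshd authentication result lines in syslog format.
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_line(line):
    """Return a dict with ts, result, method, user, ip for an sshd auth line, else None."""
    m = SSHD_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; the default (1900) is fine for computing differences.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside any window_seconds span.

    Returns {ip: {"failures": max failures seen in one window,
                  "users": sorted account names tried,
                  "success_after_failures": True if the same IP later logged in}}.
    """
    failures = defaultdict(list)   # ip -> [(ts, user), ...]
    successes = defaultdict(list)  # ip -> [(ts, user), ...]
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        bucket = failures if ev["result"] == "Failed" else successes
        bucket[ev["ip"]].append((ev["ts"], ev["user"]))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start, best = 0, 0
        # Sliding window over the sorted failure timestamps for this IP.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        last_failure = events[-1][0]
        alerts[ip] = {
            "failures": best,
            "users": sorted({user for _, user in events}),
            # A success following a burst of failures is the case worth paging on.
            "success_after_failures": any(ts >= last_failure for ts, _ in successes.get(ip, [])),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

The sliding window keeps the check cheap on large logs, and reporting whether the same source later authenticated successfully separates noisy scanning from a likely compromise that needs the host isolated and its mining processes and persistence checked.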
DreamBus botnet
The cybercriminals deploying DreamBus are doing so with the aim of gaining a foothold on Linux servers where they can download and install an open-source app used for mining the cryptocurrency Monero (XMR). Additionally, each infected server then becomes part of the botnet.
According to Zscaler, DreamBus uses several measures to avoid being detected, including the fact that the malware communicates with the botnet's command and control (C&C) server using the new DNS-over-HTTPS (DoH) protocol, which is very complex to set up. The C&C server is also hosted on the Tor network using a .onion address to make it harder to take down.
Director of threat intelligence at Zscaler Brett Stone-Gross explained in a new report that finding the threat actor behind DreamBus will be difficult due to how they've hidden themselves using Tor and anonymous file-sharing websites, saying:
“While DreamBus is currently used for mining cryptocurrency, the threat actor could pivot to more disruptive activities such as ransomware. In addition, other threat groups could leverage the same techniques to infect systems and compromise sensitive information that can be stolen and easily monetized. The DreamBus threat actor continues to innovate and add new modules to compromise more systems, and regularly pushes out updates and bug fixes. The threat actor behind DreamBus is likely to continue activity for the foreseeable future hidden behind TOR and anonymous file-sharing websites.”
Via ZDNet