DreamBus: The Linux-Based Malware Targeting Business Applications

Zscaler’s ThreatLabz research team detected a formidable adversary: DreamBus. A Linux-based malware family, DreamBus has been quietly evolving, honing its capabilities to exploit vulnerabilities in business applications.

DreamBus, initially identified in early 2019, has demonstrated a worm-like ability to spread across both internet and internal networks. It’s known for leveraging a combination of implicit trust, application-specific exploits, and weak passwords to infiltrate systems, particularly focusing on databases, cloud applications, and IT administration tools.

The primary goal of Linux-based DreamBus malware is the monetization of infected systems through Monero cryptocurrency mining, using XMRig. This reflects a growing trend among cybercriminals to harness the computational resources of compromised systems for financial gain.

Image Credit: Juniper Threat Labs

In a bid to remain elusive, DreamBus has introduced changes to its code, particularly in mid-2023. These updates are aimed at further evading detection and demonstrating the malware’s adaptive nature.

Notably, DreamBus has developed two new exploit modules targeting recent vulnerabilities in Metabase (CVE-2023-38646) and Apache RocketMQ (CVE-2023-33246). This shift indicates a strategic adaptation to target emerging weaknesses in popular business platforms.

DreamBus’s capability to target a range of applications, including PostgreSQL, HashiCorp Consul, Hadoop YARN, Redis, and SSH, poses a significant threat to organizations worldwide. Its preference for PostgreSQL indicates a strategic focus on data-rich environments.

DreamBus’s evolution underscores the need for robust cybersecurity measures. Organizations must prioritize securing applications, enforcing strong passwords, multi-factor authentication, and deploying network and endpoint monitoring systems to detect potential compromises.