RocketMQ Vulnerability Exploited by DreamBus Malware

DreamBus Malware
Image: Juniper Threat Labs

May 2023 will long be remembered in the cybersecurity community, not just as the month a critical vulnerability (CVE-2023-33246) was disclosed in Apache RocketMQ, but for the troubling aftermath it ignited.

RocketMQ, a reputable player in the world of message queuing systems, came under scrutiny due to a major flaw in its architecture. Present in versions up to 5.1.0, this vulnerability could potentially let remote unauthorized users hijack the system. They can easily manipulate the configuration update function to execute commands at the RocketMQ user access level. With RocketMQ’s multiple components exposed over the internet, this weakness posed a massive risk.

Image: Juniper Threat Labs

Juniper Threat Labs, in early June, detected a wave of attacks targeting this vulnerability. The assaults hit their peak by mid-June, targeting not just RocketMQ’s default port (10911) but seven others as well.

Initial incursions were more exploratory than destructive. Threat actors deployed ‘interactsh,’ an open-source reconnaissance tool, to scan server vulnerabilities, staying under the radar while gathering valuable intelligence.

But by June 19th, the nature of the attacks took a sinister turn. Malicious scripts, notably one named “reketed,” were deployed. This was fetched via two methods: one using the anonymity of the TOR network via a proxy, and the other directly from an IP address.

Upon successful execution, “reketed” downloads the DreamBus main module from a TOR hidden service. The downloaded binary has been smartly designed to evade detection. It is encrypted and packed with UPX, and its headers and footers have been tampered with to resist unpacking.

Once the DreamBus module is downloaded and executed, it swiftly cleans up traces of its presence, making subsequent forensic analysis challenging. Static analysis revealed it contained numerous encoded strings which, when decoded, resemble the original “reketed” script. This script’s versatility includes fetching other malware modules using different paths on a TOR onion service.

Juniper’s research unearthed DreamBus malware’s advanced functionalities. It can alert its control server about its various activities, terminate processes related to outdated versions of itself, and even spread laterally across a network. For this lateral movement, it leverages IT automation tools like ansible, knife, salt, and pssh.

Furthermore, it extracts host data from various files to spread its malicious footprint. A significant discovery was DreamBus retrieving XMRig, a Monero cryptocurrency miner program, designed for mining purposes. This reveals the primary objective of the malicious actors: Monero cryptocurrency mining.

DreamBus malware ensures its presence on the infected system isn’t short-lived. It uses a blend of service setups and cron jobs, scheduled hourly, to ensure consistent execution of its payload.

While DreamBus’s primary goal seems to revolve around cryptocurrency mining, its modular structure suggests that the malware could be further weaponized to deliver a range of payloads. It’s evident that its creators prioritize exploiting fresh vulnerabilities, such as RocketMQ’s CVE-2023-33246.

In light of these revelations, it’s imperative for organizations to prioritize patch management processes. Ensuring systems are updated promptly is the frontline defense against threats like DreamBus malware and potential future attacks.