DreamBus Botnet Exploiting RCE Flaw in Apache RocketMQ Servers

by Esmeralda McKenzie

A vulnerability affecting Apache RocketMQ servers was publicly disclosed in May 2023, allowing remote code execution through a gateway. RocketMQ is a cloud-native platform for messaging and streaming.

The command execution vulnerability has been reported in RocketMQ, affecting version 5.1.0 and below.

A remote, unauthenticated user can exploit this vulnerability by using the update configuration function to execute commands with the same access level as that of the RocketMQ user process. It has been assigned CVE-2023-33246.

Juniper Threat Labs shed light on these attacks, detecting a pattern where threat actors capitalized on the vulnerability to infiltrate systems.

Remarkably, these infiltrations culminated in the installation of the notorious DreamBus bot, a malware strain that re-emerged after lying dormant since 2021.

Mapping the Attack Timeline

Beginning in early June, cybercriminals launched attacks against the RocketMQ vulnerability, with the attacks' intensity peaking in mid-June.

[Figure] Timeline of Recent RocketMQ Attacks Observed by Juniper Threat Labs.

By using 'interactsh', Juniper Threat Labs gathered valuable reconnaissance data while keeping their own activity covert.

On June 19th, a series of attacks emerged that involved the download and execution of a malicious bash script named "reketed."

On the same day, threat actors exhibited two methods for retrieving and executing this shell script.

In one scenario, a TOR proxy service named "tor2web.in" facilitated anonymous downloading.


In the other, the attackers contacted a specific IP address directly.


DreamBus's Expanded Arsenal

The downloaded payload, the "reketed" bash script, came with a specific hash (1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047).

Intriguingly, this file had no VirusTotal (VT) detections at the time of analysis.

The "reketed" script orchestrated the download of the DreamBus main module from a TOR hidden service.

(The DreamBus botnet is malware that delivers a cryptocurrency miner to infected computers.)

The DreamBus main module, an ELF binary, surfaced after a successful download.

It posed challenges with its modified UPX headers, which defeated the standard UPX unpacking process.

Once unpacked, the module was found to contain various base64-encoded strings, each corresponding to a distinct functionality.

Decoding the base64 strings revealed a bash script similar to "reketed," endowed with various capabilities.

These scripts orchestrated various functions, from downloading modules to mining Monero cryptocurrency.

They navigated the TOR network using paths such as "/ping," "/mine," and "/cmd1."
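The indicators the article names (the "reketed" dropper, the tor2web.in proxy, the "/ping", "/mine" and "/cmd1" paths, and the SHA-256 of the dropper) can be turned into a simple triage check over outbound proxy logs. The following is an added example, not code from Juniper Threat Labs or the article; the log format, hostnames and client IPs are constructed for illustration.

```python
"""Flag DreamBus/RocketMQ-campaign indicators in a constructed proxy log (added example)."""
import hashlib
import re
from typing import List, Optional, Tuple

# Indicators taken from the article; everything else below is assumed.
REKETED_SHA256 = "1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047"
DREAMBUS_PATHS = {"/ping", "/mine", "/cmd1"}
TOR2WEB_PROXY = "tor2web.in"
DROPPER_NAME = "reketed"

# Constructed log layout: "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_line(line: str) -> Optional[str]:
    """Return a reason string if the request matches a known indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = m.group(4)
    host, _, rest = url.split("://", 1)[-1].partition("/")
    path = "/" + rest
    if host.endswith(TOR2WEB_PROXY):
        return "download via tor2web proxy"
    if path.rsplit("/", 1)[-1] == DROPPER_NAME:
        return "fetch of 'reketed' dropper"
    if path in DREAMBUS_PATHS and host.endswith(".onion"):
        return f"DreamBus C2 path {path} over TOR"
    return None


def scan_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every line that matches an indicator."""
    return [(ln, r) for ln in lines if (r := classify_line(ln))]


def matches_reketed_hash(data: bytes) -> bool:
    """Compare a file's SHA-256 with the dropper hash reported in the article."""
    return hashlib.sha256(data).hexdigest() == REKETED_SHA256


# Constructed sample log; 203.0.113.10 is a documentation-range placeholder IP.
SAMPLE_LOG = [
    "2023-06-19T10:01:02Z 10.0.0.5 GET http://203.0.113.10/reketed 200",
    "2023-06-19T10:01:30Z 10.0.0.5 GET http://exampleonionaddr.onion.tor2web.in/reketed 200",
    "2023-06-19T10:02:00Z 10.0.0.5 GET http://exampleonionaddr.onion/ping 200",
    "2023-06-19T10:05:00Z 10.0.0.7 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for line, reason in scan_log(SAMPLE_LOG):
        print(f"{reason}: {line}")
```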

The Web of Persistence and Monero Mining

To ensure a sustained presence, the DreamBus malware employed a multi-pronged approach.

Timer services, cron jobs, and automated IT tools fueled its persistence, allowing the cybercriminals to maintain their foothold.

Additionally, the malware launched Monero cryptocurrency mining with XMRig over TOR, furthering the attackers' malicious goals.

The symbiotic relationship between the RocketMQ vulnerability and the DreamBus bot underscores the inherent risks of unpatched systems.

Source credit : cybersecuritynews.com
