DreamBus Malware: Stealthy RocketMQ Attack and Monero Mining

The most recent iteration of the DreamBus botnet malware is exploiting a severe remote code execution vulnerability in RocketMQ servers. The issue, tracked as CVE-2023-33246, affects RocketMQ versions 5.1.0 and earlier and can allow attackers to execute commands remotely under certain conditions.
Researchers from Juniper Threat Labs observed a rise in activity around mid-June 2023, which led them to discover this attack. The attackers exploited the vulnerability not only on RocketMQ's default port 10911 but also on additional ports, and used the 'interactsh' tool for reconnaissance. A malicious bash script dubbed "reketed" was downloaded from a Tor site, which helped it evade antivirus detection.
The script is packed with a customized UPX packer to further conceal its operation, and it was used to download and install the main DreamBus module, an ELF file. That module runs a range of encrypted scripts for tasks such as reporting its online status, installing a Monero miner, executing further scripts, or fetching a new batch of malware. DreamBus persists by installing a system service and a cron job that runs every hour.
Although its modular architecture would allow future expansion, DreamBus currently appears to be focused primarily on Monero mining. Because RocketMQ servers carry application messages, attackers could also gain access to confidential conversation data through them. To prevent these attacks, RocketMQ administrators are urged to upgrade to version 5.1.1 or later. More broadly, consistent patch management across all software products is essential to counter the wider DreamBus threat, which has already targeted products such as Redis, PostgreSQL, Hadoop YARN, and others.
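The two defender-side checks that follow from the article are a hunt for the persistence mechanisms it describes (an hourly cron job and a system service) and a check that the installed RocketMQ version is at or above the fixed release. The script below is an added example written for this page, not code from Juniper Threat Labs or the RocketMQ project. The crontab text, the systemd unit contents and the file paths are constructed sample data; only the file name "reketed" comes from the article, and the version threshold 5.1.1 is the upgrade target the article names. It flags cron entries that run every hour or execute from temporary directories, systemd units whose ExecStart points into a temporary directory, and RocketMQ version strings below 5.1.1.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample crontab (hypothetical paths; "reketed" is the script name from the article)
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update
0 * * * * /tmp/.x/reketed
@hourly /var/tmp/.cache/run.sh
*/15 * * * * /usr/local/bin/backup.sh
"""

# Constructed sample systemd units keyed by a hypothetical path
SAMPLE_UNITS: Dict[str, str] = {
    "/etc/systemd/system/updater.service": (
        "[Unit]\nDescription=Updater\n\n[Service]\n"
        "ExecStart=/tmp/.x/dreambus\nRestart=always\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/etc/systemd/system/nginx.service": (
        "[Service]\nExecStart=/usr/sbin/nginx -g 'daemon off;'\n"
    ),
}

# Directories a legitimate service or cron job rarely runs from
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
FIXED_ROCKETMQ = (5, 1, 1)  # first fixed release named in the article


def parse_cron_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a crontab line into (schedule, command); None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):          # @hourly, @daily, ... forms
        sched, _, cmd = line.partition(" ")
        return sched, cmd.strip()
    fields = line.split(None, 5)
    if len(fields) < 6:
        return None
    return " ".join(fields[:5]), fields[5]


def is_hourly(schedule: str) -> bool:
    """True for '@hourly' or a fixed minute with a wildcard hour ('0 * * * *')."""
    if schedule == "@hourly":
        return True
    fields = schedule.split()
    return len(fields) == 5 and fields[0].isdigit() and fields[1] == "*"


def runs_from_temp(command: str) -> bool:
    """True when the executable path of the command starts in a temp directory."""
    exe = command.split()[0] if command.split() else ""
    return exe.startswith(SUSPICIOUS_DIRS)


def flag_cron(crontab_text: str) -> List[Dict[str, object]]:
    """Return the cron entries worth a closer look, with the reasons they were flagged."""
    findings = []
    for raw in crontab_text.splitlines():
        parsed = parse_cron_line(raw)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = []
        if is_hourly(schedule):
            reasons.append("hourly schedule")
        if runs_from_temp(command):
            reasons.append("runs from temp directory")
        if reasons:
            findings.append({"line": raw.strip(), "reasons": reasons})
    return findings


def flag_units(units: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (unit path, ExecStart) pairs whose ExecStart lives in a temp directory."""
    findings = []
    for path, body in units.items():
        for m in re.finditer(r"^ExecStart=(.+)$", body, re.MULTILINE):
            if runs_from_temp(m.group(1).strip()):
                findings.append((path, m.group(1).strip()))
    return findings


def rocketmq_vulnerable(version: str) -> bool:
    """True when the version string sorts below the 5.1.1 fix named in the article."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))
    return parts < FIXED_ROCKETMQ


if __name__ == "__main__":
    for f in flag_cron(SAMPLE_CRONTAB):
        print("cron:", f["line"], "->", ", ".join(f["reasons"]))
    for path, exe in flag_units(SAMPLE_UNITS):
        print("unit:", path, "->", exe)
    for v in ("4.9.5", "5.1.0", "5.1.1"):
        print("RocketMQ", v, "vulnerable:", rocketmq_vulnerable(v))
```

In practice you would feed `flag_cron` the output of `crontab -l` for each user plus the contents of `/etc/cron.d`, and `flag_units` the unit files under `/etc/systemd/system`; the temp-directory heuristic is a starting point for triage, not a verdict, so review each flagged entry before removing it.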