🚨 #Cybersecurity Alert: DreamBus Botnet is back and exploiting a new vulnerability in RocketMQ servers (CVE-2023-33246) for remote code execution. Juniper Threat Labs reports multiple attacks installing the DreamBus malware.

Key Points:

Vulnerability Disclosure:

  • In May 2023, a vulnerability (CVE-2023-33246) was disclosed that affects RocketMQ servers and allows for remote code execution.

Exploitation by DreamBus Botnet:

  • Juniper Threat Labs detected multiple attacks exploiting this vulnerability to install the DreamBus bot, a malware strain last seen in 2021.

Attack Timeline:

  • Attacks began in early June and peaked in mid-June.
  • Attackers targeted the default port for RocketMQ (10911) and at least seven other ports.

Reconnaissance and Malicious Activities:

  • Initial attacks used an open-source tool called 'interactsh' for reconnaissance.
  • From June 19th, attackers began using a malicious bash script named "reketed" to download and execute payloads.
  • Two methods were used for payload retrieval: TOR proxy service and a specific IP address.

Technical Details:

  • The 'reketed' bash script downloads the DreamBus main module from a TOR hidden service.
  • Both 'reketed' and the DreamBus main module had zero detections on VirusTotal at the time of analysis.
  • The DreamBus main module is an ELF Linux binary packed with UPX, making static detection challenging.

Malware Capabilities:

  • The malware can perform various functions like downloading other modules and sending notifications to the server.
  • It can send requests to different paths on the TOR onion service for various actions like pinging the server, downloading and executing the main module, installing a Monero miner, and executing bash scripts.

Implications:

  • The attacks add complexity to potential forensic investigations and pose a significant threat to RocketMQ servers.

The article provides a comprehensive look into the DreamBus botnet's resurgence, its exploitation of the RocketMQ vulnerability, and the technical intricacies involved in the attacks.

Indicators of Compromise (IoCs) for DreamBus Botnet:

  • IP and Servers:

    • 92[.]204.243.155: Download Server
    • ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion: .onion Download and Control Server
  • Scripts and Miners:

    • 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047: Bash script downloader
    • 1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d: XMRig Miner
  • DreamBus Bot Hashes:
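Two defender-side checks the write-up suggests, as an added example that is not part of the post or of Juniper's research: match file hashes against the SHA-256 indicators listed above, and flag ELF binaries carrying the "UPX!" packer signature, the form the DreamBus main module was reported in. The sample inputs are constructed stand-ins, not real malware; the hash set below is taken from the labelled IoCs above.

```python
"""Triage helper: hash-match against the post's IoCs and apply a UPX-packed ELF heuristic."""
import hashlib

# SHA-256 IoCs quoted in the post: the 'reketed' downloader and the XMRig miner.
DREAMBUS_SHA256 = {
    "1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047",  # bash downloader
    "1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d",  # XMRig miner
}

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF file
UPX_MARKER = b"UPX!"      # signature UPX leaves in its decompression stub


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_upx_elf(data: bytes) -> bool:
    """Heuristic only: ELF header plus the UPX signature somewhere in the image."""
    return data.startswith(ELF_MAGIC) and UPX_MARKER in data


def triage(name: str, data: bytes, iocs=DREAMBUS_SHA256) -> dict:
    """Return the verdict for one file: exact IoC hit and/or packed-ELF heuristic."""
    digest = sha256_hex(data)
    return {
        "name": name,
        "sha256": digest,
        "ioc_match": digest in iocs,
        "upx_elf": looks_like_upx_elf(data),
    }


# Constructed samples (assumption: stand-ins, not real binaries): a fake UPX-packed
# ELF stub and a harmless shell script.
SAMPLES = {
    "packed.elf": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + UPX_MARKER + b"\x00" * 32,
    "hello.sh": b"#!/bin/bash\necho hello\n",
}


def triage_all(samples=SAMPLES):
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in triage_all():
        verdict = "ALERT" if r["ioc_match"] or r["upx_elf"] else "ok"
        print(f"{verdict:5} {r['name']}: sha256={r['sha256'][:16]}... upx_elf={r['upx_elf']}")
```

A "UPX!" hit is a triage signal, not proof of compromise: legitimate software is sometimes UPX-packed, so escalate on the hash match and investigate the heuristic hits.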

Source: https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability

#InfoSec #DreamBus #RocketMQ #CVE2023-33246 #reketed 🛡️

DreamBus Botnet Resurfaces, Targets RocketMQ vulnerability | Official Juniper Networks Blogs
