DreamBus, FreakOut Botnets Pose New Threat to Linux Systems

Researchers from Zscaler and Check Point describe botnets as designed for DDoS attacks, cryptocurrency mining, and other malicious purposes.

Two dangerous new botnets have emerged in recent days targeting Linux-based systems worldwide.

One of them, dubbed "DreamBus," is malware with worm-like behavior that is capable of propagating itself both across the Internet and laterally through compromised internal networks using a variety of techniques.

Related Content:

APT Groups Set Sights on Linux Targets: Inside the Trend

Special Report: Understanding Your Cyber Attackers

New From The Edge: Hacker Pig Latin: A Base64 Primer for Security Analysts

Researchers at Zscaler who recently analyzed the threat described DreamBus as a modular piece of malware targeting Linux applications running on hardware systems with powerful CPUs and large amounts of memory.

The DreamBus botnet that has been assembled from systems the malware has compromised is currently being used to deploy the XMRig CPU miner to mine Monero cryptocurrency. But the same malware can be easily repurposed to deliver other more dangerous payloads, such as ransomware and malware, for stealing and holding data at ransom, says Brett Stone-Gross, director of threat intelligence at Zscaler.

"DreamBus can deploy arbitrary modules and execute arbitrary commands on a remote system," he says. "Given the prevalence of the software applications that are targeted and the aggressive worm-like spreading techniques, the number [of compromised systems is] likely in the tens of thousands."

In its advisory, Zscaler described DreamBus as having a variety of modules for self-propagation across the Interent and corprorate networks.

The malware can spread among systems that are not exposed to the Internet by scanning non-public RFC 1918 IP address space for vulnerable Linux systems. Among the many modules the malware uses for propagation are those that exploit implict trust and weak passwords and that enable unauthenticated remote code execution on applications such as Secure Shell (SSH), cloud-based apps and databases, and administration tools. Some of the malware's application-specific exploits include those targeting Apache Spark, SaltStack, Hadoop YARN, and HashiCorp Consul.

DreamBus' main component is a binary in Executable and Linkable Format (ELF) that can spread over SSH or is downloaded over HTTP. The botnet's command-and-control infrastructure is hosted on the TOR network and on anonymous file-sharing services that leverage the HTTP protocol, according to Zscaler. Available telemetry suggests the botnet operators are based in Russia or an East European country, Zscaler said.

"There is no single initial attack vector since each component is capable of compromising a system," Stone-Gross says. Most of the vulnerabilities that are exploited are either weak passwords or an application vulnerability where authentication is either not required — implicit trust — or can easily be bypassed such as SaltStack.

One key feature of DreamBus is that it can spread laterally in an internal network that is not publicly accessible, Stone-Gross says.  

"Systems behind a corporate firewall are often not as well protected because individuals may incorrectly assume that only other employees have access to the network," he says.

FreakOut Botnet
Meanwhile, Check Point earlier this week said it had observed a botnet, which it dubbed "FreakOut," targeting systems running vulnerable versions of the TerraMaster operating system for network attached storage servers, web apps and services using the Zend Framework, and the Liferay Portal CMS.

The malware is designed to exploit a newly disclosed vulnerablity in each of the three technologies: a command injection flaw in TerraMaster TOS (CVE-2020-28188), an insecure deserialization bug in Liferay Portal (CVE-2020-7961), and a remote code execution flaw in the Zend Framework (CVE-2021-3007).

Machines that the malware has compromised have been assembled into a botnet that is being used in distributed denial-of-service (DDoS_ attacks and for cryptomining purposes, Check Point said.

Adi Ikan, a security researcher at Check Point, says the company has direct evidence of more than 185 infected servers that are currently part of the FreakOut botnet. Check Point researchers have also observed hundreds of other additional attack attempts, most of which have been in the US and, to a lesser extent, European countries such as Germany and The Netherlands.

"Based on our sensors, there are more than 9,000 servers that are vulnerable to those vulnerabilities and are also exposed to the Internet," Ikan says. The fact that the attacker is targeting very new vulnerabilities in each of three Linux technologies is significant because it highlights the importance of addressing security issues quickly.

"The malware associated with this campaign is well-equipped with its capabilities [and is designed] to conduct various malicious activities," Ikan says.