DreamBus Botnet Exploiting RCE Flaw in Apache RocketMQ Servers

A vulnerability affecting Apache RocketMQ servers was publicly disclosed in May 2023, allowing remote code execution through a gateway. RocketMQ is a cloud-native platform for messaging and streaming.

The command execution vulnerability has been reported in RocketMQ affecting version 5.1.0 and below.

A remote, unauthenticated user can exploit this vulnerability by using the update configuration function to execute commands with the same access level as that of the RocketMQ user process. It has been assigned CVE-2023-33246. 

Juniper Threat Labs shed light on these attacks, detecting a pattern where threat actors capitalized on the vulnerability to infiltrate systems. 

Remarkably, these infiltrations culminated in installing the notorious DreamBus bot, a malware strain that re-emerged after lying dormant since 2021.

Mapping the Attack Timeline

Beginning in early June, cybercriminals launched attacks against the RocketMQ vulnerability, with the assault’s intensity peaking in mid-June. 

By utilizing ‘interactsh,’ Juniper Threat labs gathered invaluable reconnaissance data while keeping their activities covert.

On June 19th, a series of attacks emerged, featuring the download and execution of a malicious bash script named “reketed.” 

On the same day, threat actors exhibited two methods for retrieving and executing this shell script. 

In one scenario, a TOR proxy service named “tor2web.in” facilitated anonymous downloading. 

In the other, the attackers invoked a specific IP address

DreamBus’s Expanded Arsenal

The downloaded payload, the “reketed” bash script, executed with a specific hash (1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047). 

Intriguingly, this file lacked VirusTotal (VT) detections at the time of analysis. 

The “reketed” script orchestrated the download of the DreamBus main module from a TOR hidden service.

(DreamBus botnet is a malware that delivers a cryptocurrency miner to infected computers).

The DreamBus main module, an ELF binary, surfaced after a successful download. 

It posed challenges with its modified UPX headers, foiling the traditional UPX unpacking process.

Upon deciphering, the module was revealed to execute numerous base64 encoded strings, each corresponding to distinct functionalities.

Decoding the base64 strings unveiled a bash script similar to “reketed,” endowed with diverse capabilities. 

These scripts orchestrated various functions, from downloading modules to mining Monero cryptocurrency. 

They navigated the complex TOR network, forging paths like “/ping,” “/mine,” and “/cmd1.”

The Web of Persistence and Monero Mining

To ensure sustained presence, the DreamBus malware employed a multi-pronged approach. 

Timer services, cron jobs, and automated IT tools fueled its persistence, allowing cybercriminals to maintain their foothold. 

Additionally, the malware introduced Monero cryptocurrency mining, XMRig, through TOR, perpetuating their nefarious objectives.

The symbiotic relationship between the RocketMQ vulnerability and the DreamBus bot underscores the inherent dangers of unpatched systems.

Source: https://cybersecuritynews.com/dreambus-botnet-rocketmq-servers/