A vulnerability affecting Apache RocketMQ servers was publicly disclosed in May 2023, allowing remote code execution through a gateway. RocketMQ is a cloud-native platform for messaging and streaming.
The command execution vulnerability affects RocketMQ version 5.1.0 and below.
A remote, unauthenticated user can exploit this vulnerability by using the update configuration function to execute commands with the same access level as that of the RocketMQ user process. It has been assigned CVE-2023-33246.
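Since the page gives the affected range as 5.1.0 and below, a defender's first step is an inventory check. The following is an added example (not from the article or from Juniper Threat Labs) that flags hosts whose RocketMQ version falls in that range; the hostnames and version strings are constructed sample data, and the "5.1.0 and below" threshold is taken from the text above.

```python
import re
from typing import List, Tuple

# Threshold stated on the page: CVE-2023-33246 affects RocketMQ 5.1.0 and below.
MAX_AFFECTED = (5, 1, 0)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn strings such as 'v5.1.0', '4.9.4' or 'rocketmq-5.1.1' into a numeric tuple.

    Comparing tuples avoids the classic string-comparison bug where '5.10.0'
    sorts below '5.1.1' and a patched broker would be misreported as vulnerable.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(v: str) -> bool:
    """True when the version is within the affected range (5.1.0 and below)."""
    return parse_version(v) <= MAX_AFFECTED


def find_affected(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames from (host, version) pairs that need remediation."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory (hypothetical hosts, not from the article).
SAMPLE_INVENTORY = [
    ("mq-prod-01.example.internal", "5.1.0"),   # affected: at the threshold
    ("mq-prod-02.example.internal", "4.9.4"),   # affected: below the threshold
    ("mq-staging.example.internal", "v5.1.1"),  # not affected
    ("mq-lab.example.internal", "5.10.0"),      # not affected; string compare would get this wrong
]

if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: RocketMQ version within CVE-2023-33246 affected range")
```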
Juniper Threat Labs shed light on these attacks, detecting a pattern where threat actors capitalized on the vulnerability to infiltrate systems.
Remarkably, these infiltrations culminated in installing the notorious DreamBus bot, a malware strain that re-emerged after lying dormant since 2021.
Mapping the Attack Timeline
Beginning in early June, cybercriminals launched attacks against the RocketMQ vulnerability, with the assault’s intensity peaking in mid-June.
By using ‘interactsh,’ Juniper Threat Labs gathered invaluable reconnaissance data while keeping their activities covert.
On June 19th, a series of attacks emerged, featuring the download and execution of a malicious bash script named “reketed.”
On the same day, threat actors exhibited two methods for retrieving and executing this shell script.
In one scenario, a TOR proxy service named “tor2web.in” facilitated anonymous downloading.
In the other, the attackers fetched it directly from a specific IP address.
DreamBus’s Expanded Arsenal
The downloaded payload, the “reketed” bash script, has the SHA-256 hash 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047.
Intriguingly, this file lacked VirusTotal (VT) detections at the time of analysis.
The “reketed” script orchestrated the download of the DreamBus main module from a TOR hidden service.