DreamBus Botnet exploits Apache RocketMQ Vulnerability to mine Cryptocurrency

published: Aug. 31, 2023

Take action: Time to run an inventory on your systems and check if any are using RocketMQ. Every one of these systems that's exposed to the internet is a high priority for patching, so chase down the vendor for an updated version. Or lock down the system in an internal network until a patch is available.

Learn More

DreamBus botnet has been observed exploiting a recently patched vulnerability in Apache RocketMQ. The primary objective of these attacks is to deploy a cryptocurrency miner onto compromised systems.

Apache RocketMQ serves as a widely utilized platform for distributed messaging and streaming, that runs on a lot of custom products including some networking equipment. The vulnerability is tracked as CVE-2023-33246. This vulnerability came to public attention in late May when RocketMQ version 5.1.1 was issued to address the security flaw. The severity of CVE-2023-33246 has been classified as 'critical', enabling unauthorized attackers to remotely execute commands.

In June, comprehensive details and proof-of-concept (PoC) exploits for the vulnerability was published and real-world exploitation quicklu followed.

Juniper Networks reported that they identified attacks leveraging CVE-2023-33246 as starting in early June, reaching a peak later that month, and attributing these attacks to the DreamBus botnet.

The attackers' strategy involved seeking out vulnerable RocketMQ server and disseminate a malicious bash script intended to download the main component of the DreamBus malware. DreamBus is a strain of Linux malware that initially surfaced in early 2019, had remained dormant since 2021 until its recent resurgence.

Although the central goal of the DreamBus threat actors continues to be the installation of a Monero cryptocurrency miner, the versatile nature of the DreamBus malware, equipped with the ability to execute bash scripts, grants the cybercriminals the potential to diversify their attacks. Juniper underscores this point by noting that the malware could potentially be employed for deploying a range of other malicious software.

DreamBus Botnet exploits Apache RocketMQ Vulnerability to mine Cryptocurrency