DreamBus botnet targets enterprise apps running on Linux servers
Analysts at Zscaler described the new DreamBus botnet, which is a variation of the SystemdMiner malware that appeared back in 2019.
The botnet mainly targets enterprise-level applications that run on Linux systems, including PostgreSQL, Redis, Hadoop YARN, Apache Spark, HashiCorp Consul, SaltStack and SSH. Some of these services are hit with brute-force attacks in which the malware tries default credentials, while others are attacked through exploits for old, already-patched vulnerabilities.
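The credential-guessing behaviour described above leaves a recognisable trace on the victim: a burst of failed logins from one source, often cycling through service account names. The following script is an added example (not code from Zscaler or from the article) that flags such bursts in OpenSSH auth logs. The log lines are constructed samples, and the one-minute window and five-attempt threshold are assumptions a defender would tune to their environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the standard OpenSSH syslog format (not real log data).
SAMPLE_LOG = """\
Jan 29 10:00:01 db01 sshd[2101]: Failed password for root from 203.0.113.5 port 51122 ssh2
Jan 29 10:00:02 db01 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Jan 29 10:00:03 db01 sshd[2103]: Failed password for invalid user postgres from 203.0.113.5 port 51124 ssh2
Jan 29 10:00:04 db01 sshd[2104]: Failed password for invalid user hadoop from 203.0.113.5 port 51125 ssh2
Jan 29 10:00:05 db01 sshd[2105]: Failed password for invalid user redis from 203.0.113.5 port 51126 ssh2
Jan 29 10:00:06 db01 sshd[2106]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Jan 29 10:09:00 db01 sshd[2107]: Failed password for alice from 198.51.100.9 port 40001 ssh2
"""

# Matches "Failed password" lines for both existing and "invalid user" accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text):
    """Return a list of (timestamp, username, source_ip) for each failed password attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; relative ordering is all the sliding window needs.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def find_bruteforce(log_text, window=timedelta(minutes=1), threshold=5):
    """Return {source_ip: {"attempts": n, "users": [...]}} for every source that
    produced at least `threshold` failed logins inside any span of length `window`.
    Window and threshold are assumed starting values, not figures from the article."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window` of the current event.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            if len(span) >= threshold:
                flagged[ip] = {
                    "attempts": len(span),
                    "users": sorted({u for _, u in span}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, usernames tried: {', '.join(info['users'])}")
```

Usernames that match the services a botnet targets (postgres, hadoop, redis) alongside root or admin are a stronger signal than the raw count alone, which is why the result lists the distinct accounts tried rather than only the number of failures. The same windowed-count logic applies unchanged to PostgreSQL or Redis authentication-failure log lines once the regular expression is adapted to their formats.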
The main task of DreamBus is to give its operators a foothold on the server so that they can download and install an open-source miner for the Monero cryptocurrency (XMR). In addition, some of the infected servers are used as bots to expand the botnet: they launch further brute-force attacks and scan for other possible targets.
Zscaler experts also noted that DreamBus is well protected from detection.
Source: xaker.ru
29 January 2021