DreamBus, FreakOut Botnets Pose New Threat to Linux Systems

Researchers from Zscaler and Check Point describe the botnets as designed for DDoS attacks, cryptocurrency mining, and other malicious purposes.

Two dangerous new botnets have emerged in recent days targeting Linux-based systems worldwide.


One of them, dubbed "DreamBus," is malware with worm-like behavior that is capable of propagating itself both across the Internet and laterally through compromised internal networks using a variety of techniques.


Researchers at Zscaler who recently analyzed the threat described DreamBus as a modular piece of malware targeting Linux applications running on hardware systems with powerful CPUs and large amounts of memory.


The DreamBus botnet, assembled from systems the malware has compromised, is currently being used to deploy the XMRig CPU miner to mine Monero cryptocurrency. But the same malware can be easily repurposed to deliver other, more dangerous payloads, such as ransomware and malware for stealing data and holding it for ransom, says Brett Stone-Gross, director of threat intelligence at Zscaler.


"DreamBus can deploy arbitrary modules and execute arbitrary commands on a remote system," he says. "Given the prevalence of the software applications that are targeted and the aggressive worm-like spreading techniques, the number [of compromised systems is] likely in the tens of thousands."


In its advisory, Zscaler described DreamBus as having a variety of modules for self-propagation across the Internet and corporate networks.


The malware can spread among systems that are not exposed to the Internet by scanning non-public RFC 1918 IP address space for vulnerable Linux systems. Among the many modules the malware uses for propagation are those that exploit implicit trust and weak passwords and that enable unauthenticated remote code execution on applications such as Secure Shell (SSH), cloud-based apps and databases, and administration tools. Some of the malware's ..
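
The internal RFC 1918 scanning described above leaves a recognizable trace in flow logs: one internal host reaching many distinct internal addresses on the same service port in a short time. The following detection sketch is an added example, not code from Zscaler or from the article; the log format, the watched ports other than SSH, the threshold, and the window are all assumptions to tune per network.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 22 = SSH (named in the article); 5432 = PostgreSQL, an assumed example database port.
WATCHED_PORTS = {22, 5432}

# Constructed flow records, "epoch_seconds src dst dst_port" (hypothetical format).
SAMPLE_FLOWS = (
    [f"{1000 + i} 10.0.5.23 10.0.5.{i + 1} 22" for i in range(8)]            # fast sweep
    + ["1001 192.168.1.10 192.168.1.20 22"] * 3                              # one admin target
    + [f"{1000 + 150 * i} 10.0.5.40 10.0.9.{i + 1} 5432" for i in range(5)]  # slow, spread out
    + ["1002 10.0.5.23 8.8.8.8 22", "1003 10.0.5.23 not-an-ip 22", "garbage"]
)

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in RFC1918)

def find_internal_scanners(lines, threshold=5, window=60):
    """Return {(src, port): peak count of distinct internal targets within `window` seconds}."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts, dport = int(parts[0]), int(parts[3])
            internal = is_rfc1918(parts[1]) and is_rfc1918(parts[2])
        except ValueError:
            continue  # skip malformed records instead of aborting the run
        if internal and dport in WATCHED_PORTS:
            events[(parts[1], dport)].append((ts, parts[2]))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start, counts = 0, defaultdict(int)
        for ts, dst in evs:
            counts[dst] += 1
            while ts - evs[start][0] > window:  # slide the window forward
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(counts))
    return alerts

if __name__ == "__main__":
    print(find_internal_scanners(SAMPLE_FLOWS))
```

On the constructed sample, only the host sweeping eight neighbors on port 22 is flagged; the repeated single-target session and the slow, spread-out database connections stay below the threshold.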