Updated DreamBus malware targets RocketMQ vulnerability

BleepingComputer reports that since June a new version of the DreamBus botnet malware has been used in ongoing attacks against RocketMQ servers vulnerable to the critical remote code execution flaw tracked as CVE-2023-33246. According to a report from Juniper Threat Labs, DreamBus attacks exploiting the flaw first hit the RocketMQ broker's default port, 10911, and seven other ports in early June, then spiked in the middle of the month. Attackers first use the open-source interactsh tool to confirm that a server is exploitable, then download a malicious bash script named "reketed," which fetches and installs the DreamBus module. Further examination showed that the module not only downloads the XMRig Monero miner and executes bash scripts but also scans for other vulnerable hosts and spreads laterally. The researchers warned that the threat actors could extend the DreamBus campaign to carry out more varied attacks, and urged administrators to update RocketMQ servers to version 5.1.1 or later without delay.
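The only remediation the report names is a version floor, so the useful first check is an inventory pass: which RocketMQ brokers still run something older than 5.1.1, and which of those also expose the broker port 10911 that the attacks targeted. The script below is an added example, not code from the article or from Juniper Threat Labs. It applies exactly the threshold the article states (anything below 5.1.1 is treated as needing an update) and does not model the separate 4.x maintenance line; the host inventory is constructed sample data, and the `exposed` flag is an assumed field meaning the broker port is reachable from an untrusted network.

```python
import re

# Fix threshold as reported by Juniper Threat Labs: update to 5.1.1 or later.
FIXED_VERSION = (5, 1, 1)
BROKER_PORT = 10911  # RocketMQ broker default port named in the report

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings like '5.1.0', 'v4.9.4' or
    '5.1.1-SNAPSHOT'. Anything that does not start with three numeric
    components is rejected rather than silently treated as patched."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized RocketMQ version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def needs_update(version_text):
    """True when the version is below the 5.1.1 floor the report gives."""
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory):
    """inventory: list of dicts with 'host', 'version', 'ports' (open TCP
    ports) and 'exposed' (assumed field: broker reachable from an untrusted
    network). Returns the hosts needing an update, most urgent first:
    exposed brokers with 10911 open sort before internal ones."""
    flagged = [h for h in inventory if needs_update(h["version"])]

    def urgency(h):
        broker_open = BROKER_PORT in h["ports"]
        # Tuple sorts ascending, so invert the booleans to put the
        # exposed, broker-open hosts first.
        return (not (h["exposed"] and broker_open), not broker_open, h["host"])

    return [h["host"] for h in sorted(flagged, key=urgency)]


# Constructed sample inventory (not real hosts or scan results).
SAMPLE_INVENTORY = [
    {"host": "mq-edge-1", "version": "5.1.0", "ports": [10911, 9876], "exposed": True},
    {"host": "mq-core-2", "version": "5.1.1", "ports": [10911, 9876], "exposed": False},
    {"host": "mq-core-3", "version": "4.9.4", "ports": [10911], "exposed": False},
    {"host": "mq-lab-4", "version": "v5.0.0", "ports": [9876], "exposed": True},
    {"host": "mq-core-5", "version": "5.2.0-SNAPSHOT", "ports": [10911], "exposed": True},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("update required:", host)
```

Run against a real inventory, the ordering tells you where to patch first: an internet-exposed broker on a pre-5.1.1 build is exactly the target profile the report describes, while an internal host on the same version is a second-tier item. The parser deliberately raises on unknown version strings so that an unparseable entry surfaces for manual review instead of being skipped.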
