Introduction

Zscaler’s ThreatLabz research team has been tracking the Linux-based malware family known as DreamBus. Not much has changed in the last few years other than minor bug fixes and slight modifications to evade detection by security software. However, in the last 6 months, the threat actor operating DreamBus has introduced two new modules to target vulnerabilities in Metabase and Apache RocketMQ. This is likely in response to a decrease in new infections stemming from the exploits utilized by DreamBus, many of which are dated and have been in use for several years. DreamBus also continues to use techniques that exploit implicit trust and weak passwords in Secure Shell (SSH), IT administration tools, cloud-based applications, and databases. The primary monetization vector for DreamBus infections is still mining Monero cryptocurrency.
Key Takeaways

DreamBus is a modular Linux-based botnet dating back to early 2019 with worm-like behavior that can spread across the internet as well as internal networks.
DreamBus uses a combination of implicit trust, application-specific exploits, and weak passwords to gain access to systems such as databases, cloud-based applications, and IT administration tools.
Infected systems are monetized by mining Monero cryptocurrency using XMRig.
In June 2023, the DreamBus malware author introduced new changes to the code to further evade detection.
The threat actor developed two new exploit modules that target vulnerabilities in Metabase (CVE-2023-38646) and Apache RocketMQ (CVE-2023-33246).

Technical Analysis

Zscaler ThreatLabz has previously analyzed DreamBus and its modules. Each DreamBus module is an Executable and Linkable Format (ELF) binary that is packed by UPX with a modified header and footer. This alteration is designed to prevent the UPX command-line tool from statically unpacking DreamBus binaries. The magic bytes UPX! (0x21585055) are typically replaced with values that change over time. In recent DreamBus samples, the UPX magic bytes have been replaced with the value .gnu (0x756e672e).
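As an added defensive example (not code from the ThreatLabz write-up or from DreamBus), the Python below reads the two places a UPX-packed ELF stores its 4-byte pack magic and flags files where both carry the same non-UPX! value, such as the .gnu replacement described above. It assumes the standard UPX ELF layout (l_info directly after the program header table, a 32-byte PackHeader plus 4-byte overlay offset at the end of the file); the sample it builds is a constructed skeleton, not a real binary.

```python
import struct

UPX_MAGIC = b"UPX!"
DREAMBUS_MAGIC = b".gnu"  # replacement seen in recent DreamBus samples (0x756e672e)

def upx_magics(data: bytes):
    """Return (header_magic, footer_magic) or None if the ELF is unreadable.

    Assumed UPX ELF layout: l_info follows the program header table, so
    l_magic sits at e_phoff + e_phnum*e_phentsize + 4; the file ends with a
    32-byte PackHeader plus a 4-byte overlay offset, so its magic is at -36.
    """
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return None
    end = "<" if data[5] == 1 else ">"
    if data[4] == 2:  # ELFCLASS64
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:             # ELFCLASS32
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    linfo = phoff + phnum * phentsize
    if linfo + 8 > len(data) - 36:
        return None
    return data[linfo + 4:linfo + 8], data[-36:-32]

def classify_upx(data: bytes) -> str:
    """Heuristic: 'stock-upx', 'modified-upx' (header and footer share a
    non-'UPX!' value, or carry the DreamBus '.gnu' value) or 'not-upx'."""
    m = upx_magics(data)
    if m is None:
        return "not-upx"
    head, foot = m
    if head == foot == UPX_MAGIC:
        return "stock-upx"
    if head == DREAMBUS_MAGIC or (head == foot and head not in (UPX_MAGIC, b"\0" * 4)):
        return "modified-upx"
    return "not-upx"

def make_sample(magic: bytes) -> bytes:
    """Constructed ELF64 skeleton with a UPX-style l_info and trailer; not a
    real binary, just enough structure to exercise the checks above."""
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"           # ELF64, little-endian, version 1
    struct.pack_into("<Q", ehdr, 0x20, 64)       # e_phoff: right after the header
    struct.pack_into("<HH", ehdr, 0x36, 56, 2)   # e_phentsize, e_phnum
    linfo = b"\0" * 4 + magic + b"\0" * 4        # l_checksum, l_magic, rest zeroed
    trailer = magic + b"\0" * 32                 # PackHeader + overlay offset
    return bytes(ehdr) + bytes(56 * 2) + linfo + b"\xcc" * 64 + trailer
```

Because the check is structural rather than string-based, it still fires when the magic is rotated to a new value, which is the behaviour the text describes; treat a "modified-upx" verdict as a triage signal, not proof of DreamBus.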

DreamBus modules all have a very similar structure. The main difference between each module is the exploit code. Each module scans for servers listening on specific ports, performs exploitation, and if successful, executes shell scripts that download the main DreamBus module, which in turn deploys XMRig to mine Monero cryptocurrency. Each exploit module creates a lock file named /tmp/.systemd.3 to ensure that only one instance is running at a time. Each exploit module scans internal RFC 1918 ranges 172.16.0.0/12, 192.168.0.0/16, and 10.0.0.0/8 as well as randomly scanning public IP ranges.

Over the last 6 months, ThreatLabz observed DreamBus deploy modules for the following applications:

Metabase (CVE-2023-38646)
RocketMQ (CVE-2023-33246)
HashiCorp Consul
Hadoop YARN
Redis
PostgreSQL
SSH

The most commonly deployed DreamBus modules target PostgreSQL. Links to the current password lists used by DreamBus to brute force Redis, PostgreSQL, and SSH credentials are provided in the Appendix.

In this blog, we analyze the two exploit modules for Metabase and RocketMQ that were added recently.

Metabase Exploit Module (CVE-2023-38646)

Metabase is a popular business intelligence tool used to analyze and visualize data. The open source versions of Metabase 0.46.6.1 and earlier, as well as Metabase Enterprise 1.46.6.1 and earlier, are vulnerable to CVE-2023-38646, which was first documented in July 2023. The vulnerability allows an attacker to execute arbitrary commands on the server. The DreamBus exploit targeting the vulnerability is likely based on an open source proof-of-concept.

The first step is to scan for Metabase servers listening on port 3000 by sending the following HTTP request:

GET /api/session/properties HTTP/1.1
Host: 127.0.0.1:3000

The DreamBus module checks the response for the string metabase.D to identify whether the server is running Metabase. This string likely matches the name of the metabase.DEVICE cookie. If the string is found, DreamBus stages the exploit by writing the following content to the file /tmp/.json%s (where the %s format specifier is replaced with the IP address of the Metabase server).

[Hex dump of the staged exploit file, not reproduced]

DreamBus then executes the following bash command to send another request to the Metabase server to extract the setup token:

setup_token=$(curl -4fs %s:%d/api/session/properties