DreamBus is a modular, Linux-based botnet dating back to early 2019 whose worm-like behavior lets it spread across the internet as well as internal networks.
DreamBus uses a combination of implicit trust, application-specific exploits, and weak passwords to gain access to systems such as databases, cloud-based applications, and IT administration tools.
Infected systems are monetized by mining Monero cryptocurrency using XMRig.
In June 2023, the DreamBus malware author changed the code to further evade detection.
The threat actor developed two new exploit modules that target vulnerabilities in Metabase (CVE-2023-38646) and Apache RocketMQ (CVE-2023-33246).