A new variant of the SystemdMiner threat dubbed DreamBus is impacting Linux servers around the globe to mine cryptocurrency.
Linux servers play an important role in cloud-based infrastructures. The operating system is widely used to host websites and platforms, since the cost of maintaining these servers and their licenses is lower than for Microsoft operating systems.
Recently, cybercriminals released a new variant of the SystemdMiner threat with fresh improvements and features. The DreamBus modules are poorly detected by security products and target enterprise-level applications running on Linux systems, including PostgreSQL, Redis, Hadoop, YARN, Apache Spark, HashiCorp Consul, SaltStack and the SSH service.
Packer modification to evade analysis
DreamBus starts its operation from an ELF binary (a Unix executable) responsible for setting up the environment, infecting other systems with copies of itself (worm capability), downloading new modules for spreading, and deploying XMRig to mine Monero cryptocurrency.
The malware is packed with UPX to hinder analysis and reduce its size. The UPX header magic, UPX! (0x21585055), is modified and replaced with the value 0x3330dddf to make the packer harder to identify.
Figure 1: UPX header modified – DreamBus.
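To triage a sample for the standard UPX marker and for the replacement value described above, here is an added Python example (not from the original article); it assumes 0x3330dddf is stored little-endian in the file, the same convention under which "UPX!" reads as 0x21585055, and the embedded sample is constructed, not a real binary.

```python
import struct
import sys

UPX_MAGIC = b"UPX!"                               # standard marker, 0x21585055 little-endian
MODIFIED_MAGIC = struct.pack("<I", 0x3330DDDF)    # replacement value reported for DreamBus (assumed LE)
ELF_MAGIC = b"\x7fELF"


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    offsets, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def scan_upx_markers(data: bytes) -> dict:
    """Classify a file by the UPX markers it carries."""
    result = {
        "is_elf": data.startswith(ELF_MAGIC),
        "upx_offsets": find_all(data, UPX_MAGIC),
        "modified_offsets": find_all(data, MODIFIED_MAGIC),
    }
    if result["upx_offsets"]:
        result["verdict"] = "upx"
    elif result["modified_offsets"]:
        result["verdict"] = "upx-modified-header"   # consistent with the DreamBus change
    else:
        result["verdict"] = "no-upx-marker"
    return result


def restore_upx_magic(data: bytes) -> bytes:
    """Rewrite the modified marker back to 'UPX!' so standard tooling can be tried on the sample."""
    return data.replace(MODIFIED_MAGIC, UPX_MAGIC)


# Constructed sample: a fake ELF header, padding, then two occurrences of the patched marker.
SAMPLE = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\x3e\x00"
          + b"\x00" * 220 + MODIFIED_MAGIC + b"\x00" * 32 + MODIFIED_MAGIC)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = scan_upx_markers(blob)
    print(f"elf={report['is_elf']} verdict={report['verdict']} "
          f"upx@{report['upx_offsets']} modified@{report['modified_offsets']}")
```

UPX validates more than the magic bytes, so restoring the marker is a first step for analysis and may not be enough if other header fields were altered; the marker scan itself is the reliable detection signal.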
How DreamBus works