VERY IMPORTANT

Zscaler’s ThreatLabz research team has been tracking the Linux-based malware family known as DreamBus. Not much has changed in the last few years other than minor bug fixes, and slight modifications to evade detection from security software. However, in the last 6 months, the threat actor operating DreamBus has introduced two new modules to target vulnerabilities in Metabase and Apache RocketMQ. This is likely in response to a decrease in new infections stemming from exploits utilized by DreamBus, many of which are dated and have been in use for several years. DreamBus also continues to use techniques that exploit implicit trust and weak passwords including Secure Shell (SSH), IT administration tools, cloud-based applications, and databases. The primary monetization vector for DreamBus infections is still through mining Monero cryptocurrency.