New cryptocurrency-mining botnets target Linux

Two new botnets, DreamBus and FreakOut, have appeared and are disrupting the Linux ecosystem. DreamBus in particular behaves like a worm: it is reported to self-propagate not only across internal networks but also over the Internet, and it is equipped with several distinct features for doing so.

According to an analysis by security firm Zscaler, DreamBus is modular malware that primarily targets hardware with powerful CPUs and large amounts of memory. It aims to build high-performance bots out of Linux systems, and its goal is to plant XMRig, a program that mines the Monero cryptocurrency, on them. "For now it stops at planting the mining code, but the botnet operators could later plant ransomware instead," Zscaler warns.

DreamBus can run arbitrary modules and execute arbitrary commands on the remote device for whatever purpose the operator chooses, so its versatility is very high. On top of that, it is fitted with a range of self-propagation techniques, which is why Zscaler estimates the number of infected devices at tens of thousands worldwide.

According to Zscaler's study, DreamBus scans the RFC 1918 private address ranges to find Linux systems to compromise, so that it can infect systems that are not directly connected to the Internet.

It then attempts a brute-force attack through a module that tries weak credentials. It also achieves remote code execution over SSH or through cloud-based applications, specifically targeting Apache Spark, SaltStack, Hadoop YARN and HashiCorp Consul.

The core component of DreamBus is a binary in ELF format, distributed via SSH or HTTP download. The botnet's C&C infrastructure is hosted on the Tor network. Zscaler writes that, judging from several findings, the botnet operators most likely reside in Russia or Eastern Europe.

The problem is that there is no single initial-intrusion path: the device-compromise functionality is spread across several modules.

In some cases it gets in through weak passwords; in others it finds and infiltrates applications that require no authentication, and it can also disable authentication on routers. This makes it very hard to defend against.

Another harmful feature of DreamBus is its ability to maximize the number of infected machines by moving laterally within networks that are not connected to the public Internet. Internal networks behind a firewall are often poorly secured, so once malicious activity has passed the firewall it is relatively easy to carry out. As soon as DreamBus triggers its worm feature, the inside of the network can be taken over in no time.
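The RFC 1918 scanning and weak-password brute forcing described above leave a clear trace in sshd logs on the hosts being probed. The following added example is not from the article or from either vendor's research: it flags private-range sources with repeated failed SSH logins and notes whether a password login from the same source later succeeded. The log lines are constructed, and the threshold of five failures is an arbitrary assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sshd log lines (not from the article): one host inside the
# RFC 1918 space hammers root/admin logins, as a worm spreading internally would.
SAMPLE_AUTH_LOG = """\
Jan 20 10:01:02 web01 sshd[2201]: Failed password for root from 10.0.3.17 port 51044 ssh2
Jan 20 10:01:03 web01 sshd[2203]: Failed password for root from 10.0.3.17 port 51046 ssh2
Jan 20 10:01:04 web01 sshd[2205]: Failed password for invalid user admin from 10.0.3.17 port 51048 ssh2
Jan 20 10:01:05 web01 sshd[2207]: Failed password for invalid user test from 10.0.3.17 port 51050 ssh2
Jan 20 10:01:06 web01 sshd[2209]: Failed password for root from 10.0.3.17 port 51052 ssh2
Jan 20 10:01:09 web01 sshd[2211]: Accepted password for root from 10.0.3.17 port 51054 ssh2
Jan 20 10:05:00 web01 sshd[2300]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Jan 20 10:30:00 web01 sshd[2400]: Accepted publickey for alice from 10.0.5.2 port 40010 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")

# The three RFC 1918 private ranges the article says DreamBus scans.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def find_internal_bruteforce(log: str, threshold: int = 5) -> dict:
    """Return {source_ip: {"failures": n, "users": [...], "then_accepted": bool}}
    for RFC 1918 sources with at least `threshold` failed SSH password logins.
    A password login accepted from the same source after the failures is the
    strongest sign that a weak credential has fallen."""
    failures = defaultdict(list)   # source ip -> usernames tried
    accepted = set()               # sources that later got a password login through
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m and is_rfc1918(m.group(2)):
            failures[m.group(2)].append(m.group(1))
            continue
        m = ACCEPT_RE.search(line)
        if m and m.group(2) in failures:
            accepted.add(m.group(2))
    return {
        src: {"failures": len(users), "users": sorted(set(users)), "then_accepted": src in accepted}
        for src, users in failures.items()
        if len(users) >= threshold
    }
```

Public-range sources such as 203.0.113.9 are deliberately ignored here so that the output points only at lateral movement already inside the perimeter; a separate rule should cover Internet-facing brute force.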

Meanwhile, security company Check Point this week uncovered and disclosed a botnet called FreakOut. It is said to primarily attack devices running vulnerable versions of the TerraMaster OS. By system type, its main targets are network-attached storage servers, mobile applications, utilities built on the Zend Framework, and the Liferay Portal CMS.

FreakOut breaks into systems by exploiting several vulnerabilities:

1) CVE-2020-28188: Command injection vulnerability (TerraMaster TOS)

2) CVE-2020-7961: Insecure deserialization vulnerability (Liferay Portal)

3) CVE-2021-3007: Remote code execution vulnerability (Zend Framework)

Check Point explains that the FreakOut botnet is mostly used for DDoS attacks and cryptocurrency mining. Security researcher Adi Ikan says the FreakOut botnet currently controls more than 185 servers. With hundreds of FreakOut attack attempts a day, this figure is expected to rise quickly. The damage is concentrated in the United States, Germany and the Netherlands.

Indeed, FreakOut's number of victims could rise exponentially in the future: a simple Internet search already turns up more than 9000 servers carrying the vulnerabilities above.