DreamBus is a botnet active since at least 2020, known to be quite adept at exploiting vulnerabilities and misconfigurations in multiple applications in order to gain initial access to publicly exposed Linux servers. Its preferred targets include PostgreSQL, HashiCorp Consul, RocketMQ, Hadoop, Redis, and other popular software. The operators behind this activity appear to be financially motivated, as infections result in cryptojacking (hijacking the infected workload for illicit cryptomining).
DreamBus displays characteristics akin to a worm, and possesses the capability to infiltrate systems that aren't directly exposed to the internet by scanning private RFC 1918 subnet ranges, seeking out vulnerabilities.
DreamBus relies on a blend of implicit trust, specific application exploits, and weak passwords to breach systems like databases, cloud-based applications, and various IT administration tools.
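One defensive check this behaviour suggests is flagging an internal host that fans out to many distinct RFC 1918 addresses on the service ports named above. The example below is added here and is not from the original write-up; the flow record format is constructed, and the port-to-service mapping assumes the services' standard default ports, which the write-up does not list.

```python
import ipaddress
from collections import defaultdict

# Default listener ports of the services the write-up names as DreamBus targets
# (assumed standard defaults, not taken from the write-up).
WATCHED_PORTS = {5432: "postgresql", 8500: "consul", 9876: "rocketmq",
                 8088: "hadoop-yarn", 6379: "redis"}

# RFC 1918 private ranges that the worm-like stage sweeps.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_flow(line):
    """Parse a constructed 'src dst dport' flow record; return (src, dst, dport) or None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return parts[0], parts[1], int(parts[2])
    except ValueError:
        return None

def find_internal_sweeps(lines, min_targets=8):
    """Return {src: sorted distinct (dst, service)} for sources that touched at least
    min_targets distinct private hosts on watched ports: a sweep, not normal client traffic."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport in WATCHED_PORTS and is_rfc1918(dst):
            hits[src].add((dst, WATCHED_PORTS[dport]))
    return {src: sorted(t) for src, t in hits.items()
            if len({dst for dst, _ in t}) >= min_targets}

# Constructed sample: one host sweeping 10.0.1.0/24 for Redis and PostgreSQL,
# plus an ordinary app server talking only to its own database and a resolver.
SAMPLE = [f"10.0.5.20 10.0.1.{h} 6379" for h in range(1, 11)] + \
         [f"10.0.5.20 10.0.1.{h} 5432" for h in range(1, 6)] + \
         ["10.0.7.3 10.0.1.50 5432", "10.0.7.3 10.0.1.50 5432", "10.0.7.3 8.8.8.8 53"]

if __name__ == "__main__":
    for src, targets in find_internal_sweeps(SAMPLE).items():
        print(f"{src} touched {len(targets)} private service endpoints, e.g. {targets[:3]}")
```

The threshold is deliberately per-distinct-destination rather than per-connection, so a busy application server hitting one database thousands of times is not flagged while a single host probing a /24 is.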
Currently, the botnet monetizes infections by using compromised systems to mine Monero cryptocurrency with XMRig.
The threat actor behind DreamBus appears to be based in Russia or Eastern Europe, an inference drawn from the timing of new command deployments.