Researchers at Intezer have discovered a new variant of WatchBog, a Linux-based cryptocurrency-mining botnet, that also includes a module to scan the Internet for Windows RDP servers vulnerable to the BlueKeep vulnerability (CVE-2019-0708).
“We have discovered a new version of WatchBog—a cryptocurrency-mining botnet operational since late 2018—that we suspect has compromised more than 4,500 Linux machines in newer campaigns taking place since early June.” reads a blog post published by Intezer.
“Among the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that
As explained by Microsoft, this vulnerability could be exploited by malware with
The new variant currently goes undetected by most antivirus engines. The addition of the BlueKeep scanner suggests that the operators intend to extend their mining operation to Windows platforms as well.
The BlueKeep scanner implemented in WatchBog scans the Internet for vulnerable RDP servers and submits an RC4-encrypted list of the hosts it finds to servers controlled by the operators. The article describes a scanning-and-reporting module only; it does not describe any BlueKeep exploitation capability in this variant.
The malware also includes exploit modules for Jira and Solr flaws, along with a brute-forcing module for CouchDB and Redis installations.
“Once a vulnerable service for which an exploit module exists is discovered, the binary spreads itself by invoking the right exploit and installing a malicious bash script hosted on Pastebin.” continues the analysis.
“We were able to find an early test version of the spreader module uploaded to
Once a vulnerable system is discovered, WatchBog deploys a script on the targeted machine that downloads and executes a Monero miner from Pastebin.
The script gains persistence
Intezer experts recommend keeping software up to date. Linux administrators can check for the presence of WatchBog by looking for the “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/
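A small host-triage script that turns the indicator above into a repeatable check, as an added example that is not Intezer's or the article's own code. The indicator path is the one quoted in the article; the second check, looking for crontab entries that fetch from pastebin.com, is an assumption of this example based only on the article's statement that the dropper and the miner are hosted on Pastebin, not a documented WatchBog persistence mechanism.

```shell
#!/bin/sh
# Added triage example (not Intezer's or the article's code).
# The indicator path is the one quoted in the article; the Pastebin-in-cron
# heuristic is an assumption of this example, based only on the article's
# statement that the dropper and miner are hosted on Pastebin.

WATCHBOG_IOC="/tmp/.tmplassstgggzzzqpppppp12233333"

# watchbog_check [ROOT]
# Inspects the filesystem under ROOT (default "/"; a different ROOT lets you
# check a mounted disk image or a test tree). Prints each finding and returns:
#   0  nothing found
#   1  the WatchBog indicator file exists
#   2  no indicator file, but a crontab pulls something from pastebin.com
watchbog_check() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so "$root$path" stays absolute
    found=0

    if [ -e "$root$WATCHBOG_IOC" ]; then
        echo "indicator file present: $root$WATCHBOG_IOC"
        found=1
    fi

    # Assumed heuristic: look at the usual crontab locations for a fetch from
    # pastebin.com. Unmatched globs stay literal and simply fail the -f test.
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/*/*; do
        [ -f "$f" ] || continue
        if grep -qi 'pastebin\.com' "$f"; then
            echo "crontab references Pastebin: $f"
            if [ "$found" -eq 0 ]; then
                found=2
            fi
        fi
    done

    return "$found"
}
```

Source the file and run `watchbog_check /` as root on a live host, or point it at the mount point of a forensic image; the exit status is meant to be consumed by a fleet-wide job. Treat a clean result as "these two indicators are absent", not as proof the host is uninfected, since a file name is trivial for an operator to change.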