Cisco Talos researchers discovered a new
The WatchBog bot is a Linux-based malware that
“Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog
“This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker’s intentions and abilities on a customer’s network by analyzing the various Pastebins.”
The new WatchBog variant includes a new spreader module along with exploits for the following recently patched vulnerabilities in Linux applications:
The malware also includes scanners for Jira and Solr flaws along with Brute-forcing module for CouchDB and Redis installs.
The operators behind the WatchBog
“During the investigation, Cisco IR found signs of hosts becoming a part of a separate
During the installation phase, the bot checks for running processes associated with other
Then determines whether it can write to various directories, checks the system architecture, and then makes three attempts to download and install a ‘kerberods’ dropper using wget or curl. .
The installation script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, then it downloads the miner. The script also checks if the ‘
The script downloads encoded Pastebins as a text file and gives it execution permissions. The script finally
The ‘download’ function performs similar operations by writing the contents retrieved from various file locations, once determined the target architecture it installs the appropriate miner.
The WatchBog uses SSH for lateral movements, a specific script also checks for the existence of SSH keys into the target systems in the attempt to use it while targeting other systems.