Cisco Talos researchers discovered a new
The WatchBog bot is a Linux-based malware that
“Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog
“This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker’s intentions and abilities on a customer’s network by analyzing the various Pastebins.”
The new WatchBog variant includes a new spreader module along with exploits for the following recently patched vulnerabilities in Linux applications:
The malware also includes scanners for Jira and Solr flaws along with Brute-forcing module for CouchDB and Redis installs.
The operators behind the WatchBog
“During the investigation, Cisco IR found signs of hosts becoming a part of a separate
During the installation phase, the bot checks for running processes associated with other
Then determines whether it can write to various directories, checks the system architecture, and then makes three attempts to download and install a ‘kerberods’ dropper using wget or curl. .
The installation script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, then it downloads the miner. The script also checks if the ‘
The script downloads encoded Pastebins as a text file and gives it execution permissions. The script finally
The ‘download’ function performs similar operations by writing the contents retrieved from various file locations, once determined the target architecture it installs the appropriate miner.
The WatchBog uses SSH for lateral movements, a specific script also checks for the existence of SSH keys into the target systems in the attempt to use it while targeting other systems.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.