Pierluigi Paganini September 13, 2019

A new cryptocurrency-mining botnet tracked as WatchBog is heavily using the Pastebin service for command and control (C&C) operations.

Cisco Talos researchers discovered a new cryptocurrency-mining botnet tracked as WatchBog is heavily using the Pastebin service for command and control.

The WatchBog bot is a Linux-based malware that is active since last year, it targets systems to mine for the Monero virtual currency.

“Cisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.” states the analysis published by Cisco Talos.

“This Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker’s intentions and abilities on a customer’s network by analyzing the various Pastebins.”

Recently, experts at Intezer researchers have spotted a strain of the Linux mining that also scans the Internet for Windows RDP servers vulnerable to the Bluekeep.

The new WatchBog variant includes a new spreader module along with exploits for the following recently patched vulnerabilities in Linux applications:

• CVE-2019-11581 (Jira)
• CVE-2019-10149 (Exim)
• CVE-2019-0192 (Solr)
• CVE-2018-1000861 (Jenkins)
• CVE-2019-7238 (Nexus Repository Manager 3)

The malware also includes scanners for Jira and Solr flaws along with Brute-forcing module for CouchDB and Redis installs.

The operators behind the WatchBog botnet claim to be able to identify vulnerabilities in enterprise systems “before any ‘real’ hackers could do so,” and offer their protection services. However, every time the operators identify vulnerable hosts, the systems are recruited in the crypto-mining botnet,

“During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the “positive” intentions of this adversary.” continues Talos.

During the installation phase, the bot checks for running processes associated with other cryptocurrency miners, then it will use a script to terminate them.

Then determines whether it can write to various directories, checks the system architecture, and then makes three attempts to download and install a ‘kerberods’ dropper using wget or curl. .

The installation script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, then it downloads the miner. The script also checks if the ‘watchbog‘ process is running, if it is not founb, the ‘testa‘ or ‘download’ functions are called to install the version of the miner that match the target architecture.

The ‘testa‘ function is used to facilitate the infection process, is responsible for writing the various configuration data used by the miner.

The script downloads encoded Pastebins as a text file and gives it execution permissions. The script finally starts the Watchbog process and deletes the text file.

The ‘download’ function performs similar operations by writing the contents retrieved from various file locations, once determined the target architecture it installs the appropriate miner.

The WatchBog uses SSH for lateral movements, a specific script also checks for the existence of SSH keys into the target systems in the attempt to use it while targeting other systems.

Talos researchers also noticed that threat actors leverage a Python script that scans for open Jenkins and Redis ports on the host’s subnet for lateral movement. Attackers also rely on cron jobs to achieve persistence and attempt to cover their tracks by erasing or overwriting files and logs.

“Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the web server is deployed.” concludes the report. “The best way to prevent such activity would be to ensure that all enterprise web applications are up to date,” Talos notes.

Pierluigi Paganini

(SecurityAffairs – WatchBog, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]