WatchDog botnet targets Windows and Linux servers in cryptomining campaign

Pierluigi Paganini February 18, 2021

PaloAlto Network warns of the WatchDog botnet that uses exploits to take over Windows and Linux servers and mine cryptocurrency.

Security researchers at Palo Alto Networks uncovered a cryptojacking botnet, tracked as WatchDog, that is targeting Windows and Linux systems.

WatchDog is one of the largest and longest-lasting Monero cryptojacking operations uncovered by security experts, its name comes from the name of a Linux daemon called watchdogd. The WatchDog botnet has been active at least since Jan. 27, 2019 and already mined at least 209 Monero (XMR), valued to be around $32,056 USD.

Palo Alto experts determined that at least 476 systems were compromised by the botnet, mainly Windows and NIX cloud instances, which were involved in mining operations.

The botnet is written in the Go programming language, it is the work of skilled coders.

The bot targets outdated enterprise apps using 33 different exploits to exploit 32 vulnerabilities. Below the list of exploits used by the bot:

  • CCTV exploit
    • It is currently unknown if the target is a CCTV appliance or if there is another moniker “cctv” could stand for.
  • Drupal
    • Versions 7 and 8.
  • Elasticsearch
    • CVE-2015-1427 (Elasticsearch sandbox evasion – version before 1.3.8 and 1.4.x before 1.4.3)
    • CVE-2014-3120 (Elasticsearch before 1.2)
  • Apache Hadoop
  • PowerShell
    • Encoded command-line operations.
  • Redis
  • Spring Data Commons
    • CVE-2018-1273, versions prior to 1.13-1.13.10, 2.0-2.0.5
  • SQL Server
  • ThinkPHP
    • Versions 5.x, 5.10, 5.0.23
  • Oracle WebLogic Server
    • CVE-2017-10271 – versions,, and

The analysis of the config.json files allowed the experts to identify three XMR wallet addresses:

  • 43zqYTWj1JG1H1idZFQWwJZLTos3hbJ5iR3tJpEtwEi43UBbzPeaQxCRysdjYTtdc8aHao7csiWa5BTP9PfNYzyfSbbrwoR
  • 82etS8QzVhqdiL6LMbb85BdEC3KgJeRGT3X1F3DQBnJa2tzgBJ54bn4aNDjuWDtpygBsRqcfGRK4gbbw3xUy3oJv7TwpUG4
  • 87q6aU1M9xmQ5p3wh8Jzst5mcFfDzKEuuDjV6u7Q7UDnAXJR7FLeQH2UYFzhQatde2WHuZ9LbxRsf3PGA8gpnGXL3G7iWMv

The above XMR wallets addresses are used with at least three public mining pools and one private mining pool to process mining operations.

Maltego chart of the WatchDog miner operation (Palo Alto Networks)

“It is clear that the WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding their mining operations. While there is currently no indication of additional cloud compromising activity at present (i.e. the capturing of cloud platform IAM credentials, access ID, or keys), there could be potential for further cloud account compromise. It is highly likely these actors could find IAM-related information on the cloud systems they have already compromised, due to the root and administrative access acquired during the implantation of their cryptojacking software.” concludes Palo Alto.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment