Pierluigi Paganini July 25, 2019

Experts at Intezer researchers have spotted a strain of the Linux mining that also scans the Internet for Windows RDP servers vulnerable to the Bluekeep.

Researchers at Intezer have discovered a new variant of WatchBog, a Linux-based cryptocurrency mining botnet, that also includes a module to scan the Internet for Windows RDP servers vulnerable to the Bluekeep vulnerability (CVE-2019-0708).

“We have discovered a new version of WatchBog—a cryptocurrency-mining botnet operational since late 2018—that we suspect has compromised more than 4,500 Linux machines in newer campaigns taking place since early June.” reads a blog post published by Intezer.

“Among the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third party vendors for profit.”

The vulnerability, tracked as CVE-2019-0708, impacts the Windows Remote Desktop Services (RDS) and was addressed by Microsoft with May 2019 Patch Tuesday updates.

As explained by Microsoft, this vulnerability could be exploited by malware with wormable capabilities, it could be exploited without user interaction, making it possible for malware to spread in an uncontrolled way into the target networks.

In May, Internet scans found nearly one million systems vulnerable to the BlueKeep flaw.

The new variant of the malware is currently undetected by most of the antivirus firms, the incorporation of the BlueKeep scanner suggests that operators would explore financial opportunities on Windows platforms too.

The BlueKeep scanner implemented in the WatchBog scans the Internet for vulnerable systems and submits the RC$-encrypted list of RDP hosts, to servers controlled by its operators.

The new WatchBog variant, actively distributed since June. has already infected more than 4,500 Linux machines.

The new WatchBog variant includes a new spreader module along with exploits for the following recently patched vulnerabilities in Linux applications:

• CVE-2019-11581 (Jira)
• CVE-2019-10149 (Exim)
• CVE-2019-0192 (Solr)
• CVE-2018-1000861 (Jenkins)
• CVE-2019-7238 (Nexus Repository Manager 3)

The malware also includes scanners for Jira and Solr flaws along with Brute-forcing module for CouchDB and Redis installs.

“Once a vulnerable service is discovered to which exists an exploit module, the binary spreads itself by invoking the right exploit and installing a malicious bash script hosted on Pastebin.” continues the analysis.

“We were able to find an early test version of the spreader module uploaded to HybridAnalysis, including an exploit to Solr CVE-2019-0192, an exploit to ActiveMQ CVE-2016-3088, and a module utilizing a technique to gain code execution over cracked Redis instances”

Once discovered a vulnerable system, the WatchBog deploys a script on the targeted machine to download and execute a Monero miner from Pastebin.

The script gains persistence on the target system via crontab and downloads a new spreader module in the form of a dynamically linked Cython-compiled ELF executable. Experts pointed out that Python malware can become harder to analyze if it is deployed natively with engines such as Cython.

Intezer experts recommend updating software to its latest version, Linux users can check for the presence of WatchBog by verifying the existence of the “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file.

Pierluigi Paganini

(SecurityAffairs – WatchBog, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]