
WatchBog

Posted: September 16, 2019

WatchBog is a cryptocurrency-mining Trojan that propagates through software vulnerabilities and associated tactics. The WatchBog botnet includes both Windows and Linux support and may abuse system resources for creating currency for the attacker automatically. Users should update all software as a preventative step and have anti-malware products ready for removing WatchBog once it's detected.

A Brutal Mistake in Hiring Network Services

A threat actor is making money by hiring out its services as a security-probing test for concerned enterprise-level companies. The criminals do make use of software vulnerabilities, just as they claim, but they also exploit the advantageous position this gives them to run WatchBog. This Trojan delivers both network-compromising and cryptocurrency-mining features, thereby converting their customers' servers into raw money.

Although malware experts are confirming WatchBog's long-term activity since 2018, newer updates to the Trojan broaden its system compatibilities. Previously, it only was active on Linux, but new versions include Windows compatibility, enabled with the help of BlueKeep (CVE-2019-0708), an RDP protocol vulnerability. Through it and other weaknesses like CVE-2019-0192 and CVE-2019-11581, the Trojan travels laterally throughout entire networks, recruiting new systems as it goes.

WatchBog, like many cryptocurrency-miners, prefers Monero and uses a Pastebin infrastructure for some of its mining config values. In the past, malware experts also took notice of similar Pastebin exploitations in campaigns for Godlua, RevengeRAT, and even the Hidden Tear spinoff of the KratosCrypt Ransomware. Offloading the C&C work to another service limits the threat actor's investment and, also, can help with concealing the unsafe activity from network monitoring services.

Watching Out for WatchBog's Infection Efforts

Businesses with the funding to earn the 'enterprise' label shouldn't require any forewarning about the risks of running out-of-date software. Outdated Web applications and other programs are at risk from attacks like those of WatchBog, both via social engineering tactics and by automated methods like port scanners. Always install patches for your applications as they're available. BlueKeep affects Windows 2000 up to Windows Server 2008, along with Windows 7, but is patchable.

Some cryptocurrency-miners can cause noticeable performance problems, including, in the extremes, hardware overheating. However, a threat actor also may prefer low-maintenance mining operations that don't disrupt the user's experience. Even system error logs are an uncertain means of identifying WatchBog; its threat actor has a history of wiping or editing this system information to remove evidence.

Updated anti-malware services should find and remove WatchBog as a threat, like all cryptocurrency-mining Trojans, regardless of the environment. In the meantime, victims should monitor for unusual network activity, especially open Jenkins and Redis ports.
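One defender-side check that follows from two points in this article, the Pastebin-hosted mining configuration and the advice to watch for exposed Jenkins and Redis ports, written here as an added example rather than code from the original page: it scans constructed proxy log lines for outbound fetches of raw Pastebin content and flags constructed socket-listing lines where Redis (6379) or Jenkins (8080) listens on a non-loopback address. The log format, client addresses, paste IDs and the 6379/8080 port mapping are assumptions.

```python
import re

# Constructed Squid-style access log lines: timestamp, client, status, method, URL.
PROXY_LOG = """\
1568600001.123 10.0.0.15 TCP_MISS/200 GET http://pastebin.com/raw/AAAA1111
1568600002.456 10.0.0.22 TCP_MISS/200 GET https://www.example.org/index.html
1568600003.789 10.0.0.15 TCP_MISS/200 GET https://pastebin.com/raw/BBBB2222
1568600004.000 10.0.0.40 TCP_MISS/200 GET https://pastebin.com/
"""

# Constructed `ss -ltn`-style listing: local address:port of listening sockets.
LISTENERS = """\
127.0.0.1:22
0.0.0.0:6379
0.0.0.0:8080
127.0.0.1:3306
"""

# A miner pulling its config from Pastebin fetches the raw paste endpoint;
# an interactive visit to the site's front page is not matched.
RAW_PASTE = re.compile(r"https?://(?:www\.)?pastebin\.com/raw/(\w+)")
# Default ports for the two services the article tells defenders to watch (assumed).
WATCHED_PORTS = {6379: "redis", 8080: "jenkins"}

def pastebin_raw_fetches(log_text):
    """Return {client_ip: [paste_ids]} for every raw Pastebin fetch in the log."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip it rather than crash
        client, url = parts[1], parts[4]
        m = RAW_PASTE.search(url)
        if m:
            hits.setdefault(client, []).append(m.group(1))
    return hits

def exposed_watched_ports(listener_text):
    """Return {port: service} for watched ports bound to a non-loopback address."""
    exposed = {}
    for line in listener_text.splitlines():
        addr, _, port = line.rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        loopback = addr.startswith("127.") or addr == "[::1]"
        if port in WATCHED_PORTS and not loopback:
            exposed[port] = WATCHED_PORTS[port]
    return exposed
```

Run against real proxy and `ss` output, a host that both fetches raw pastes and exposes Redis or Jenkins is a strong candidate for closer inspection.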

WatchBog is a straightforward con that uses a believable excuse for working its way into a system before opening the door wide for revenue generation. Forgetting a patch, or depending on a poorly-vetted company to check your version control for you, is a fast track to being someone else's Monero piggy bank.
