Security Experts:

Connect with us

Hi, what are you looking for?



WatchBog Crypto-Mining Botnet Relies on Pastebin for C&C

The WatchBog cryptocurrency-mining botnet is heavily reliant on the Pastebin website for command and control (C&C) operations, Cisco Talos’ security researchers reveal.

The WatchBog cryptocurrency-mining botnet is heavily reliant on the Pastebin website for command and control (C&C) operations, Cisco Talos’ security researchers reveal.

Active since last year, the botnet is focused on leveraging Linux-based systems to mine for the Monero virtual currency. In July, however, the malware was observed incorporating code to also scan for the BlueKeep Windows vulnerability.

The botnet mainly targets known vulnerabilities, such as Jenkins’ CVE-2018-1000861, Jira’s CVE-2019-11581, Exim’s CVE-2019-10149, and Solr’s CVE-2019-0192.

WatchBog’s operators apparently claimed to be providing a security service to identify vulnerabilities in enterprise systems “before any ‘real’ hackers could do so.” However, identified vulnerable hosts would then become part of the crypto-mining botnet, which “raises serious doubts about the ‘positive’ intentions of this adversary,” Talos notes.

At installation, the threat checks for the presence of other cryptocurrency miners on the system and attempts to terminate them. It then determines whether it can write to various directories, checks the system architecture, and then makes three attempts to download and install a dropper.

Additionally, the installation script retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, and then downloads the cryptocurrency miner. The script also checks if the ‘watchbog’ process is running and calls the ‘testa’ or ‘download’ function if it doesn’t.

Code associated with the ‘testa’ function is responsible for writing configuration data used by the mining software. The function declares three variables and also assigns base64-encoded data to each of them. The data is then decoded and written to various files.

The script downloads encoded Pastebins as a text file, gives it execution permissions and then starts the Watchbog process and deletes the text file.

The code in the ‘download’ function performs similar operations. It writes the contents retrieved from various file locations, determines the architecture of the system, installs the appropriate mining client, and executes it.

The WatchBog operators would leverage SSH to spread laterally, Talos also discovered. The script responsible for this operation retrieves the contents of the known_hosts file and attempts to SSH into those systems. It also checks for the existence of SSH keys as means of authentication into the target systems.

Open Jenkins and Redis ports on the host’s subnet were also targeted for lateral movement. The malware operators rely on cron jobs for persistence and were also observed attempting to cover their tracks by erasing or overwriting files and logs.

“Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the web server is deployed. […] The best way to prevent such activity would be to ensure that all enterprise web applications are up to date,” Talos notes.

Related: Crypto-Mining Botnet Implements BlueKeep Scanner

Related: Jenkins Vulnerability Exploited to Deliver ‘Kerberods’ Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.