The WatchBog cryptocurrency-mining botnet is heavily reliant on the Pastebin website for command and control (C&C) operations, Cisco Talos’ security researchers reveal.
Active since last year, the botnet is focused on leveraging Linux-based systems to mine for the Monero virtual currency. In July, however, the malware was observed incorporating code to also scan for the BlueKeep Windows vulnerability.
WatchBog’s operators apparently claimed to be providing a security service to identify vulnerabilities in enterprise systems “before any ‘real’ hackers could do so.” However, identified vulnerable hosts would then become part of the crypto-mining botnet, which “raises serious doubts about the ‘positive’ intentions of this adversary,” Talos notes.
At installation, the threat checks for the presence of other cryptocurrency miners on the system and attempts to terminate them. It then determines whether it can write to various directories, checks the system architecture, and then makes three attempts to download and install a dropper.
Additionally, the installation script retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, and then downloads the cryptocurrency miner. The script also checks if the ‘watchbog’ process is running and calls the ‘testa’ or ‘download’ function if it doesn’t.
Code associated with the ‘testa’ function is responsible for writing configuration data used by the mining software. The function declares three variables and also assigns base64-encoded data to each of them. The data is then decoded and written to various files.
The script downloads encoded Pastebins as a text file, gives it execution permissions and then starts the Watchbog process and deletes the text file.
The code in the ‘download’ function performs similar operations. It writes the contents retrieved from various file locations, determines the architecture of the system, installs the appropriate mining client, and executes it.
The WatchBog operators would leverage SSH to spread laterally, Talos also discovered. The script responsible for this operation retrieves the contents of the known_hosts file and attempts to SSH into those systems. It also checks for the existence of SSH keys as means of authentication into the target systems.
Open Jenkins and Redis ports on the host’s subnet were also targeted for lateral movement. The malware operators rely on cron jobs for persistence and were also observed attempting to cover their tracks by erasing or overwriting files and logs.
“Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the web server is deployed. […] The best way to prevent such activity would be to ensure that all enterprise web applications are up to date,” Talos notes.