Security Experts:

Connect with us

Hi, what are you looking for?



WatchBog Crypto-Mining Botnet Relies on Pastebin for C&C

The WatchBog cryptocurrency-mining botnet is heavily reliant on the Pastebin website for command and control (C&C) operations, Cisco Talos’ security researchers reveal.

The WatchBog cryptocurrency-mining botnet is heavily reliant on the Pastebin website for command and control (C&C) operations, Cisco Talos’ security researchers reveal.

Active since last year, the botnet is focused on leveraging Linux-based systems to mine for the Monero virtual currency. In July, however, the malware was observed incorporating code to also scan for the BlueKeep Windows vulnerability.

The botnet mainly targets known vulnerabilities, such as Jenkins’ CVE-2018-1000861, Jira’s CVE-2019-11581, Exim’s CVE-2019-10149, and Solr’s CVE-2019-0192.

WatchBog’s operators apparently claimed to be providing a security service to identify vulnerabilities in enterprise systems “before any ‘real’ hackers could do so.” However, identified vulnerable hosts would then become part of the crypto-mining botnet, which “raises serious doubts about the ‘positive’ intentions of this adversary,” Talos notes.

At installation, the threat checks for the presence of other cryptocurrency miners on the system and attempts to terminate them. It then determines whether it can write to various directories, checks the system architecture, and then makes three attempts to download and install a dropper.

Additionally, the installation script retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, and then downloads the cryptocurrency miner. The script also checks if the ‘watchbog’ process is running and calls the ‘testa’ or ‘download’ function if it doesn’t.

Code associated with the ‘testa’ function is responsible for writing configuration data used by the mining software. The function declares three variables and also assigns base64-encoded data to each of them. The data is then decoded and written to various files.

The script downloads encoded Pastebins as a text file, gives it execution permissions and then starts the Watchbog process and deletes the text file.

The code in the ‘download’ function performs similar operations. It writes the contents retrieved from various file locations, determines the architecture of the system, installs the appropriate mining client, and executes it.

The WatchBog operators would leverage SSH to spread laterally, Talos also discovered. The script responsible for this operation retrieves the contents of the known_hosts file and attempts to SSH into those systems. It also checks for the existence of SSH keys as means of authentication into the target systems.

Open Jenkins and Redis ports on the host’s subnet were also targeted for lateral movement. The malware operators rely on cron jobs for persistence and were also observed attempting to cover their tracks by erasing or overwriting files and logs.

“Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the web server is deployed. […] The best way to prevent such activity would be to ensure that all enterprise web applications are up to date,” Talos notes.

Related: Crypto-Mining Botnet Implements BlueKeep Scanner

Related: Jenkins Vulnerability Exploited to Deliver ‘Kerberods’ Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...