Botnet Targeting Windows, Linux Servers For Two Years

    The WatchDog botnet has been performing cryptojacking for almost 2 years, taking over Windows and Linux servers.

    Daemon — WatchDog:

    A botnet is a number of Internet-connected devices, each of which is running one or more bots.

    In addition, botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.

    Recently, amid the increase in cryptocurrency trading, Unit 42 discovered a botnet operation named WatchDog.

    Unfortunately, researchers also found that the operation has been active since January 2019.

    WatchDog Functionality

    The operation consists of a three-part Go binary set and a bash or PowerShell script file.

    Firstly, each binary performs a specific function; one of them emulates the Linux watchdog daemon by ensuring that the mining process does not hang, overload or terminate unexpectedly.

    Secondly, a Go binary downloads a configurable list of IP address net ranges and then carries out targeted exploitation of the NIX or Windows systems identified during the scanning operation.

    Finally, the third Go binary initiates a mining operation on either Windows or NIX operating systems (OS), using custom configurations from the bash or PowerShell script that launched it.

    In short, researchers say “they’ve seen WatchDog infect both Windows and Linux systems.”
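    A defender-side check that normalizes indicators written in the report's defanged notation and matches them against proxy logs, added here as an example and not part of the original article or Unit 42's tooling. The hosts and log lines are constructed placeholders; only the component file names (sysguard, sysupdate, update.sh, config.json) are taken from the report's download URLs.

```python
import re

# IoCs in the report's defanged notation ("hxxp://", "[.]"); hosts are constructed
# RFC 5737 placeholders, file names are those seen in the report's download URLs.
DEFANGED_IOCS = [
    "hxxp://192.0.2[.]10/cf67356/sysguard",
    "hxxp://192.0.2[.]10/cf67356/sysupdate",
    "hxxp://192.0.2[.]10/cf67356/update.sh",
    "hxxps://example-c2[.]invalid/api/config.json",
]

# Constructed proxy log lines: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1613600000 10.0.0.5 GET http://192.0.2.10/cf67356/sysguard 200
1613600001 10.0.0.7 GET https://www.example.com/index.html 200
1613600002 10.0.0.9 GET http://203.0.113.4/tmp/update.sh 200
1613600003 10.0.0.5 GET http://192.0.2.10/cf67356/config.json 200
"""

def refang(ioc):
    """Undo the report's defanging: hxxp(s) -> http(s), [.] -> '.'."""
    return re.sub(r"^hxxp", "http", ioc).replace("[.]", ".")
def split_url(url):
    """Return (host-with-port, path) for an http(s) URL, else None."""
    m = re.match(r"^https?://([^/]+)(/.*)?$", url)
    return (m.group(1), m.group(2) or "/") if m else None
def build_matcher(defanged):
    """Known hosts (high confidence) and component file names (weak signal)."""
    hosts, names = set(), set()
    for ioc in defanged:
        host, path = split_url(refang(ioc))
        hosts.add(host)
        names.add(path.rsplit("/", 1)[-1])
    return hosts, names

def scan_log(log_text, defanged):
    """Flag requests to a known IoC host, or for a component file name anywhere."""
    hosts, names = build_matcher(defanged)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        parsed = split_url(parts[3]) if len(parts) >= 5 else None
        if parsed is None:
            continue
        host, fname = parsed[0], parsed[1].rsplit("/", 1)[-1]
        reason = ("known-host" if host in hosts
                  else "component-name" if fname in names else None)
        if reason:  # generic names like update.sh will false-positive: triage leads
            hits.append({"ts": parts[0], "client": parts[1],
                         "url": parts[3], "reason": reason})
    return hits
```

    A known-host hit is worth an immediate host investigation; a component-name hit on an unknown host only narrows the triage queue, since names such as update.sh are common in benign traffic.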

    Affected Products:

    According to an analysis of the WatchDog botnet operations published on Wednesday, Unit 42 estimated the size of the botnet to be around 500 to 1,000 infected systems.

    Also, researchers said the botnet operators used 33 different exploits to target 32 vulnerabilities in software such as:

    • Drupal
    • Elasticsearch
    • Apache Hadoop
    • Redis
    • Spring Data Commons
    • SQL Server
    • ThinkPHP
    • Oracle WebLogic
    • CCTV (it is currently unknown whether the target is a CCTV appliance or whether the moniker "cctv" stands for something else).

    In addition, WatchDog usually runs with admin privileges and could perform a credential scan and dump without any difficulty, if its creators ever wished to.

    No Data Loss

    Importantly, researchers highlighted that WatchDog is not yet on par with recent crypto-mining botnets like TeamTNT and Rocke, which in recent months have added capabilities that allow them to extract credentials for AWS and Docker systems from infected servers, according to a ZDNet article.

    However, to protect systems against this new threat, the Unit 42 team warns that the old vulnerabilities it targets must be patched, since exploiting them is only a few keystrokes away for the WatchDog attackers.

    Indicators of Compromise

    February 18th, 2021 | Ransomware, Targeted Attacks

    About the Author:

    FirstHackersNews- Identifies Security