WatchDog botnet performs cryptojacking for almost 2 years to take over windows and linux servers.
Daemon — WatchDog:
A botnet is a number of Internet-connected devices, each of which is running one or more bots.
In addition, botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.
Now, recently due to increase in cryptocurrency trading Unit42 discovered botnet operation named WatchDog.
Unfortunately, researchers also found that the operation has been active since January 2019.
WatchDog Functionality
The operation written in of a three-part Go Language binary set and a bash or PowerShell script file.
Firstly, The binaries perform specific functionality, one of which emulates the Linux watchdog daemon functionality by ensuring that the mining process does not hang, overload or terminate unexpectedly.
Secondly, Go binary downloads a configurable list of IP addresses net ranges before providing the functionality of targeted exploitation operations of identified NIX or Windows systems discovered during the scanning operation.
Finally, the third Go binary script will initiate a mining operation on either Windows or NIX operating systems (OS) using custom configurations from the initiated bash or PowerShell script.
In short, researchers say “they’ve seen WatchDog infect both Windows and Linux systems.”
Affected Products:
According to an analysis of the WatchDog botnet operations published on Wednesday, Unit 42 estimated the size of the botnet to be around 500 to 1,000 infected systems.
Also, researchers said the botnet operators used 33 different exploits to target 32 vulnerabilities in software such as:
- Drupal
- Elasticsearch
- Apache Hadoop
- Redis
- Spring Data Commons
- SQL Server
- ThinkPHP
- Oracle WebLogic
- CCTV (currently unknown if the target is a CCTV appliance or if there is another moniker “cctv” could stand for).
In addition, WatchDog usually runs with admin privileges and could perform a credentials scan & dump without any difficulty, if its creators ever wished to.
No Data Loss
Importantly, researchers highlighted that WatchDog is not yet on par with recent crypto-mining botnets like TeamTNT and Rocke.
Which in recent months have added capabilities that allow them to extract credentials for AWS and Docker systems from infected servers, according to ZDNet article.
However, to protect systems against this new threat Unit42 team warns to update old vulnerabilities which is only a few keystrokes away for the WatchDog attackers.
Indicators of Compromise
IP Addresses
| 39.100.33[.]209 |
| 45.153.240[.]58 |
| 45.9.148[.]37 |
| 93.115.23[.]117 |
| 95.182.122[.]199 |
| 106.15.74[.]113 |
| 107.173.159[.]206 |
| 146.71.79[.]230 |
| 185.181.10[.]234 |
| 185.232.65[.]124 |
| 185.232.65[.]191 |
| 185.232.65[.]192 |
| 185.247.117[.]64 |
| 198.98.57[.]187 |
| 199.19.226[.]117 |
| 204.44.105[.]168 |
| 205.209.152[.]78 |
| 208.109.11[.]21 |
Domains
| de.gengine[.]com.de |
| de.gsearch[.]com.de |
| global.bitmex[.]com.de |
| ipzse[.]com |
| py2web[.]store |
| sjjjv[.]xyz |
| us.gsearch[.]com.de |
URL Addresses
| hxxp://107.173.159[.]206:8880/tatavx1hym9z928m/bsh.sh |
| hxxp://107.173.159[.]206:8880/tatavx1hym9z928m/config.json |
| hxxp://107.173.159[.]206:8880/tatavx1hym9z928m/sysupdate |
| hxxp://107.173.159[.]206:8880/tatavx1hym9z928m/update.sh |
| hxxp://146.71.79[.]230/363A3EDC10A2930DVNICE/config.json |
| hxxp://146.71.79[.]230/363A3EDC10A2930DVNICE/networkservice |
| hxxp://146.71.79[.]230/363A3EDC10A2930DVNICE/sysguard |
| hxxp://146.71.79[.]230/363A3EDC10A2930DVNICE/sysupdate |
| hxxp://146.71.79[.]230/363A3EDC10A2930DVNICE/update.sh |
| hxxp://176.123.10[.]57/cf67356/config.json |
| hxxp://176.123.10[.]57/cf67356/networkmanager |
| hxxp://176.123.10[.]57/cf67356/newinit.sh |
| hxxp://176.123.10[.]57/cf67356/phpguard |
| hxxp://176.123.10[.]57/cf67356/zzh |
| hxxp://185.181.10[.]234/E5DB0E07C3D7BE80V520/config.json |
| hxxp://185.181.10[.]234/E5DB0E07C3D7BE80V520/networkservice |
| hxxp://185.181.10[.]234/E5DB0E07C3D7BE80V520/sysguard |
| hxxp://185.181.10[.]234/E5DB0E07C3D7BE80V520/sysupdate |
| hxxp://185.181.10[.]234/E5DB0E07C3D7BE80V520/update.sh |
| hxxp://185.232.65[.]124/update.sh |
| hxxp://185.232.65[.]191/cf67356/config.json |
| hxxp://185.232.65[.]191/cf67356/newinit.sh |
| hxxp://185.232.65[.]191/cf67356/zzh |
| hxxp://185.232.65[.]191/config.json |
| hxxp://185.232.65[.]191/trace |
| hxxp://185.232.65[.]191/update.sh |
| hxxp://185.232.65[.]192/cf67356/networkmanager |
| hxxp://185.232.65[.]192/cf67356/phpguard |
| hxxp://185.232.65[.]192/config.json |
| hxxp://185.232.65[.]192/trace |
| hxxp://185.247.117[.]64/cf67356/config.json |
| hxxp://185.247.117[.]64/cf67356/networkmanager |
| hxxp://185.247.117[.]64/cf67356/newdat.sh |
| hxxp://185.247.117[.]64/cf67356/phpguard |
| hxxp://185.247.117[.]64/cf67356/phpupdate |
| hxxp://198.98.57[.]187/config.json |
| hxxp://198.98.57[.]187/trace |
| hxxp://198.98.57[.]187/update.sh |
| hxxp://204.44.105[.]168:66/config.json |
| hxxp://204.44.105[.]168:66/networkmanager |
| hxxp://204.44.105[.]168:66/newdat.sh |
| hxxp://204.44.105[.]168:66/phpguard |
| hxxp://204.44.105[.]168:66/phpupdate |
| hxxp://205.209.152[.]78:8000/sysupdate |
| hxxp://205.209.152[.]78:8000/update.sh |
| hxxp://209.182.218[.]161:80/363A3EDC10A2930D/config.json |
| hxxp://209.182.218[.]161:80/363A3EDC10A2930D/networkservice |
| hxxp://209.182.218[.]161:80/363A3EDC10A2930D/sysguard |
| hxxp://209.182.218[.]161:80/363A3EDC10A2930D/sysupdate |
| hxxp://209.182.218[.]161:80/363A3EDC10A2930D/update.sh |
| hxxp://39.100.33[.]209/b2f628/config.json |
| hxxp://39.100.33[.]209/b2f628/newinit.sh |
| hxxp://39.100.33[.]209/b2f628/zzh |
| hxxp://39.100.33[.]209/b2f628fff19fda999999999/is.sh |
| hxxp://45.153.240[.]58/N3DN0E09C5D9BU70V1720/config.json |
| hxxp://45.153.240[.]58/N3DN0E09C5D9BU70V1720/networkservice |
| hxxp://45.153.240[.]58/N3DN0E09C5D9BU70V1720/sysguard |
| hxxp://45.153.240[.]58/N3DN0E09C5D9BU70V1720/sysupdate |
| hxxp://45.153.240[.]58/N3DN0E09C5D9BU70V1720/update.sh |
| hxxp://45.9.148[.]37/cf67356a3333e6999999999/1.0.4.tar.gz |
| hxxp://45.9.148[.]37/cf67356a3333e6999999999/config.json |
| hxxp://45.9.148[.]37/cf67356a3333e6999999999/is.sh |
| hxxp://45.9.148[.]37/cf67356a3333e6999999999/networkmanager |
| hxxp://45.9.148[.]37/cf67356a3333e6999999999/newdat.sh |
| hxxp://45.9.148[.]37/cf67356a3333e6999999999/phpguard |
| hxxp://45.9.148[.]37/cf67356a3333e6999999999/phpupdate |
| hxxp://47.253.42[.]213/b2f628/config.json |
| hxxp://47.253.42[.]213/b2f628/newinit.sh |
| hxxp://47.253.42[.]213/b2f628/zzh |
| hxxp://82.202.66[.]50/cf67356/config.json |
| hxxp://82.202.66[.]50/cf67356/networkmanager |
| hxxp://82.202.66[.]50/cf67356/newinit.sh |
| hxxp://82.202.66[.]50/cf67356/phpguard |
| hxxp://82.202.66[.]50/cf67356/zzh |
| hxxp://83.97.20[.]90/cf67356/config.json |
| hxxp://83.97.20[.]90/cf67356/networkmanager |
| hxxp://83.97.20[.]90/cf67356/newinit.sh |
| hxxp://83.97.20[.]90/cf67356/phpguard |
| hxxp://83.97.20[.]90/cf67356/zzh |
| hxxp://93.115.23[.]117/N3DN0E09C5D9BU70V1720/config.json |
| hxxp://93.115.23[.]117/N3DN0E09C5D9BU70V1720/networkservice |
| hxxp://93.115.23[.]117/N3DN0E09C5D9BU70V1720/sysguard |
| hxxp://93.115.23[.]117/N3DN0E09C5D9BU70V1720/sysupdate |
| hxxp://93.115.23[.]117/N3DN0E09C5D9BU70V1720/update.sh |
| hxxp://95.182.122[.]199/E5DB0E07C3D7BE80V52/config.json |
| hxxp://95.182.122[.]199/E5DB0E07C3D7BE80V52/networkservice |
| hxxp://95.182.122[.]199/E5DB0E07C3D7BE80V52/Saltmin.sh |
| hxxp://95.182.122[.]199/E5DB0E07C3D7BE80V52/sysupdate |
| hxxp://95.182.122[.]199/init.sh |
| hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/config.json |
| hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/is.sh |
| hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/networkmanager |
| hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/newdat.sh |
| hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/phpguard |
| hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/phpupdate |
| hxxp://py2web[.]store/7356a3333e6999999999/networkmanager |
| hxxp://py2web[.]store/7356a3333e6999999999/phpguard |
| hxxp://py2web[.]store/cf67356/config.json |
| hxxp://py2web[.]store/cf67356/newinit.sh |
| hxxp://py2web[.]store/cf67356/zzh |
| hxxp://xmr.ipzse[.]com:66/bd.sh |
| hxxp://xmr.ipzse[.]com:66/config.json |
| hxxp://xmr.ipzse[.]com:66/is.sh |
| hxxp://xmr.ipzse[.]com:66/networkmanager |
| hxxp://xmr.ipzse[.]com:66/newdat.sh |
| hxxp://xmr.ipzse[.]com:66/phpguard |
| hxxp://xmr.ipzse[.]com:66/phpupdate |
| hxxp://xmr.ipzse[.]com:66/rs.sh |
| hxxps://de.gengine[.]com[.]de/api/config.json |
| hxxps://de.gengine[.]com[.]de/api/networkservice |
| hxxps://de.gengine[.]com[.]de/api/sysguard |
| hxxps://de.gengine[.]com[.]de/api/sysupdate |
| hxxps://de.gengine[.]com[.]de/api/update.sh |
| hxxps://de.gsearch[.]com[.]de/api/config.json |
| hxxps://de.gsearch[.]com[.]de/api/networkservice |
| hxxps://de.gsearch[.]com[.]de/api/sysguard |
| hxxps://de.gsearch[.]com[.]de/api/sysupdate |
| hxxps://de.gsearch[.]com[.]de/api/update.sh |
| hxxps://sjjjv[.]xyz/sysupdate |
| hxxps://sjjjv[.]xyz/update.sh |
| hxxps://us.gsearch[.]com[.]de/api/config.json |
| hxxps://us.gsearch[.]com[.]de/api/networkservice |
| hxxps://us.gsearch[.]com[.]de/api/sysguard |
| hxxps://us.gsearch[.]com[.]de/api/sysupdate |
| hxxps://us.gsearch[.]com[.]de/api/update.sh |
Files
| SHA-256 | Filename |
| 0a48bd0d41052c1e3138d558fc06ebde8d6f15b8d866200b8f00b214a73eb5b9 | config.json |
| 0c4aa6afd2a81fd15f3bd65adcbd4f649fbc58ef12dd2d528125435169555901 | update.sh |
| 1f65569b77f21f47256db339700b4ff33b7570e44e1981b5c213b7b2e65b0f6c | networkmanager |
| 2b52288383588f65803a5dc9583171103be79f0b196d01241b5cd3a8cf69b190 | networkservice |
| 2eeac2b9577047a9eef2d164c13ace5e826ac85990a3a915871d6b0c2fc8fe67 | update.sh |
| 2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed | update.sh |
| 37492d1897f77371f2eb431b9be7c861b81e97f04a091d8c6d63719171eda2ac | rs.sh |
| 3ab7cf786eeb23ebd11e86e0fc48b0a9b37a427d5d730d774c9ed8d98a925c6f | sysupdate |
| 43d7b29668786731f1bbbb3ae860487e84604195b186c1b7b253f99156d7f57a | sysguard |
| 49366ae4766492d94136ca1f715a37554aa6243686c66bf3c6fbb9da9cb2793d | newinit.sh |
| 51de345f677f46595fc3bd747bfb61bc9ff130adcbec48f3401f8057c8702af9 | tar.gz |
| 55c92d64ffa9d170e340e0528dc8ea1fa9be98f91db891869947c5b168a728c8 | networkmanager |
| 55dd539d8fe94648294e91df89b005f1dba330b432ceda25775963485bae7def | config.json |
| 67d0f77adf98ac34a6db78110c78652a9b7f63e22ae5ab7df4f57d3413e48822 | phpguard |
| 68cedf2a018c0830655dc9bb94aadf6492ab31196cbc83ceb44defae0a02d3dc | config.json |
| 6a7109481e113fd92ff98534e780f47a32b64bfa5692f7bd7da33c84033a9028 | sysguard |
| 758dbfda2b7d2e97caba294089c4c836ab447d7c9ceef510c667526fd873e161 | phpguard |
| 80b1a70d7ec5d1944787afff3c2feac3aa40ec8c64177886481d96623bc786bf | config.json |
| 818c16d1921572ffee6853c16c5c9158d2f217b6adbb5154cbb7daf945db493c | update.sh |
| 82815c61402cfc0edd6ce3be37848259711ef07e3391e74c85fbdaa676d95c0c | is.sh |
| 849f86a8fd06057eeb1ae388789881516239282dd4cb079b8281f995035874e1 | newinit.sh |
| 895e994dafaa00009a46f3b56ca0d563e066a14e77f5030b1331fc9b3f9f6478 | networkservice |
| 96fe63c25e7551a90051431aeddb962f05d82b7dd2940c0e8e1282273ba81e22 | newinit.sh |
| a322dc6af6fed1326b04ec966e66b68dd8ef22374edd286569710afc65ccc741 | newinit.sh |
| ac719447894b2f5029f493c7395d128f710a3ba7b31c199558f3ee00fb90ea12 | networkmanager |
| ad05d09e6ed4bd09fe1469e49885c5169458635a1a33f2579cb7caa221b43fce | newdat.sh |
| b6a5790a9bfaf159af68c4dbb09de9c2c0c2371c886fdb28223d40e6984b1dd7 | config.json |
| bd3506b86452d46d395b38aa807805097da1291c706318b5fe970fe4b20f5406 | config.json |
| c67881c1f05477939b8964ad26f1a467762a19c2c7d1a1656b338d8113ca1ac1 | phpguard |
| c8ca3ab0ae00a1bf197086370ab5994264ac5bc1fcf52b2ddf8c9fcacc4402ff | 1.0.4.tar |
| d54157bb703b360bb911363d9bb483a2ee00ee619d566d033a8c316f06cf26cc | zzh |
| d6cf2d54e3bb564cb15638b58d2dd124ae7acd40e05af42d1bdc0588a8d5211d | networkmanager |
| e3cbb08913493e54d74081349972423444cbc0f4853707b84409131d19cad15b | phpguard |
| e7446d595854b6bac01420378176d1193070ef776788af12300eb77e0a397bf7 | sysupdate |
| ed1e49cb05c375cc1149c349880ed077b6ee75cb7e5c6cae9cbd4bd086950c93 | zzh |
Leave A Comment