26 July 2019

New version of WatchBog cryptominer adds BlueKeep scanner

Researchers at Intezer Labs discovered and analysed a new version of a Linux-based cryptocurrency mining malware dubbed WatchBog, which now comes with a scanner designed to look for Windows RDP servers vulnerable to the BlueKeep flaw (SB2019051501 - CVE-2019-0708).

The vulnerability in question is a remote code execution bug in the RDP service. A successful attack would allow the attacker to execute code in the environment of the Remote Desktop Service (aka Terminal services). The flaw affects unpatched Windows versions ranging from Windows 2000 to Windows Server 2008 and Windows 7. According to Microsoft, “vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017”.

Although there is no known public PoC available for achieving RCE using this vulnerability, and no attack has been spotted in the wild yet, it seems that cybercriminals are getting ready for future operations.

The scanner module discovered by the researchers appears to be a Python port of a proof-of-concept scanner published to GitHub in May 2019. However, the module described in the Intezer Labs report doesn’t contain any exploit code and for now only prepares a list of vulnerable systems.

Once on the system, WatchBog scans a predefined list of IP addresses fetched from a command-and-control (C2) server to identify vulnerable Windows systems and then sends the collected data back to the C2. While analyzing the IP lists used for RDP scanning, the researchers found that some of the IP addresses belonged to Vodafone Australia and Tencent Computer Systems infrastructure. As for the reason behind these actions, Intezer believes that the WatchBog operators collect information about vulnerable systems for use in further attacks or intend to sell it to third parties.

In previous campaigns the group has been leveraging known vulnerabilities in Linux systems, and has recently expanded its list of implants to target more servers. The arsenal now includes recently published exploits, such as Jira’s SB2019072207 (CVE-2019-11581), Exim’s SB2019060505 (CVE-2019-10149), Solr’s SB2019030611 (CVE-2019-0192), Jenkins’ SB2018121801 #4 (CVE-2018-1000861) and Nexus Repository Manager 3’s SB2019032114 (CVE-2019-7238). The WatchBog malware also includes two modules for brute-forcing CouchDB and Redis instances, along with code to achieve RCE.

“The incorporation of the BlueKeep scanner by a Linux botnet may indicate WatchBog is beginning to explore financial opportunities on a different platform. Currently, no known public RCE BlueKeep PoCs exist and it will be interesting to monitor this group once a PoC is published,” concluded the researchers.
