Researchers at Intezer Labs discovered and analysed a new version of a Linux-based cryptocurrency mining malware dubbed WatchBog, which now comes with a scanner designed to look for Windows RDP servers vulnerable to the BlueKeep flaw (SB2019051501 - CVE-2019-0708).
The vulnerability in question is a remote code execution bug in the RDP service. A successful attack would allow the attacker to execute code in the environment of the Remote Desktop Service (aka Terminal services). The flaw affects unpatched Windows versions ranging from Windows 2000 to Windows Server 2008 and Windows 7. According to Microsoft, “vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017”.
Although there is no known public PoC available for achieving RCE using this vulnerability, and no attack has been spotted in the wild yet, it seems that cybercriminals are preparing for future operations.
The scanner module discovered by the researchers appears to be a Python port of a proof-of-concept scanner published to GitHub in May 2019. However, the module described in the Intezer Labs report does not contain any exploit code; for now it only compiles a list of vulnerable systems.
Once on a system, WatchBog scans a predefined list of IP addresses fetched from a command-and-control (C2) server to identify vulnerable Windows systems, then sends the collected data back to the C2. While analyzing the IP lists used for RDP scanning, the researchers found that some of the IP addresses belonged to Vodafone Australia and Tencent Computer Systems infrastructure. As for the motive, Intezer believes that the WatchBog operators collect information about vulnerable systems for use in further attacks, or intend to sell it to third parties.
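From a defender's side, the behaviour described above has a recognisable network signature: one Linux host opening connections to many distinct external addresses on 3389/tcp within a short window, which is not how an administrator uses RDP. The following is an added example, not Intezer's code or anything from the WatchBog sample; it applies a simple fan-out heuristic to constructed, simplified flow records (the `<timestamp> <src> <dst> <dport> <proto>` layout is assumed for illustration and is not any vendor's format), flagging sources that reach a threshold of distinct RDP destinations inside a sliding time window.

```python
"""Flag internal hosts that fan out to many RDP (3389/tcp) destinations.

Added example for the WatchBog write-up; not Intezer's code. The flow
format and all addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "<ISO timestamp> <src> <dst> <dport> <proto>".
# 10.0.5.17 behaves like a scanner walking a target list; 10.0.5.40 is an
# admin repeatedly reaching one RDP host; 10.0.5.22 touches three RDP hosts
# hours apart; one malformed line is included to exercise the parser.
SAMPLE_FLOWS = (
    [f"2019-07-24T10:00:{i:02d} 10.0.5.17 203.0.113.{i} 3389 tcp" for i in range(1, 13)]
    + [
        "2019-07-24T10:05:00 10.0.5.40 198.51.100.5 3389 tcp",
        "2019-07-24T10:06:00 10.0.5.40 198.51.100.5 3389 tcp",
        "2019-07-24T10:07:00 10.0.5.40 198.51.100.5 3389 tcp",
        "2019-07-24T10:07:30 10.0.5.40 198.51.100.9 443 tcp",
        "2019-07-24T09:00:00 10.0.5.22 192.0.2.1 3389 tcp",
        "2019-07-24T11:00:00 10.0.5.22 192.0.2.2 3389 tcp",
        "2019-07-24T13:00:00 10.0.5.22 192.0.2.3 3389 tcp",
        "this line is garbage and must be skipped",
    ]
)


def parse_flow(line):
    """Parse one constructed flow record; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {
            "ts": datetime.fromisoformat(parts[0]),
            "src": parts[1],
            "dst": parts[2],
            "dport": int(parts[3]),
            "proto": parts[4].lower(),
        }
    except ValueError:
        return None


def find_rdp_scanners(lines, min_targets=10, window=timedelta(minutes=5), port=3389):
    """Return {src: max_distinct_targets} for sources whose distinct RDP
    destinations inside any `window`-long interval reach `min_targets`."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dport"] != port or rec["proto"] != "tcp":
            continue
        per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()  # oldest first so the sliding window is monotonic
        in_window = defaultdict(int)  # dst -> number of hits currently in window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Evict events older than `window` relative to the newest one.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in find_rdp_scanners(SAMPLE_FLOWS).items():
        print(f"possible RDP scanner: {src} reached {n} distinct hosts on 3389/tcp")
```

The threshold and window are deliberately parameters: a small `min_targets` with a long `window` catches slow, spread-out probing of the kind a C2-fed target list would produce, at the cost of more review work, while the defaults only fire on the fast fan-out shown by the constructed scanner host.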
In previous campaigns the group leveraged known vulnerabilities in Linux systems, and it has recently expanded its exploit list to target more servers. The arsenal now includes recently published exploits, such as Jira’s SB2019072207 (CVE-2019-11581), Exim’s SB2019060505 (CVE-2019-10149), Solr’s SB2019030611 (CVE-2019-0192), Jenkins’ SB2018121801 #4 (CVE-2018-1000861) and Nexus Repository Manager 3’s SB2019032114 (CVE-2019-7238). The WatchBog malware also includes two modules for brute-forcing CouchDB and Redis instances, along with code to achieve RCE.
“The incorporation of the BlueKeep scanner by a Linux botnet may indicate WatchBog is beginning to explore financial opportunities on a different platform. Currently, no known public RCE BlueKeep PoCs exist and it will be interesting to monitor this group once a PoC is published,” concluded the researchers.