WatchBog Crypto-Mining Botnet Relies on Pastebin for C&C

The WatchBog cryptocurrency-mining botnet is heavily reliant on the Pastebin website for command and control (C&C) operations, Cisco Talos’ security researchers reveal.


Active since last year, the botnet is focused on leveraging Linux-based systems to mine for the Monero virtual currency. In July, however, the malware was observed incorporating code to also scan for the BlueKeep Windows vulnerability.


The botnet mainly targets known vulnerabilities, such as Jenkins’ CVE-2018-1000861, Jira’s CVE-2019-11581, Exim’s CVE-2019-10149, and Solr’s CVE-2019-0192.


WatchBog’s operators apparently claimed to be providing a security service to identify vulnerabilities in enterprise systems “before any ‘real’ hackers could do so.” However, identified vulnerable hosts would then become part of the crypto-mining botnet, which “raises serious doubts about the ‘positive’ intentions of this adversary,” Talos notes.


At installation, the threat checks for the presence of other cryptocurrency miners on the system and attempts to terminate them. It then determines whether it can write to various directories, checks the system architecture, and then makes three attempts to download and install a dropper.


Additionally, the installation script retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, and then downloads the cryptocurrency miner. The script also checks if the 'watchbog' process is running and calls the 'testa' or 'download' function if it doesn’t.


Code associated with the 'testa' function is responsible for writing configuration data used by the mining software. The function declares three variables and also assigns base64-encoded da ..

Support the originator by clicking the read the rest link below.