Vulnerable Jira and Exim Servers Abused to Spread New Watchbog Trojan Variant
- Watchbog is a trojan that affects Linux machines and servers through vulnerable applications.
- Botnets from these infected servers were used for a Monero cryptomining operation.
Security researchers have uncovered a new Watchbog malware variant affecting Jira and Exim servers. It was found that the malware was exploiting recent vulnerabilities in these servers. The vulnerabilities were code execution flaws in both Jira and Exim servers.
It is speculated that over 1.6 million unpatched Exim servers are vulnerable to the new Watchbog variant. Likewise, more than 54,000 unpatched Jira servers are also defenseless against the trojan.
The big picture
- The new variant was discovered by security researcher ‘polarply’ of Intezer Labs.
- In a tweet, the researcher described that the variant was exploiting a 12-day old vulnerability (CVE-2019-11581) in Jira and another recent flaw (CVE-2019-10149) in Exim. Both are remote code execution flaws.
- This variant was not detected by any antivirus engine on VirusTotal. It had a detection ratio of 0/54 as reported by Intezer.
- Once infecting the servers, the resulting botnets are used to mine Monero cryptocurrency.
- In order to do this, Watchbog executes malicious commands, retrieved from Pastebin, on compromised Linux servers.
A malicious script associated with the new Watchbog also had a contact note, on top of delivering a Monero miner. According to BleepingComputer which covered this new development of Watchbog, the creators behind this malware wanted to ‘keep the internet safe’ in the malware campaign.
“They also say that the malware will only mine for cryptocurrency on compromised servers, with no intention of tampering with the stored data in any way or asking for a ransom,” BleepingComputer reported.