WatchBog Botnet Leverages Pastebin for C&C Operations

• The crypto-mining botnet exploits Linux-based systems to mine for the Monero cryptocurrency.
• Cisco Talos security researchers uncovered the botnet’s propagation through Pastebin. WatchBog operators make use of SSH to spread laterally.

The (over)smart buggers: To approach their target, WatchBog botnet operators initially claim to be security service providers who identify serious vulnerabilities in enterprise systems “before any ‘real’ hackers could do so.”

The hosts would then compromise the system to become a part of the crypto-mining botnet, raising serious doubts about the ‘positive’ intentions of this adversary, suggested Talos researchers.

One step at a time: During installation, the malware checks for the presence of other cryptocurrency miners on the system and attempt to kill it, if found. Then it goes on check system architecture to write to various directories, and then makes three attempts to download and install a dropper. Here’s how it does it:

• The installation script retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information, and then downloads the cryptocurrency miner.
• The script also checks if the 'watchbog' process is running and calls the 'testa' or 'download' function if it doesn’t. (Code associated with the function is responsible for writing configuration data used by the mining software.)
• The function declares three variables and also assigns base64-encoded data to each of them. The data is then decoded and written to various files.
• The script downloads encoded Pastebins as a text file, gives it execution permissions and then starts the Watchbog process and deletes the text file.
• The code in the 'download' function performs similar operations. It writes the contents retrieved from various file locations, determines the architecture of the system, installs the appropriate mining client, and executes it.

Pushing the boundaries

Cisco Incident Response (CSIRS) also found the adversary using SSH to spread laterally.

• The ‘Bash script’, responsible for this operation, retrieves the contents of the known_hosts file and attempts to SSH into those systems.
• It also checks for the existence of SSH keys as means of authentication in the known_hosts file.
• Additionally, it also sought to run Python script that scans for open Jenkins and Redis ports on the host's subnet.
• The malware operators depend largely on cron jobs for persistence and try to cover their tracks by erasing or overwriting files and logs, wherever possible.

Recommendations from researchers: Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and network environment in which the webserver is deployed.

Here’s what can be done:

• The most effective way to avert such actions would be to ensure that all enterprise web applications are updated.
• Patching may sometimes cause some operational gaps and delays, so it’s also important to have a maintenance window and a test environment to ensure that the new patches don’t open the window for vulnerabilities.
• Identify crypto-mining activity through: a) by following security fundamentals, b) establishing a baseline for internal network traffic, c) identify and investigate the occurrence of any significant deviations