The (over)smart buggers: To approach their target, WatchBog botnet operators initially claim to be security service providers who identify serious vulnerabilities in enterprise systems “before any ‘real’ hackers could do so.”
The operators would then compromise the system so that it became part of the crypto-mining botnet, raising serious doubts about the ‘positive’ intentions of this adversary, Talos researchers suggested.
One step at a time: During installation, the malware checks for the presence of other cryptocurrency miners on the system and attempts to kill any it finds. It then checks the system architecture, writes to various directories, and makes three attempts to download and install a dropper. Here’s how it does it:
Pushing the boundaries
Cisco Incident Response (CSIRS) also found the adversary using SSH to spread laterally.
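Lateral movement over SSH of the kind CSIRS describes leaves a characteristic trace in sshd logs: one source address accepting logins on many internal hosts within a short window. The script below is an added illustration of how a defender might surface that pattern; it is not code from the article or from Talos. The log lines are constructed samples, the `year` argument is assumed because syslog timestamps carry none, and the fan-out threshold and window are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the article). Source 10.0.0.5 fans out to
# four internal machines within two minutes; 10.0.0.9 is an ordinary admin reaching two
# hosts hours apart.
SAMPLE_LOGS = """\
Jan 10 03:12:01 web01 sshd[2211]: Accepted password for deploy from 10.0.0.5 port 51412 ssh2
Jan 10 03:12:45 db01 sshd[1022]: Accepted password for deploy from 10.0.0.5 port 51430 ssh2
Jan 10 03:13:10 app02 sshd[3301]: Accepted publickey for deploy from 10.0.0.5 port 51455 ssh2
Jan 10 03:14:02 app03 sshd[3377]: Accepted password for root from 10.0.0.5 port 51470 ssh2
Jan 10 03:20:00 web01 sshd[2290]: Accepted publickey for alice from 10.0.0.9 port 40001 ssh2
Jan 10 09:00:00 db01 sshd[1100]: Accepted publickey for alice from 10.0.0.9 port 40002 ssh2
"""

# Matches only successful logins; failed attempts and disconnects are ignored on purpose.
LOG_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_accepted(lines, year=2024):
    """Return one event dict per successful login found in the given log lines.

    Syslog lines carry no year, so the caller supplies one (assumed here)."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['month']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append({"time": ts, "src": m["src"], "host": m["host"],
                       "user": m["user"], "method": m["method"]})
    return events


def find_ssh_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag source IPs that log in to at least `min_hosts` distinct hosts within `window`.

    Returns {src_ip: sorted list of hosts reached inside the first offending window}."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # Sliding window anchored at each login: hosts reached within `window` of it.
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    found = find_ssh_fanout(parse_accepted(SAMPLE_LOGS.splitlines()))
    for src, hosts in found.items():
        print(f"possible SSH lateral movement from {src}: {', '.join(hosts)}")
```

On the constructed input only 10.0.0.5 is reported. In practice the threshold should be tuned against known jump hosts and configuration-management servers, which legitimately show the same fan-out, and the `user` field is worth alerting on separately when it is `root`.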
Recommendations from researchers: Unpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage such a vulnerability to gain a foothold on the web server and in the network environment in which the web server is deployed.
Here’s what can be done: