Cryptojacking attacks are soaring and one such attack was recently observed from a group known as WatchDog.

Key findings

  • As reported by researchers from Lacework, WatchDog’s cryptojacking campaign leveraged a unique steganography technique for malware propagation and other objectives.
  • The XMRig miner was disguised as an image and hosted on compromised cloud storage (Alibaba Object Storage Service).
  • This enabled the attackers to maintain low detection rates while carrying out their cryptojacking attacks.

Technical details

  • WatchDog’s steganography downloader used the dd command-line utility, which can specify block sizes for input and output. This enabled the attackers to carve out malware, in the form of bash code or ELF binaries, that is appended to the end of the image file.
  • The embedded XMRig payloads are written in varied content, with one of them being in the Chinese language. 
  • Multiple scanners such as Redis SCAN and masscan are used to scan for vulnerable Alibaba OSS buckets and propagate the malware.
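
A defender-side check for the appended-payload technique described above, as an added example that is not code from Lacework or from the original article: it walks a PNG or JPEG to its real end marker and reports any bytes appended after it, flagging ELF or shell-script content. The choice of PNG and JPEG, the function names and the sample bytes are assumptions; the article does not say which image format was used.

```python
import struct
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(data):
    """Offset just past the IEND chunk, found by walking the chunk list."""
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")

def jpeg_end(data):
    """Offset just past EOI, found by walking segments and scan data."""
    pos = 2  # skip SOI (FF D8)
    while pos + 2 <= len(data):
        marker = data[pos + 1]
        if data[pos] != 0xFF:
            raise ValueError("lost marker sync")
        if marker == 0xD9:  # EOI: the image ends here
            return pos + 2
        if marker in (0x01, 0xFF) or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2  # fill byte or standalone marker
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip segment
        while marker == 0xDA and pos + 1 < len(data) and (  # SOS: skip scan data
                data[pos] != 0xFF or data[pos + 1] == 0 or 0xD0 <= data[pos + 1] <= 0xD7):
            pos += 1
    raise ValueError("no EOI marker")

def trailing_payload(data):
    """Return (offset, kind, size) of bytes appended after the image, else None."""
    if data.startswith(PNG_SIG):
        end = png_end(data)
    elif data.startswith(b"\xff\xd8"):
        end = jpeg_end(data)
    else:
        raise ValueError("not a PNG or JPEG")
    tail = data[end:]
    if not tail.strip(b"\x00\r\n "):  # ignore harmless padding
        return None
    kind = ("ELF binary" if tail.startswith(b"\x7fELF")
            else "shell script" if tail.lstrip().startswith(b"#!") else "unknown data")
    return end, kind, len(tail)

# Constructed samples: structurally minimal, not decodable (IHDR CRC is zeroed).
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\rIHDR" + bytes(17) + b"\x00\x00\x00\x00IEND\xaeB`\x82"
CLEAN_JPG = b"\xff\xd8\xff\xe0\x00\x04AB\xff\xda\x00\x04CD\x12\xff\x00\x34\xff\xd9"
```

Walking the structure forward, rather than searching for the last end marker, keeps the result correct when the appended payload itself happens to contain an end-marker byte sequence.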

WatchDog mimics TeamTNT’s cryptojacking style

  • Multiple reports suggest that WatchDog utilizes many TTPs followed by the TeamTNT group. 
  • In one of the recently observed cryptojacking attacks, WatchDog targeted exposed Docker API endpoints and Redis servers to quickly pivot from one compromised machine to the entire network.
  • The attackers used timestamping and process hiding tactics to hide exploit tools used for scanning misconfigured Redis databases.
  • Many of the scripts used by WatchDog in the attack overlapped with those used by TeamTNT, for example logos and ASCII code for the infrastructure.

The bottom line

Researchers highlight that WatchDog’s combination of a steganography technique and compromised cloud storage is likely to be more effective. While steganography is a widely popular technique for defense evasion, compromised cloud storage systems will enable attackers to launch more scalable cryptojacking attacks in the future.
Cyware Publisher