Saturday, May 31, 2025
HomeComputer SecurityLinux Botnet WatchBog adds BlueKeep Vulnerability Scanner Module to List Vulnerable RDP...

Linux Botnet WatchBog adds BlueKeep Vulnerability Scanner Module to List Vulnerable RDP Systems

Published on

SIEM as a Service

Follow Us on Google News

The new variant of Linux botnet WatchBog adds BlueKeep Vulnerability Scanner module to prepare a list of vulnerable windows RDP servers. The hackers behind WatchBog is familiar with exploiting know vulnerabilities.

Bluekeep is windows-based vulnerability which allows an attacker to access the vulnerable machine without authentication. The vulnerability can be tracked as CVE-2019-0708, till now no attack has been spotted exploiting this vulnerability.

Intezer observed the new campaign active before June 5, incorporates various recently published exploits and went undetected by security vendors.

- Advertisement - Google News

New Exploits and BlueKeep Vulnerability Scanner

The new variant includes newly published exploits that include Jira’s, Exim’s, Solr’s and BlueKeep Vulnerability Scanner. The BlueKeep Vulnerability Scanner attached with WatchBog scans the attempts to find out the vulnerable RDP servers.

Once the scanning process completed it returns a list of RC4 encrypted vulnerable IP addresses encoded as a hexadecimal string.

Researchers believe that “the threat actors behind WatchBog may be gathering a list of vulnerable BlueKeep Windows endpoints for future use, or perhaps to sell to a third party to make a profit.”

Scanner Modules

  • Jira module
  • Solr module
  • BlueKeep module

Exploits

Bruteforce Modules

  • CouchDB
  • Redis

All the exploit modules allow an attacker to achieve RCE, WatchBog scans for the vulnerable machine, once vulnerable service is spotted, it invokes the right exploit modules and installs the malicious Monero miner modules from Pastebin.

Scans for RDP Clients

To maintain persistence it utilizes crontab and downloads another spreader module – a cython combined binary(ELF executable), the binary retrieves the C2 servers from Pastebin.

Intezer believes that “around 4,500 endpoints were infected with the use of these specific Pastebin links. As WatchBog is known to have been active before June 5—which is the upload date of these Pastebins—we believe additional machines may have been infected with the use of older Pastebin links.”

Server administrators are recommended to update the software to the latest versions and to verify the open ports exists outside of the trusted network.

Linux users could check for the existence of “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file, if you suspect that the system is infected.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra...

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages...

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated...