Monday, May 12, 2025
HomeComputer SecurityLinux Botnet WatchBog adds BlueKeep Vulnerability Scanner Module to List Vulnerable RDP...

Linux Botnet WatchBog adds BlueKeep Vulnerability Scanner Module to List Vulnerable RDP Systems

Published on

SIEM as a Service

Follow Us on Google News

The new variant of Linux botnet WatchBog adds BlueKeep Vulnerability Scanner module to prepare a list of vulnerable windows RDP servers. The hackers behind WatchBog is familiar with exploiting know vulnerabilities.

Bluekeep is windows-based vulnerability which allows an attacker to access the vulnerable machine without authentication. The vulnerability can be tracked as CVE-2019-0708, till now no attack has been spotted exploiting this vulnerability.

Intezer observed the new campaign active before June 5, incorporates various recently published exploits and went undetected by security vendors.

- Advertisement - Google News

New Exploits and BlueKeep Vulnerability Scanner

The new variant includes newly published exploits that include Jira’s, Exim’s, Solr’s and BlueKeep Vulnerability Scanner. The BlueKeep Vulnerability Scanner attached with WatchBog scans the attempts to find out the vulnerable RDP servers.

Once the scanning process completed it returns a list of RC4 encrypted vulnerable IP addresses encoded as a hexadecimal string.

Researchers believe that “the threat actors behind WatchBog may be gathering a list of vulnerable BlueKeep Windows endpoints for future use, or perhaps to sell to a third party to make a profit.”

Scanner Modules

  • Jira module
  • Solr module
  • BlueKeep module

Exploits

Bruteforce Modules

  • CouchDB
  • Redis

All the exploit modules allow an attacker to achieve RCE, WatchBog scans for the vulnerable machine, once vulnerable service is spotted, it invokes the right exploit modules and installs the malicious Monero miner modules from Pastebin.

Scans for RDP Clients

To maintain persistence it utilizes crontab and downloads another spreader module – a cython combined binary(ELF executable), the binary retrieves the C2 servers from Pastebin.

Intezer believes that “around 4,500 endpoints were infected with the use of these specific Pastebin links. As WatchBog is known to have been active before June 5—which is the upload date of these Pastebins—we believe additional machines may have been infected with the use of older Pastebin links.”

Server administrators are recommended to update the software to the latest versions and to verify the open ports exists outside of the trusted network.

Linux users could check for the existence of “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file, if you suspect that the system is infected.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...