Thursday, February 6, 2025
HomeComputer SecurityLinux Botnet WatchBog adds BlueKeep Vulnerability Scanner Module to List Vulnerable RDP...

Linux Botnet WatchBog adds BlueKeep Vulnerability Scanner Module to List Vulnerable RDP Systems

Published on

SIEM as a Service

Follow Us on Google News

The new variant of Linux botnet WatchBog adds BlueKeep Vulnerability Scanner module to prepare a list of vulnerable windows RDP servers. The hackers behind WatchBog is familiar with exploiting know vulnerabilities.

Bluekeep is windows-based vulnerability which allows an attacker to access the vulnerable machine without authentication. The vulnerability can be tracked as CVE-2019-0708, till now no attack has been spotted exploiting this vulnerability.

Intezer observed the new campaign active before June 5, incorporates various recently published exploits and went undetected by security vendors.

New Exploits and BlueKeep Vulnerability Scanner

The new variant includes newly published exploits that include Jira’s, Exim’s, Solr’s and BlueKeep Vulnerability Scanner. The BlueKeep Vulnerability Scanner attached with WatchBog scans the attempts to find out the vulnerable RDP servers.

Once the scanning process completed it returns a list of RC4 encrypted vulnerable IP addresses encoded as a hexadecimal string.

Researchers believe that “the threat actors behind WatchBog may be gathering a list of vulnerable BlueKeep Windows endpoints for future use, or perhaps to sell to a third party to make a profit.”

Scanner Modules

  • Jira module
  • Solr module
  • BlueKeep module

Exploits

Bruteforce Modules

  • CouchDB
  • Redis

All the exploit modules allow an attacker to achieve RCE, WatchBog scans for the vulnerable machine, once vulnerable service is spotted, it invokes the right exploit modules and installs the malicious Monero miner modules from Pastebin.

Scans for RDP Clients

To maintain persistence it utilizes crontab and downloads another spreader module – a cython combined binary(ELF executable), the binary retrieves the C2 servers from Pastebin.

Intezer believes that “around 4,500 endpoints were infected with the use of these specific Pastebin links. As WatchBog is known to have been active before June 5—which is the upload date of these Pastebins—we believe additional machines may have been infected with the use of older Pastebin links.”

Server administrators are recommended to update the software to the latest versions and to verify the open ports exists outside of the trusted network.

Linux users could check for the existence of “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file, if you suspect that the system is infected.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Paragon Spyware Allegedly Ends Spyware Contract with Italy

Paragon Solutions, an Israeli cybersecurity firm, has reportedly ended its spyware contract with Italy.The...

Authorities Arrested Hacker Who Compromised 40+ Organizations

Spanish authorities have arrested a hacker believed to be responsible for cyberattacks targeting over...

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

OpenAI may have become the latest high-profile target of a significant data breach.A...

Lumma Stealer Attacking Windows Users In India With Fake Captcha Pages

Cybersecurity experts are raising alarms over a new wave of attacks targeting Windows users...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Paragon Spyware Allegedly Ends Spyware Contract with Italy

Paragon Solutions, an Israeli cybersecurity firm, has reportedly ended its spyware contract with Italy.The...

Authorities Arrested Hacker Who Compromised 40+ Organizations

Spanish authorities have arrested a hacker believed to be responsible for cyberattacks targeting over...

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

OpenAI may have become the latest high-profile target of a significant data breach.A...