Thursday, March 28, 2024

Linux Botnet WatchBog adds BlueKeep Vulnerability Scanner Module to List Vulnerable RDP Systems

The new variant of Linux botnet WatchBog adds BlueKeep Vulnerability Scanner module to prepare a list of vulnerable windows RDP servers. The hackers behind WatchBog is familiar with exploiting know vulnerabilities.

Bluekeep is windows-based vulnerability which allows an attacker to access the vulnerable machine without authentication. The vulnerability can be tracked as CVE-2019-0708, till now no attack has been spotted exploiting this vulnerability.

Intezer observed the new campaign active before June 5, incorporates various recently published exploits and went undetected by security vendors.

New Exploits and BlueKeep Vulnerability Scanner

The new variant includes newly published exploits that include Jira’s, Exim’s, Solr’s and BlueKeep Vulnerability Scanner. The BlueKeep Vulnerability Scanner attached with WatchBog scans the attempts to find out the vulnerable RDP servers.

Once the scanning process completed it returns a list of RC4 encrypted vulnerable IP addresses encoded as a hexadecimal string.

Researchers believe that “the threat actors behind WatchBog may be gathering a list of vulnerable BlueKeep Windows endpoints for future use, or perhaps to sell to a third party to make a profit.”

Scanner Modules

  • Jira module
  • Solr module
  • BlueKeep module

Exploits

Bruteforce Modules

  • CouchDB
  • Redis

All the exploit modules allow an attacker to achieve RCE, WatchBog scans for the vulnerable machine, once vulnerable service is spotted, it invokes the right exploit modules and installs the malicious Monero miner modules from Pastebin.

Scans for RDP Clients

To maintain persistence it utilizes crontab and downloads another spreader module – a cython combined binary(ELF executable), the binary retrieves the C2 servers from Pastebin.

Intezer believes that “around 4,500 endpoints were infected with the use of these specific Pastebin links. As WatchBog is known to have been active before June 5—which is the upload date of these Pastebins—we believe additional machines may have been infected with the use of older Pastebin links.”

Server administrators are recommended to update the software to the latest versions and to verify the open ports exists outside of the trusted network.

Linux users could check for the existence of “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file, if you suspect that the system is infected.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles