WatchBog Exploits Multiple Vulnerabilities to Mine Monero on Linux

We have said it before, and we will say it again: Unguarded operating systems are the first ones to be corrupted by malware. WatchBog proves that Linux systems are not exempt from this rule, and at least five different vulnerabilities have been exploited by this malware. According to the researchers at Intezer, if this malware slithers in successfully, it can inject a Monero miner. If you do not understand how exploits work or what miners are, we are glad to say that you will find useful information in this report. Of course, we also discuss the removal of the miner, and we provide tips that, hopefully, will help you evade the malicious infection in the future.

WatchBog is a Linux Crypto miner, and to invade Linux operating systems, it relies on known security vulnerabilities. For successful execution, this malware exploits Exim (CVE-2019-10149), Jenkins (CVE-2018-1000861), Jira (CVE-2019-11581), Nexus Repository Manager 3 (CVE-2019-7238), and Solr (CVE-2019-0192). If Linux users update to the latest version of this software, the vulnerabilities are patched, and so the infection cannot exploit any security backdoors. As you can see, the fix is simple, but users often postpone or even ignore updates because they feel that they are inconvenient. Well, a little bit of inconvenience will not hurt you, but malware can, and so we encourage you to stay on top of all security updates to ensure that no backdoors are left open.

It was reported that the first sightings of WatchBog were recorded in late 2018, and so this malware has been around for quite some time now. By the end of the summer, it is believed that 4,500 machines had been compromised, but the number might have increased since then. Unfortunately, it was found that a vulnerability within the Windows operating system could be used to execute WatchBog as well, and so the attackers might be crossing over. It is a kernel vulnerability, and it is incorporated within a BlueKeep scanner (CVE–2019-0708). This vulnerability exists within operating systems that range from Windows 2000 to Windows 7, and so it might exist in hundreds of thousands of operating system across the world. 61% of Windows users run Windows 10, but the older versions are still quite popular. At the time of research, Windows systems were not attacked, but it is possible that the attackers could strike Windows users next.

If WatchBog injects a Monero miner successfully, it will exploit the system’s power to compute complex mathematical problems. This is done to verify cryptocurrency, and, in return, the owner of the miner is awarded some money for the service. Cryptocurrency mining can be done legally, but if one wants to make a significant profit, they need multiple machines, and the electricity bills for the used energy can be extremely big. This is why cybercriminals create malware that injects miners onto the vulnerable computers of unsuspecting victims. Such miners act like leeches. Even though they do not affect the victims’ privacy, malware, in general, is unpredictable, and if a miner was injected, any other kind of malware module could be injected too, and this module could be much more dangerous. Therefore, it is crucial to perform thorough removal once WatchBog is detected.

If you use Exim, Jenkins, Jira, Nexus Repository Manager 3, and Solr on Linux, you need to update the software immediately. Windows users need to remove vulnerabilities within BlueKeep. If this is taken care of, the dangerous WatchBog should not stand a chance of slithering in. Linux users should also check the /tmp/ directory for any suspicious files. If you can identify malicious files, delete them immediately. Of course, you need to consider strengthening the overall security of your operating system, and we recommend implementing reliable anti-malware software for that. If you choose to install it now, it will automatically delete WatchBog and any malicious modules that could have been injected by it.

References

Kaizer, G. October 2, 2019. Windows by the numbers: Windows 10 continues to cannibalize Windows 7. ComputerWorld.
Litvak, P. and Sanmillan, I. July 24, 2019. Watching the WatchBog: New BlueKeep Scanner and Linux Exploits. Intezer Blog.