Cybersecurity researchers have discovered a new variant of WatchBog, a Linux-based cryptocurrency-mining malware botnet, that now also includes a module to scan the Internet for Windows RDP servers vulnerable to the BlueKeep flaw. BlueKeep is a highly critical, wormable, remote code execution vulnerability in Windows Remote Desktop Services that could allow an unauthenticated remote attacker to take full control of vulnerable systems just by sending specially crafted requests over the RDP protocol.
Image Source: https://thehackernews.com
Although Microsoft already released patches for the BlueKeep vulnerability (CVE-2019-0708) back in May this year, more than 800,000 Windows machines accessible over the Internet are still vulnerable to the recently disclosed critical flaw. Fortunately, even though many people in the security community have developed working remote code execution exploits for BlueKeep, no public proof-of-concept (PoC) exploit is available to date, which has so far kept opportunistic attackers from wreaking havoc. Nevertheless, the cybersecurity firm Immunity just yesterday released an updated version of its commercial automated vulnerability assessment and penetration testing (VAPT) tool, CANVAS 7.23, that includes a new module for the BlueKeep RDP exploit.

It appears that the attackers behind WatchBog are using their botnet to prepare a list of vulnerable systems to target in the future, or to sell to third parties for profit, warn the researchers from Intezer Labs who discovered the new WatchBog variant. The BlueKeep scanner included in WatchBog scans the Internet and then submits the list of newly discovered RDP hosts to the attacker-controlled servers as a hexadecimal data string encrypted with RC4.

According to the researchers, the new WatchBog variant has already compromised over 4,500 Linux machines in the past two months. Although WatchBog has been operating since late last year, the attackers have been distributing the new variant in an ongoing campaign active since early June this year. The newly discovered variant includes a new spreading module along with exploits for several recently patched vulnerabilities in Linux applications, allowing the attackers to find and compromise more Linux systems rapidly.
The WatchBog Linux botnet malware contains several modules, listed below, which leverage recently patched vulnerabilities in the Exim, Jira, Solr, Jenkins, ThinkPHP and Nexus applications to compromise Linux machines.
- CVE-2019-11581 (Jira)
- CVE-2019-10149 (Exim)
- CVE-2019-0192 (Solr)
- CVE-2018-1000861 (Jenkins)
- CVE-2019-7238 (Nexus Repository Manager 3)
- BlueKeep Scanner
- Jira Scanner
- Solr Scanner
- Brute-forcing Module
  - CouchDB instances
  - Redis instances
- Apache ActiveMQ (CVE-2016-3088)
- Solr (CVE-2019-0192)
- Code Execution over Redis
Once the scanning and brute-forcing modules discover a Linux machine running a vulnerable application, WatchBog deploys a script on the targeted machine to download Monero cryptocurrency miner modules from the Pastebin website. The malicious script then also achieves persistence on the infected system via crontab and downloads a new spreader module, which comes in the form of a dynamically linked, Cython-compiled ELF executable.

Researchers have also recommended that Linux and Windows administrators keep their software and operating systems updated against known vulnerabilities, to avoid becoming victims of such attack campaigns. For your information, you can find out whether WatchBog has infected your Linux machine by checking for the existence of the "/tmp/.tmplassstgggzzzqpppppp12233333" file or the "/tmp/.gooobb" file on your system.
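The host check described above, turned into a small triage script as an added example (it is not from the article or from Intezer's research): it looks for the two marker files the article names and for crontab persistence entries that fetch from Pastebin, the download source the article describes. It assumes only POSIX sh and takes a path prefix so the same check can be run against a mounted disk image.

```shell
#!/bin/sh
# Added triage check for the WatchBog host indicators named in the article:
# the two /tmp marker files, crontab persistence and Pastebin-hosted downloads.
# Assumes only POSIX sh. ROOT is a path prefix (empty for the live system) so
# the check can also be pointed at a mounted disk image or a test tree.

# Marker files the article names (kept verbatim).
WATCHBOG_IOC_FILES="/tmp/.tmplassstgggzzzqpppppp12233333 /tmp/.gooobb"

# watchbog_check ROOT
# Prints one line per finding. Returns 1 if any indicator is present,
# 0 if the tree looks clean.
watchbog_check() {
    root="${1:-}"
    found=0
    for f in $WATCHBOG_IOC_FILES; do
        if [ -e "$root$f" ]; then
            echo "indicator file present: $root$f"
            found=1
        fi
    done
    # Persistence: cron entries that fetch a payload from Pastebin, the
    # download source the article describes for the miner and spreader.
    for cron in "$root/etc/crontab" "$root"/etc/cron.d/* \
                "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$cron" ] || continue
        if grep -qi 'pastebin' "$cron" 2>/dev/null; then
            echo "cron entry referencing pastebin: $cron"
            found=1
        fi
    done
    return "$found"
}

# Run against the live system when executed directly.
watchbog_check "" && echo "no WatchBog indicators found"
```

A hit on the cron check is a lead to inspect by hand, not proof of infection; the marker files are the stronger indicator.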