Windows, Linux Devices Hijacked In Two-Year Cryptojacking Campaign


The WatchDog malware has flown under the radar for two years in what researchers call one of the ‘largest’ Monero cryptojacking attacks ever.

Cryptocurrency-mining malware, called WatchDog, has been running under the radar for more than two years – in what researchers call one of the largest and longest-lasting Monero cryptojacking attacks to date.


The attack is still in operation as of this writing – and due to the size and scope of the infrastructure, it will be difficult to fully contain, researchers told Threatpost. Thus far, attackers have hijacked at least 476 Windows and Linux devices, in order to abuse their system resources for mining Monero cryptocurrency.

Right now, the attackers behind this campaign are sticking to cryptojacking – but researchers warn that it is “highly likely” they could find identity and access management (IAM) data on previously-compromised cloud systems, due to the root and administrative access that’s acquired during the malware implantation. This could open the door for future – and more dangerous – attacks.

“It is clear that the WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding their mining operations,” said researchers with Palo Alto Networks on Wednesday. “While there is currently no indication of additional cloud compromising activity at present (i.e. the capturing of cloud platform identity and access management credentials, access ID or keys), there could be potential for further cloud account compromise.”

How Much Money Does Cryptomining Malware Make? 

The attack is a prime example of cryptojacking, which is when attackers leverage malicious cryptomining for financial profit. They do so by hacking into devices to install software, which then uses the devices’ power and resources to mine for cryptocurrencies or to steal cryptocurrency wallets owned by the victims.

Since it launched on Jan. 27, 2019, the WatchDog mining operation has collected at least 209 Monero cryptocurrency coins (XMR) – which is currently valued at $32,056. While this figure appears to be relatively low, the important piece of cryptojacking operations is not the immediate market price, but the total XMR mined, Nathaniel Quist, senior cloud threat researcher for Unit 42 at Palo Alto Networks, told Threatpost.

At the time of writing the research, the market price for Monero was $153. But, just within the last 24 hours, the market price of XMR has soared to $254, Quist explained – so as of Wednesday, WatchDog has actually collected $53,086.

“In the past, we have seen dramatic swings in cryptocurrency valuations,” Quist told Threatpost. “Depending upon the market price over the next months, we could see cryptocurrency market prices touch the record highs that were seen back in early 2018, where Monero was valued at $469. If that were the case, WatchDog could increase its value total to $98,021 without mining another coin, making it a very profitable mining operation.”

WatchDog Malware: Go Binaries Drive Functionality

Researchers said the WatchDog mining malware is composed of a three-part Go language binary set and a bash or PowerShell script file. Go, an open-source programming language, has previously been used by cybercriminals in various cryptojacking attacks, including TeamTNT and the developers of ElectroRAT.

WatchDog’s Go binaries each perform a specific functionality – including one that emulates the Linux watchdog daemon functionality (hence the name of the malware, WatchDog) by ensuring that the mining process does not overload or stop unexpectedly. The watchdog daemon’s functionality is to open the device and provide a necessary refresh to keep the system from resetting. For example, it can test process table space, memory usage and running processes.

“WatchDog’s usage of Go binaries allows it to perform the stated operations across different operating systems using the same binaries… as long as the Go Language platform is installed on the target system,” said researchers.

The Go binaries include a network scanner and exploitation binary (networkmanager), a process monitoring binary (phpguard), and a version of the malicious XMRig cryptomining software (phpupdate).
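As a first-pass host triage for the three binary names listed above, the following added example (not code from Threatpost or Unit 42) parses a Linux process listing and flags exact, case-sensitive name matches. The `ps` output, PIDs and paths are constructed sample data, and the function names are hypothetical; note that the legitimate Linux service is spelled `NetworkManager`, so a case-insensitive match would raise false positives.

```python
import os

# Binary names and roles as reported in the article.
WATCHDOG_BINARIES = {
    "networkmanager": "network scanner and exploitation",
    "phpguard": "process monitoring",
    "phpupdate": "XMRig-based miner",
}

# Constructed `ps -eo pid,user,args` output, for illustration only.
SAMPLE_PS = """\
  PID USER     COMMAND
  612 root     /usr/sbin/NetworkManager --no-daemon
  987 www-data php-fpm: pool www
 4021 root     /tmp/example/phpguard
 4022 root     /tmp/example/phpupdate
 4100 root     ./networkmanager
"""

def triage(ps_output):
    """Return processes whose executable basename matches a reported name."""
    hits = []
    for line in ps_output.splitlines()[1:]:      # skip the header row
        parts = line.split(None, 2)              # pid, user, full command line
        if len(parts) < 3:
            continue
        pid, user, args = parts
        exe = os.path.basename(args.split()[0])
        role = WATCHDOG_BINARIES.get(exe)        # case-sensitive on purpose
        if role:
            hits.append({"pid": int(pid), "user": user, "name": exe, "role": role})
    return hits

def summarize(hits):
    """Condense hits into what a responder needs before acting."""
    present = {h["name"] for h in hits}
    return {
        "names_present": sorted(present),
        # The process-monitoring binary is reported separately from the miner,
        # so record whether it is running before touching the miner alone.
        "monitor_running": "phpguard" in present,
        "root_owned_pids": sorted(h["pid"] for h in hits if h["user"] == "root"),
    }

if __name__ == "__main__":
    found = triage(SAMPLE_PS)
    for h in found:
        print(h)
    print(summarize(found))
```

A name match is only a lead, since binaries can be renamed; confirm with file hashes and network indicators from the original research before concluding a host is infected.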

The WatchDog Cryptojacking Campaign: Windows and Linux OS Under Attack

The initial attack vector stems from the networkmanager binary. When the binary identifies a vulnerable target, it attempts to compromise that identified system using a robust set of built-in application exploits.

Specifically, networkmanager comes loaded with 33 exploits, 32 individual remote code execution (RCE) functions and several shell grab functions. For instance, it scans for applications such as Elasticsearch servers that are vulnerable to CVE-2015-1427 and CVE-2014-3120 and Oracle WebLogic Servers vulnerable to CVE-2017-10271.

For context, this is a significant number of exploits when compared to other miners – such as the Smominru cryptocurrency miner, which operated from 2017 to 2018 and collected nearly 9,000 XMR, said Quist. Unlike Smominru’s two exploits, WatchDog’s numerous exploits and RCE functions “make it better at compromising exposed systems,” he told Threatpost.

WatchDog Compared to Graboid Cryptomining Malware

Of note, WatchDog is stealthier than other cryptomining malware, such as the wormable Monero mining malware Graboid. Discovered last year, Graboid was the largest known mining operation to date in terms of the total number of active systems.

During the time of its operation, Graboid consisted of at least 2,000 exposed and compromised Docker Daemon API systems, and researchers said the malware could have also achieved “higher processing speeds” due to the configuration script utilizing all available container central processing units (CPUs).

However, Graboid was only known to operate for up to three months before its Docker Hub images were removed. That’s because the malware relied on a third party (Docker Hub) to host its malicious payload – whereas WatchDog does not, allowing it to have remained active for more than two years, said researchers.

In fact, WatchDog has a fairly extensive infrastructure behind its mining operations, with researchers mapping out 18 root IP endpoints and seven malicious domains, which serve at least 125 malicious URL addresses used to download its toolset.

Cryptojacking: A Cyberattack on the Rise

WatchDog comes as the value of cryptocurrency has exploded, making cryptojacking a lucrative type of financial attack for cybercriminals. The XMR market value follows the cryptocurrency prices of Bitcoin – which as of Wednesday set a record high, topping $51,000.

XMR has subsequently increased in value from $153 on February 9 to $254 on Wednesday – approaching its highest-recorded value of $469.79 (set in January 2018), Quist told Threatpost.

“Cybercriminals are watching the market value of XMR,” Quist told Threatpost. “Over the last six months, Unit 42 researchers have seen a 40 percent increase in network traffic to public mining pools, which indicates that more mining operations are taking place. The trend of more XMR mining operations appears to be following the increasing market value price of XMR.”

This week, researchers with Kaspersky also found that distributed denial-of-service (DDoS) attacks dropped significantly at the end of 2020, down 31 percent in the fourth quarter, as cybercriminals switch their efforts to cryptomining. According to the analysis this week, cybercriminals began repurposing infected devices for cryptomining in response to rising cryptocurrency values.

One such recently discovered malware, dubbed Hildegard, was found being leveraged by the TeamTNT threat group to target Kubernetes clusters with cryptojacking attacks. In January, researchers also identified an updated malware variant used by the cybercrime gang Rocke Group that targets cloud infrastructures with cryptojacking attacks. And, in January, researchers dug up new discoveries surrounding a cryptomining operation, called MrbMiner, which was downloading a cryptominer on thousands of internet-facing SQL servers.
