Summary
Watchbog is a crytomining malware which uses Bluekeep vulnerability to infect Linux machines.
Capabilities
- Exploit
- Information Theft
- Persistence
Symptoms
- High CPU Usage
- Continuous Detection of PUA.Linux.ZYX.USELVES19
Analysis
Based on research, main malware is (26ebeac4492616baf977903bb8deb7803bd5a22d8a005f02398c188b0375dfa4)
After running crontab -l, suspicious entries were found
Here are the full details of the location.
/var/spool/cron/root
/var/spool/cron/crontabs/root
/etc/cron.d/apache
/etc/cron.d/system
/etc/cron.d/root
Full code from "LaunchString" shows the following:
Indicators of Compromise
| Detections | IOC |
|---|---|
| TROJ_FRS.VSNTGQ19 | 1db603370e30234ca2cbd5cd84f5683f76f21513 |
| Coinminer.Linux.MALXMR.UWEKF | 9e6634a0990b85bce93662a044aff6660cb46ac6 |
| Trojan.Linux.GAFGYT.USELVEI19 | /tmp/.tmpdropoff/rig.tar.xz(rig.tar(xmr-stak-linux-2.10.3-cpu/xmr-stak)) |
| PUA.Linux.ZYX.USELVES19 | /tmp/.tmpdropoff/rig.tar.gz(NONAMEFL(xmrig-2.14.1/xmrig)) |
Details
Solutions Available
| TM Detection | OPR |
|---|---|
| TROJ_FRS.VSNTGQ19 | 15.617.00 |
| Coinminer.Linux.MALXMR.UWEKF | 15.606.04 |
| Trojan.Linux.GAFGYT.USELVEI19 | 15.119.00 |
| PUA.Linux.ZYX.USELVES19 | 15.139.00 |
Manual clean-up process:
- Delete the running process. You can use the command "ps aux" and look for the entry like below:
then kill it using process ID:
kill -9 <Process ID>
Note that if watchbog is still running, delete the process as well.
- Overwrite/clean the cron tabs. Use any of the following:
- crontab -e
- echo " " > <crontab location> (Note that this will overwrite.)
- vi <crontab location>
Make sure to delete only the malware crontab. Sometimes, users have crontabs for their application and deleting/overwriting it without permission may cause app instability.
Recommendations
- Blocking of Pastebin if it is not used
- Deep Discovery Inspector: Rule 2899: CVE-2018-1000861 - JENKINS - HTTP (Request)
- Watchbog Patching: Jenkins Security Advisory 2018-12-05
