Docker cryptojacking attack is the newest WatchDog gang operation

June 10, 2022

The WatchDog cybercriminal group is running a new cryptojacking campaign that combines worm-like propagation, defence evasion, and intrusion techniques. Its targets are exposed Redis servers and Docker Engine API endpoints.

The group can pivot quickly from a single infected host to the rest of the network. Its objective is profit: mining cryptocurrency on the computing resources of unsecured servers.

Researchers attribute this campaign to WatchDog with high confidence because the tooling and tactics match the group's earlier operations.

WatchDog uses misconfigured Docker Engine API endpoints to initiate cryptojacking attacks.

According to the reports, WatchDog launches the attack through misconfigured Docker Engine API endpoints: daemons that listen on TCP port 2375 without TLS or authentication. Because the API on that port is unauthenticated by default, anyone who can reach it gets full control of the daemon.

From there, WatchDog can list or modify containers and run arbitrary shell commands through the engine. The first shell script it runs is cronb[.]sh, which checks whether the target is already infected, retrieves the second-stage payload ar[.]sh, and lists running processes.
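As an added example (not code from the article or from WatchDog's tooling), the following Python script audits the configuration that produces such an endpoint. It collects every listen address from the daemon.json "hosts" key and from -H/--host flags on the dockerd command line, and flags any TCP listener that is not protected by --tlsverify; a hardened configuration (TLS client verification on port 2376, bound to one address) is shown beside the weak one. The function names and the sample configurations are this example's own.

```python
# Added example: audit a Docker daemon configuration for an exposed Engine API.
# Not code from the article or from WatchDog; function names and sample
# configurations are this example's own.
import json
from urllib.parse import urlparse

# By convention 2375 is the plaintext Docker API port and 2376 the TLS port.
PLAINTEXT_PORT = 2375


def listeners(daemon_json, dockerd_argv):
    """Every listen address from daemon.json "hosts" plus -H/--host flags."""
    hosts = list(daemon_json.get("hosts", []))
    args = iter(dockerd_argv)
    for arg in args:
        if arg in ("-H", "--host"):
            hosts.append(next(args, ""))
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
    return hosts


def tls_enforced(daemon_json, dockerd_argv):
    """True only when client certificates are verified (tlsverify).
    'tls': true on its own encrypts the channel but still lets anyone connect."""
    if daemon_json.get("tlsverify") is True:
        return True
    return any(a in ("--tlsverify", "--tlsverify=true") for a in dockerd_argv)


def audit(daemon_json, dockerd_argv):
    """Return findings as strings; an empty list means no TCP exposure found."""
    findings = []
    verified = tls_enforced(daemon_json, dockerd_argv)
    for h in listeners(daemon_json, dockerd_argv):
        u = urlparse(h)
        if u.scheme != "tcp":
            continue  # unix:// and fd:// sockets are reachable only locally
        host = u.hostname or ""
        where = "all interfaces" if host in ("", "0.0.0.0", "::") else host
        if not verified:
            findings.append(f"{h}: TCP listener without --tlsverify ({where})")
        elif u.port == PLAINTEXT_PORT:
            findings.append(f"{h}: TLS enforced but on the plaintext port {PLAINTEXT_PORT}")
    return findings


# Constructed sample configurations, not captured from any real host.
WEAK_JSON = json.loads(
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
HARDENED_JSON = json.loads('''{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}''')

if __name__ == "__main__":
    print("weak:", audit(WEAK_JSON, ["dockerd"]))
    print("hardened:", audit(HARDENED_JSON, ["dockerd"]))
```

On a real host, feed the script the parsed /etc/docker/daemon.json and the argv of the running dockerd (for example from /proc/<pid>/cmdline); note that "tls": true without "tlsverify" only encrypts the connection and still admits any client, which is why the check insists on tlsverify.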

The second script hijacks the ps command to run a process-hiding shell script, and it alters the timestamps on its shell execution logs to mislead any analyst who later examines the host.

The chosen payload includes a remover for the Alibaba Cloud agent, which disables the cloud provider's security tooling on the host. Finally, an XMRig miner payload is launched on the infected device, and the actors install a system service to establish persistence.

The third-stage payload bundles masscan, pnscan, and zgrab to scan the network for possible pivot points, and downloads the last two scripts, c[.]sh and d[.]sh, which handle propagation.

The threat actors store these in a newly created directory named “…”, which is easy to miss because it looks like the parent-directory alias “..” in a listing; an analyst inspecting the host manually is likely to overlook it.
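As an added example (not code from the article or from WatchDog's tooling), here are two host checks for the evasion tricks described above: the hijacked ps that hides the miner, and the dot-named directory that blends in with “.” and “..”. A hijacked ps binary cannot remove a process's /proc/<pid> directory, so the first check diffs the PIDs in /proc against the PIDs ps reports; the second flags directory entries whose names consist only of dots, ellipsis characters or whitespace. The function names and the sample data are this example's own.

```python
# Added example: two host checks for the evasion tricks described above.
# Not code from the article or from WatchDog; function names and sample data
# are this example's own.
import os
import re
import subprocess

PID_RE = re.compile(r"\s*(\d+)(\s|$)")


def proc_pids(proc_entries):
    """PIDs visible in /proc: every purely numeric entry name."""
    return {int(e) for e in proc_entries if e.isdigit()}


def ps_pids(ps_output):
    """PIDs from 'ps -eo pid=,comm=' style output (first column numeric)."""
    pids = set()
    for line in ps_output.splitlines():
        m = PID_RE.match(line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def hidden_processes(proc_entries, ps_output):
    """PIDs present in /proc but missing from ps: a hijacked ps hides the miner,
    but the kernel still exposes its /proc/<pid> directory."""
    return sorted(proc_pids(proc_entries) - ps_pids(ps_output))


def live_hidden_processes():
    """Run the check on this host. Processes that start or exit between the
    /proc listing and the ps call show up as false positives, so take two
    snapshots and keep only the PIDs reported by both."""
    def snapshot():
        entries = os.listdir("/proc")
        ps = subprocess.run(["ps", "-eo", "pid=,comm="], capture_output=True,
                            text=True, check=True).stdout
        return set(hidden_processes(entries, ps))
    return sorted(snapshot() & snapshot())


DOT_LIKE = ".\u2026"  # ASCII dot and the Unicode ellipsis character


def suspicious_names(names):
    """Directory entries made only of dots, ellipses or whitespace, other than
    '.' and '..': in an 'ls -la' listing they blend in with those two aliases."""
    return [n for n in names
            if n not in (".", "..") and n
            and all(c in DOT_LIKE or c.isspace() for c in n)]


# Constructed sample data (not from a real host).
SAMPLE_PROC = ["1", "2", "1234", "4321", "self", "cpuinfo", "meminfo"]
SAMPLE_PS = "      1 systemd\n      2 kthreadd\n   1234 bash\n"
SAMPLE_DIR = ["bin", ".", "..", "...", ".hidden", " ", "\u2026"]

if __name__ == "__main__":
    print("hidden PIDs:", hidden_processes(SAMPLE_PROC, SAMPLE_PS))
    print("suspicious names:", suspicious_names(SAMPLE_DIR))
```

For the directory check, walk the filesystem with os.walk and pass each directory's entries to suspicious_names; a hit such as a “...” directory under /tmp or a web root is worth a look at its contents and timestamps, bearing in mind that the article notes the actors also manipulate timestamps, so mtime alone is not trustworthy evidence.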
