The cryptojacking operations of WatchDog included steganography

July 25, 2022
Cryptojacking Cyberattack WatchDog Threat Group Steganography XMRig Cryptocurrency Hacking

The WatchDog threat group has been recently observed by researchers hijacking several cryptocurrency wallets, also adding steganography in its attacks.

Based on reports, the malicious threat group’s cryptocurrency hijacking (cryptojacking) operation leverage the unique steganography strategy for malware propagation and other compromises.

Additionally, the researchers noticed that the XMRig miner was spoofed as an image and stored on compromised cloud storage. Analysts later confirmed this storage to be the Alibaba Object Storage Service.

This technique allowed the malicious threat group to maintain its obfuscation and to obtain low detection rates while conducting their cryptojacking operation.


Watchdog’s steganography used a tool to execute its commands.


Some of the samples analysed by the researchers revealed that WatchDog’s steganography downloader utilised a tool called “dd command line utility.” The device allegedly could specify block sizes for input and output. Moreover, the tool allowed the threat actors to design malware with bash code or ELF binaries attached at the end of the image file mentioned earlier.

Subsequently, the attached XMRig payload is coded in different contents, one being in Chinese. The group utilised several scanners like masscan, using Redis SCAN to leverage the Alibaba OSS buckets flaw and propagate the malware.

Furthermore, numerous reports suggest that WatchDog uses several tricks, techniques, and procedures from another malicious group called TeamTNT.

In one of the recently examined cryptojacking campaigns, WatchDog had attacked exposed Docker API endpoints and Redis servers to turn from infected devices to the entire network immediately.

Furthermore, the threat actors utilised timestamping and process hiding procedures to obfuscate abusive tools for scanning poorly configured Redis databases.

Most of the scripts used by the malicious gang in their attacks overlapped with TeamTNT. Researchers quickly identified that the logos and ASCII code for the infrastructure are both present in TeamTNT and WatchDog.

Researchers noted that WatchDog’s usage of steganography strategy and impacted cloud store appears to be more potent in attacking targets. Steganography is a well-known strategy for bypassing detections; however, its combination with compromised cloud storage systems can soon provide its operators with more scalable cryptojacking operations.

About the author

Leave a Reply