
Rewterz Threat Alert – WatchBogMiner Targets Linux Servers’ RCE Vulnerabilities

Severity

Medium

Analysis Summary

The WatchBogMiner Trojan exploits remote code execution vulnerabilities in server components such as Nexus Repository Manager, Supervisord and ThinkPHP to take over Linux servers, installs several forms of persistence on the compromised machine, and then implants a Monero mining Trojan. Judging by the computing resources the Trojan consumes, tens of thousands of Linux servers are estimated to have been controlled by the attackers. To evade detection, the Trojan hosts its malicious code on the third-party site Pastebin and maintains persistence through several methods. It periodically pulls the mining Trojan and loads it into memory for execution, deleting the file from disk after startup so that no binary is left for scanners to find (its "stealth" behaviour). Like other mining Trojans, WatchBogMiner kills competing miners so that it has the server's resources to itself.

The exploited vulnerabilities include CVE-2019-7238 – Nexus Repository Manager 3 Remote Code Execution Vulnerability, CVE-2017-11610 – Supervisord Remote Command Execution Vulnerability and CVE-2018-20062 – ThinkPHP Remote Code Execution Vulnerability.
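The "load into memory, then delete the file" behaviour described above leaves a detectable trace on Linux: `/proc/<pid>/exe` of such a process is a symlink whose target ends in ` (deleted)`. The following is an added example of a host check for that condition; it is not code from Rewterz or from the malware analysis. The `build_demo_proc()` helper creates a constructed stand-in for `/proc` (PID 4242 and the path `/tmp/demo_miner` are hypothetical) so the check can be exercised offline; on a real host call `find_deleted_exe_processes()` with no argument, as root so that other users' processes are readable.

```python
import os
import tempfile


def find_deleted_exe_processes(proc_root="/proc"):
    """Return [(pid, exe_target, cmdline)] for every process whose executable
    no longer exists on disk, i.e. readlink(/proc/<pid>/exe) ends in ' (deleted)'.
    A binary unlinked after the process started is the in-memory execution
    pattern the advisory describes; legitimate causes (package upgrades that
    replaced a running daemon) exist, so treat hits as leads, not verdicts."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip 'self', 'sys', 'net', ...
            continue
        exe_link = os.path.join(proc_root, entry, "exe")
        try:
            target = os.readlink(exe_link)
        except OSError:
            # Kernel threads have no exe; other users' processes need root.
            continue
        if not target.endswith(" (deleted)"):
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").strip().decode(errors="replace")
        except OSError:
            cmdline = ""
        hits.append((int(entry), target, cmdline))
    return hits


def build_demo_proc():
    """Constructed fake /proc tree for offline testing (not a real host).
    PID 1 is an ordinary process; PID 4242 is a hypothetical process whose
    binary /tmp/demo_miner was removed after it started."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    samples = [
        (1, "/usr/lib/systemd/systemd", b"/sbin/init\0"),
        (4242, "/tmp/demo_miner (deleted)", b"/tmp/demo_miner\0--config\0demo.json\0"),
    ]
    for pid, exe, cmd in samples:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        os.symlink(exe, os.path.join(d, "exe"))   # dangling link is fine for readlink
        with open(os.path.join(d, "cmdline"), "wb") as fh:
            fh.write(cmd)
    os.makedirs(os.path.join(root, "self"))        # non-numeric entry, must be skipped
    return root


if __name__ == "__main__":
    # Run against the constructed tree; drop the argument to scan the live host.
    for pid, exe, cmd in find_deleted_exe_processes(build_demo_proc()):
        print(f"pid={pid} exe={exe} cmdline={cmd}")
```

A hit on a process that was started from `/tmp`, `/dev/shm` or a dot-directory, combined with sustained CPU use, is the combination worth escalating; a daemon whose package was upgraded since it started is the usual benign explanation.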

Impact

  • Unauthorized code execution
  • Excessive CPU power consumption
  • Possible denial of service

Indicators of Compromise

Domain Name

  • sadan666[.]xyz

MD5

  • 88b658853b9ececc48f5cac2b7b3f6f6
  • ad17226de6cc93977fb7c22c7a27ea8e

Source IP

  • 104[.]236[.]66[.]189

URL

  • https[:]//pastebin[.]com/raw/UhUmR517
  • https[:]//pastebin[.]com/raw/1eDKHr4r
  • https[:]//pastebin[.]com/raw/b5x1pRzK
  • http[:]//sadan666[.]xyz[:]9080/rr
  • https[:]//pastebin[.]com/raw/SjjWevTs
  • https[:]//pastebin[.]com/raw/tyjnTQTA
  • https[:]//pastebin[.]com/raw/SB0TYBvG
  • https[:]//pastebin[.]com/raw/Zkz0d9Jz
  • https[:]//pastebin[.]com/raw/mvSEGmR6

Remediation

  • Block the threat indicators at respective controls.
  • Keep all systems and software updated to the latest patched versions, in particular the Nexus Repository Manager, Supervisord and ThinkPHP components affected by the CVEs listed above.
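To act on the first remediation point, the indicators above have to be refanged (`[.]` and `[:]` restored) and matched against proxy, DNS and file-hash telemetry. The following is an added example of that matching, not code from Rewterz; the indicator table is copied verbatim from this advisory, while `SAMPLE_PROXY_LOG` is a constructed set of log lines (the timestamps and 10.0.0.x client addresses are invented) used only to exercise the matcher.

```python
import hashlib
import re

# Indicators exactly as published above, kept in their defanged form.
ADVISORY_IOCS = {
    "domain": ["sadan666[.]xyz"],
    "ip": ["104[.]236[.]66[.]189"],
    "url": [
        "https[:]//pastebin[.]com/raw/UhUmR517",
        "https[:]//pastebin[.]com/raw/1eDKHr4r",
        "https[:]//pastebin[.]com/raw/b5x1pRzK",
        "http[:]//sadan666[.]xyz[:]9080/rr",
        "https[:]//pastebin[.]com/raw/SjjWevTs",
        "https[:]//pastebin[.]com/raw/tyjnTQTA",
        "https[:]//pastebin[.]com/raw/SB0TYBvG",
        "https[:]//pastebin[.]com/raw/Zkz0d9Jz",
        "https[:]//pastebin[.]com/raw/mvSEGmR6",
    ],
    "md5": ["88b658853b9ececc48f5cac2b7b3f6f6", "ad17226de6cc93977fb7c22c7a27ea8e"],
}

# Constructed sample proxy log (not real traffic) for demonstration.
SAMPLE_PROXY_LOG = [
    "2020-07-24T10:01:02Z 10.0.0.12 GET https://pastebin.com/raw/UhUmR517 200",
    "2020-07-24T10:01:05Z 10.0.0.12 GET http://sadan666.xyz:9080/rr 200",
    "2020-07-24T10:02:11Z 10.0.0.31 GET https://pastebin.com/raw/notinlist 200",
    "2020-07-24T10:03:40Z 10.0.0.12 CONNECT 104.236.66.189:443 -",
    "2020-07-24T10:04:00Z 10.0.0.40 GET https://example.com/ 200",
]


def refang(indicator):
    """Undo the '[.]' / '[:]' defanging used in the advisory."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


def _compile_patterns(iocs):
    """Most specific first (URL, then domain, then IP). Domains and IPs are
    bounded so that 'notsadan666.xyz' does not match while 'www.sadan666.xyz'
    (a subdomain, preceded by a dot) still does."""
    patterns = []
    for kind in ("url", "domain", "ip"):
        for raw in iocs[kind]:
            expr = re.escape(refang(raw))
            if kind in ("domain", "ip"):
                expr = r"(?<![\w-])" + expr + r"(?![\w-])"
            patterns.append((kind, raw, re.compile(expr, re.IGNORECASE)))
    return patterns


def match_log_lines(lines, iocs=ADVISORY_IOCS):
    """Return (line_no, ioc_type, indicator) for each line that contains a
    network indicator; at most one hit per line, the most specific one."""
    patterns = _compile_patterns(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, raw, pat in patterns:
            if pat.search(line):
                hits.append((n, kind, raw))
                break
    return hits


def md5_hex(data):
    """MD5 of a byte string, for comparing a collected file against the list."""
    return hashlib.md5(data).hexdigest()


def is_known_md5(digest, iocs=ADVISORY_IOCS):
    """True if the digest is one of the advisory's file hashes."""
    return digest.lower() in iocs["md5"]


if __name__ == "__main__":
    for n, kind, raw in match_log_lines(SAMPLE_PROXY_LOG):
        print(f"line {n}: {kind} indicator {raw}")
```

Hashes and URLs are the weakest of these indicators (the operator can re-upload a new paste or recompile in minutes), so the domain and IP matches, together with the host-side deleted-executable check, are the ones worth keeping in a detection rule after the paste URLs have gone stale.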