Windows and Linux servers targeted by new WatchDog botnet for almost two years

WatchDog botnet uses exploits to take over servers and mine cryptocurrency.
Written by Catalin Cimpanu, Contributor

Due to the recent rise in cryptocurrency trading prices, most online systems these days are often under the assault of crypto-mining botnets seeking to gain a foothold on unsecured systems and make a profit for their criminal overlords.

The latest of these threats is a botnet named WatchDog. Discovered by Unit 42, a threat intelligence division at Palo Alto Networks, this crypto-mining botnet has been active since January 2019.

Written in the Go programming language, researchers say they've seen WatchDog infect both Windows and Linux systems.

The point of entry for their attacks has been outdated enterprise apps. According to an analysis of the WatchDog botnet operations published on Wednesday, Unit 42 said the botnet operators used 33 different exploits to target 32 vulnerabilities in software such as:

  • Drupal
  • Elasticsearch
  • Apache Hadoop
  • Redis
  • Spring Data Commons
  • SQL Server
  • ThinkPHP
  • Oracle WebLogic
  • CCTV (currently unknown if the target is a CCTV appliance or if there is another moniker "cctv" could stand for).

Based on details the Unit 42 team was able to learn by analyzing the WatchDog malware binaries, researchers estimated the size of the botnet to be around 500 to 1,000 infected systems.

Profits were estimated at 209 Monero coins, currently valued at around $32,000, but the real figure is believed to be much higher since researchers only managed to analyze a few binaries, and the WatchDog gang is thought to have used many more Monero addresses to collect their illegal crypto-mining funds.

No credentials theft observed

The good news for server owners is that WatchDog is not yet on par with recent crypto-mining botnets like TeamTNT and Rocke, which in recent months have added capabilities that allow them to extract credentials for AWS and Docker systems from infected servers.

However, the Unit 42 team warns that such an update is only a few keystrokes away for the WatchDog attackers.

On infected servers, WatchDog usually runs with admin privileges and could perform a credentials scan & dump without any difficulty, if its creators ever wished to.

To protect their systems against this new threat, the advice for network defenders is the same that security experts have been giving out for the past decade — keep systems and their apps up to date to prevent attacks using exploits for old vulnerabilities.

Editorial standards