The hacking group that goes by the name WatchDog is now conducting a brand new cryptojacking campaign, featuring advanced techniques in worm-like propagation, intrusion, and evasive manoeuvres to avoid alerting cybersecurity software.
The group is known for targeting compromised Redis servers and Docker Engine application programming interface (API) endpoints, and has the capacity to swiftly pivot from a single exposed machine to the whole network to which it is connected.
The aim of the threat group is to generate profits through the mining of cryptocurrency, helped by making use of servers with weak security. Recently, Cado Labs researchers uncovered an all-new hacking campaign, and after an analysis of the threat operator’s distinctive tactics, the team are confident that the WatchDog hacking group is behind it.
How the cryptojacking attacks works
The threat group launches its attacks by compromising Docker Engine API endpoints that are incorrectly configured with an open 2375 port, which delivers access to the daemon located under the default settings.
Once in, WatchDog can itemise or alter containers and then run shell commands of its choice on them. The initial shell script run by the hackers is “cronb.sh”. This checks out the host’s infection status and lists processes before fetching the second-stage payload script “ar.sh”.
This script employs command hijacking allowing hackers to execute a shell script that hides processes from users and security software. Additionally, the script performs timestamp manipulation on the shell execution logs to fool forensic experts.
This payload also includes a remover for Alibaba Cloud Agent that can disable security systems on a specific cloud service.
An XMRig miner-type payload is also launched on the vulnerable machine, and a system service unit is included to provide persistence capabilities. However, for all these steps to be successful, the leveraged user account must possess root privileges that the hackers can take advantage of.
The next payload deployed incorporates masscan, pnscan, and zgrab, to search networks for pivoting points that are valid before downloading the last two scripts that facilitate propagation, “d.sh” and “c.sh”.
These scripts are stored in a new directory marked “…” making it easy to miss during an inspection, as it looks like the alias used for the parent directory.
The “c.sh” script disables SELinux and then configures “iptables” and “ulimit”, establishing communication with any Redis servers on the network while simultaneously cutting all access from beyond the system.
The “d.sh” script works similarly but targets other Docker Engine API endpoints instead of Redis servers and infects them.
Evidence of WatchDog involvement
Several of the scripts utilised by WatchDog include references and logos of another hacking group called TeamTNT. This indicates that WatchDog most likely stole these tools from the rival.
Researchers studying the attack method over at Cado Labs have highlighted many strong points that resemble WatchDog’s cryptojacking campaign of 2021, like utilising the identical Monero wallet address for crypto mining, employing b2f628 type directory naming for URLs, the use of oracle zzhreceive[.]top domain and, for payload delivery, the use of 1.0.4.tar.gz.