Linux Botnet Adding BlueKeep-Flawed Windows RDP Servers to Its Target List

The Hacker News (thehackernews.com), Jul 25, 2019 - 9:38 a.m.

CVSS3: 9.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

EPSS: 0.974 High (Percentile 99.9%)

Tags: linux malware windows bluekeep

Cybersecurity researchers have discovered a new variant of WatchBog, a Linux-based cryptocurrency mining malware botnet, which now also includes a module to scan the Internet for Windows RDP servers vulnerable to the Bluekeep flaw.

BlueKeep is a highly critical, wormable, remote code execution vulnerability in Windows Remote Desktop Services that could allow an unauthenticated remote attacker to take full control of vulnerable systems just by sending specially crafted requests over the RDP protocol.

Though the patches for the BlueKeep vulnerability (CVE-2019-0708) were already released by Microsoft in May this year, more than 800,000 Windows machines accessible over the Internet are still vulnerable to the critical flaw.

Fortunately, even though many individuals in the security community have developed working remote code execution exploits for BlueKeep, no public proof-of-concept (PoC) exploit is available to date, which has so far kept opportunistic attackers from wreaking havoc.

However, cybersecurity firm Immunity just yesterday released an updated version of its commercial automated vulnerability assessment and penetration testing (VAPT) tool, CANVAS 7.23, which includes a new module for the BlueKeep RDP exploit.

It appears the attackers behind WatchBog are using their botnet network to prepare “a list of vulnerable systems to target in the future or to sell to third party vendors for profit,” warned the researchers from Intezer Lab, who discovered the new WatchBog variant.

> “The incorporation of the BlueKeep scanner by a Linux botnet may indicate WatchBog is beginning to explore financial opportunities on a different platform,” the researchers said.

The BlueKeep scanner included in WatchBog scans the Internet and then submits the list of newly discovered RDP hosts, as a hexadecimal data string encrypted using RC4, to the attacker-controlled servers.


According to the researchers, the new WatchBog variant has already compromised more than 4,500 Linux machines in the last two months.

Although WatchBog has been operating since late last year, attackers are distributing its new variant in an ongoing campaign active since early June this year.

The newly discovered WatchBog variant includes a new spreading module along with exploits for some recently patched vulnerabilities in Linux applications, allowing attackers to find and compromise more Linux systems rapidly.

The WatchBog Linux botnet malware contains several modules, summarized below, which leverage recently patched vulnerabilities in Exim, Jira, Solr, Jenkins, ThinkPHP and Nexus applications to compromise Linux machines.

Pwn Module

  • CVE-2019-11581 (Jira)
  • CVE-2019-10149 (Exim)
  • CVE-2019-0192 (Solr)
  • CVE-2018-1000861 (Jenkins)
  • CVE-2019-7238 (Nexus Repository Manager 3)

Scanning Module

  • BlueKeep Scanner
  • Jira Scanner
  • Solr Scanner

Brute-forcing Module

  • CouchDB instances
  • Redis instances

Spreading Module

  • Apache ActiveMQ (CVE-2016-3088)
  • Solr (CVE-2019-0192)
  • Code Execution over Redis

After the scanning and brute-forcing modules discover a Linux machine running a vulnerable application, WatchBog deploys a script on the targeted machine to download Monero miner modules from the Pastebin website.

The malicious script then also gains persistence on the infected system via crontab and further downloads a new spreader module, which comes in the form of a dynamically linked Cython-compiled ELF executable.

Researchers recommend that Linux and Windows administrators keep their software and operating systems up to date against known vulnerabilities in order to avoid becoming victims of such attack campaigns.

You can check whether WatchBog has infected your Linux machine by looking for the “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file on your system.
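As an added example that is not part of the article or of Intezer's write-up, the following POSIX shell check looks for the two /tmp marker files named above and, as an extra heuristic of my own, for crontab entries that fetch from pastebin.com, since the article states the dropper pulls the miner from Pastebin and persists via crontab. The crontab locations and the Pastebin heuristic are assumptions; the optional root prefix lets the check run against a mounted disk image instead of the live host.

```shell
#!/bin/sh
# Added example (not from the article or Intezer): host check for the WatchBog
# indicators the article names, plus an assumed crontab/Pastebin heuristic.
# $1 is an optional root prefix (e.g. a mounted image); empty means live host.
watchbog_indicators() {
    root="${1:-}"
    found=0
    # Marker files named in the article.
    for f in /tmp/.tmplassstgggzzzqpppppp12233333 /tmp/.gooobb; do
        if [ -e "$root$f" ]; then
            echo "INDICATOR: WatchBog marker file present: $root$f"
            found=1
        fi
    done
    # Assumed heuristic: persistence entries that download from pastebin.com.
    # Crontab locations cover common Debian/RHEL layouts (assumption).
    for c in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$c" ] || continue
        if grep -qi 'pastebin\.com' "$c"; then
            echo "INDICATOR: cron entry fetching from pastebin.com in $c"
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "No WatchBog indicators found under '${root:-/}'"
    fi
    return "$found"   # 0 = clean, 1 = at least one indicator
}

# Run directly with: sh watchbog_check.sh --scan [ROOT]
if [ "${1:-}" = "--scan" ]; then
    watchbog_indicators "${2:-}"
fi
```

A non-zero exit status means at least one indicator was found, so the function can be wired into a monitoring job directly.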
