WatchBog is a recently discovered Linux malware variant that infects Linux servers and enrolls them in a cryptomining botnet. The latest build adds a new capability: once running on a compromised Linux server, it scans for Windows systems whose Remote Desktop (RDP) service is vulnerable to BlueKeep (CVE-2019-0708). The BlueKeep scanner module starts immediately after the malware launches and works through a list of IP addresses delivered by the command-and-control (C2) server, recording which hosts appear vulnerable. Researchers believe this list of exploitable machines is being built for later use, either by the WatchBog operator or for sale to a third party. This variant only scans for BlueKeep; it does not carry an exploit for it.

At the time of reporting the new variant went largely undetected by security software. BlueKeep is a wormable flaw: a working exploit could spread from one vulnerable RDP host to the next without user interaction, much as EternalBlue enabled WannaCry to spread in 2017. Besides the scanner, the WatchBog client carries five exploits for recently disclosed vulnerabilities in Jira (CVE-2019-11581), Exim (CVE-2019-10149), Solr (CVE-2019-0192), Jenkins (CVE-2018-1000861) and Nexus Repository Manager 3 (CVE-2019-7238), which it uses to compromise Linux servers in the first place.
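The behaviour described above, a Linux server that suddenly reaches out to many distinct hosts on TCP/3389 while it works through a C2-supplied target list, is something a defender can look for in flow or firewall logs. The following is an added detection example written for this page; it is not code from Intezer's analysis, from Bleeping Computer's report, or from the malware itself. It assumes a constructed NetFlow-style record format (`<iso-timestamp> <src> <dst> <dport> <proto>`) and hypothetical thresholds (20 distinct RDP targets within five minutes); the sample traffic and addresses are constructed for the example and are not indicators from the report.

```python
"""Flag Linux hosts fanning out to many distinct destinations on TCP/3389.

Added example for this page (not Intezer's or the malware's code). The flow
record format, thresholds and sample traffic below are all constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

RDP_PORT = 3389
# Hypothetical tuning values, not taken from the WatchBog analysis.
MIN_DISTINCT_DESTS = 20          # distinct RDP targets that count as scanning
WINDOW = timedelta(minutes=5)    # sliding window per source host

Flow = Tuple[datetime, str, str, int, str]  # (timestamp, src, dst, dport, proto)


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow record: '<iso-ts> <src> <dst> <dport> <proto>'.

    Returns None for blank or malformed lines so one bad record cannot abort
    the whole pass over a log file.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts_text, src, dst, dport_text, proto = parts
    try:
        return datetime.fromisoformat(ts_text), src, dst, int(dport_text), proto.lower()
    except ValueError:
        return None


def detect_rdp_fanout(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Return {source_ip: distinct TCP/3389 targets} for every source that
    reaches at least MIN_DISTINCT_DESTS distinct hosts inside one WINDOW."""
    flows = [f for f in map(parse_flow, lines) if f is not None]
    flows.sort(key=lambda f: f[0])                      # logs are rarely in order
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, Set[str]] = {}
    for ts, src, dst, dport, proto in flows:
        if proto != "tcp" or dport != RDP_PORT:
            continue                                    # only RDP matters here
        window = recent[src]
        window.append((ts, dst))
        while window and ts - window[0][0] > WINDOW:    # expire old events
            window.popleft()
        targets = {d for _, d in window}
        if len(targets) >= MIN_DISTINCT_DESTS:
            flagged.setdefault(src, set()).update(targets)
    return flagged


# Constructed sample traffic: a jump host (10.0.0.5) that legitimately RDPs to
# three admin workstations, and a Linux web server (10.0.0.20) that starts
# sweeping a /24 on TCP/3389. None of these addresses are real indicators.
SAMPLE_LOG: List[str] = [
    "2019-07-24T10:00:01 10.0.0.5 192.168.1.10 3389 tcp",
    "2019-07-24T10:00:30 10.0.0.5 192.168.1.11 3389 tcp",
    "2019-07-24T10:01:15 10.0.0.5 192.168.1.12 3389 tcp",
    "2019-07-24T10:02:00 10.0.0.20 198.51.100.7 443 tcp",
    "2019-07-24T10:02:05 10.0.0.20 198.51.100.8 80 tcp",
    "this line is malformed and must be skipped",
]
# A scanner working through a target list moves fast: 25 hosts in about two minutes.
SAMPLE_LOG += [
    f"2019-07-24T10:{3 + i // 12:02d}:{(i % 12) * 5:02d} 10.0.0.20 203.0.113.{i} 3389 tcp"
    for i in range(1, 26)
]


if __name__ == "__main__":
    for src, targets in detect_rdp_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {len(targets)} distinct hosts on TCP/{RDP_PORT}")
```

Run against the constructed log, only 10.0.0.20 is reported; the jump host stays below the threshold and the non-RDP and malformed records are ignored. On a real estate the same logic should be fed from the flow exporter or host firewall logs, and any Linux server that trips it deserves a look for the initial-access exploits listed above, since a Linux box has no business sweeping RDP.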

Technical Details and Reporting

  • For technical analysis and IOCs please review Intezer’s blog post.

  • Bleeping Computer provides further reporting here.