A new version of the WatchBog malware can scan Windows systems for the BlueKeep vulnerability, according to an Intezer Labs report.
Until now, the malware infected Linux-based servers using exploits for vulnerabilities in Jira, Exim, Nexus Repository Manager 3, ThinkPHP and Solr. “Among the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third party vendors for profit”, report Intezer Labs specialists.
BlueKeep affects Remote Desktop Services, formerly known as Terminal Services. The vulnerability requires neither authentication nor any user interaction. In other words, it is “worm-like”: it allows malware to spread from computer to computer on its own, just as WannaCry spread across the world in 2017.
The BlueKeep scanner included in WatchBog is a modified version of a scanner written in Python that detects the remote code execution vulnerability in RDP (CVE-2019-0708). Once running on an infected device, the scanner checks every IP address in the list it receives from the C&C server.
When the scan is complete, WatchBog sends the list of vulnerable hosts back to the C&C server. The researchers believe the attackers collect information about vulnerable systems for use in further attacks or for sale to third parties.
In addition to exploits for vulnerabilities in Jira, Exim, Nexus Repository Manager 3, Solr and Jenkins, the researchers found two modules for brute-forcing CouchDB and Redis installations and for remote code execution.
A detailed technical analysis of BlueKeep had previously been published on GitHub, along with incomplete PoC code for attacks on systems running Windows XP.
Prevention and Response
- We recommend updating your relevant software to its latest version.
- We suggest Windows users refer to Microsoft’s customer guidance in order to mitigate the BlueKeep vulnerability.
- We suggest that Linux users of Exim, Jira, Solr, Jenkins or Nexus Repository Manager 3 update to the latest versions.
- We suggest that Linux users of Redis or CouchDB ensure that no ports are exposed outside of trusted networks.
- We recommend that Linux users who suspect a WatchBog infection check for the presence of the “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file.
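The last two recommendations can be turned into a small host check. The script below is an added example, not part of the Intezer report or the WatchBog analysis; the indicator filenames are the ones quoted above, and the ports are the default ports of Redis (6379) and CouchDB (5984), which is an assumption if a deployment uses non-default ports.

```shell
# Added example: WatchBog host check for Linux, covering the indicator files
# named in the report and Redis/CouchDB listeners reachable from other hosts.
WATCHBOG_FILES="/tmp/.tmplassstgggzzzqpppppp12233333 /tmp/.gooobb"

# Print every indicator file that exists. Returns 1 if any were found and 0
# otherwise, so the exit status can drive an alert from a cron job.
# An optional argument overrides the file list (used by the self-test).
check_watchbog_files() {
  found=0
  for f in ${1:-$WATCHBOG_FILES}; do
    if [ -e "$f" ]; then
      echo "found: $f"
      found=1
    fi
  done
  return $found
}

# Read `ss -ltn` output on stdin and print each Redis (6379) or CouchDB (5984)
# listener whose local address is not loopback, i.e. a service that other
# hosts can reach. Default ports are assumed here.
find_exposed_listeners() {
  awk '$1 == "LISTEN" {
    n = split($4, a, ":"); port = a[n] + 0
    addr = substr($4, 1, length($4) - length(a[n]) - 1)
    if ((port == 6379 || port == 5984) && addr != "127.0.0.1" && addr != "[::1]")
      print $4
  }'
}

# Run both checks on the current host (ss is part of iproute2 on Linux).
scan_host() {
  check_watchbog_files || echo "WatchBog indicator file present"
  if command -v ss >/dev/null 2>&1; then
    ss -ltn | find_exposed_listeners
  fi
}
```

Source the script and call `scan_host`; any line it prints is either an indicator file or a Redis/CouchDB socket bound to a non-loopback address.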