IS experts discover BlueKeep vulnerability scanner in WatchBog cryptominer: how to prevent it?

The new version of the WatchBog malware is able to scan for Windows systems vulnerable to BlueKeep, according to an Intezer Labs report.

In the past, the malware infected Linux-based servers using exploits for vulnerabilities in Jira, Exim, Nexus Repository Manager 3, ThinkPHP and Solr.

“Among the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third party vendors for profit,” Intezer Labs specialists report.

BlueKeep affects Remote Desktop Services, formerly known as Terminal Services. Exploiting the vulnerability requires neither authentication nor any user interaction. In other words, it is “wormable”: it allows malware to spread from computer to computer on its own, just as WannaCry spread throughout the world in 2017.

The BlueKeep scanner included in WatchBog is a modified version of a scanner written in Python, designed to find the remote code execution vulnerability in RDP (CVE-2019-0708). After running on an infected device, the scanner checks every IP address on a list received from the C&C server.

When the scan is complete, WatchBog sends the list of vulnerable hosts back to the C&C server. Researchers believe that the attackers collect information about vulnerable systems for use in further attacks or for sale to third parties.

In addition to exploits for vulnerabilities in Jira, Exim, Nexus Repository Manager 3, Solr and Jenkins, experts found two modules that brute-force CouchDB and Redis installations and then achieve remote code execution on them.

Previously, a detailed technical analysis of BlueKeep was published on GitHub, along with incomplete PoC code for attacks on systems running Windows XP.

Prevention and Response

  • We recommend updating the relevant software to its latest version.
  • We suggest that Windows users follow Microsoft’s customer guidance to mitigate the BlueKeep vulnerability.
  • We suggest that Linux users who run Exim, Jira, Solr, Jenkins or Nexus Repository Manager 3 update to the latest versions.
  • We suggest that Linux users who run Redis or CouchDB make sure no ports are exposed outside of trusted networks.
  • We recommend that Linux users who suspect a WatchBog infection check for the existence of the “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file.
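The following script is an added example for the last two recommendations; it is not part of the article or of Intezer’s report. It checks for the two file-path indicators the article lists and, for the Redis/CouchDB advice, parses /proc/net/tcp (Linux only) to report any listener on the default Redis (6379) and CouchDB (5984) ports that is bound to a non-loopback address. The port numbers are the stock defaults and the /proc/net/tcp sample is constructed; adjust both to your own deployment.

```python
"""Host check for the WatchBog indicators and the Redis/CouchDB exposure advice.

Added example, not the article's or Intezer's code. Linux only (reads
/proc/net/tcp); IPv4 listeners only.
"""
import os
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# File paths the article quotes as WatchBog indicators of compromise.
WATCHBOG_IOC_FILES = [
    "/tmp/.tmplassstgggzzzqpppppp12233333",
    "/tmp/.gooobb",
]

# Default service ports (assumption: stock installs; change for your setup).
DEFAULT_PORTS: Dict[int, str] = {6379: "Redis", 5984: "CouchDB"}

LISTEN_STATE = "0A"  # TCP_LISTEN as printed in the 'st' column of /proc/net/tcp


def find_ioc_files(paths: Iterable[str] = WATCHBOG_IOC_FILES,
                   exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the IoC paths that exist on this host.

    `exists` is injectable so the check can be tested without touching disk.
    """
    return [p for p in paths if exists(p)]


def _decode_addr(hex_addr: str) -> Tuple[str, int]:
    """Decode a /proc/net/tcp address field such as '0100007F:1F90'.

    The IPv4 part is the kernel's 32-bit value printed in host byte order, so
    on little-endian machines (x86, most ARM) the bytes are reversed.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def parse_listeners(proc_net_tcp: str) -> List[Tuple[str, int]]:
    """Return (ip, port) for every LISTEN socket in /proc/net/tcp text."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        if fields[3] == LISTEN_STATE:
            listeners.append(_decode_addr(fields[1]))
    return listeners


def exposed_services(listeners: Iterable[Tuple[str, int]],
                     ports: Dict[int, str] = DEFAULT_PORTS) -> List[Tuple[str, int, str]]:
    """Return listeners on watched ports that are reachable beyond loopback."""
    hits = []
    for ip, port in listeners:
        if port in ports and not ip.startswith("127."):
            hits.append((ip, port, ports[port]))
    return hits


def check_host() -> Dict[str, list]:
    """Run both checks against the live system (Linux)."""
    with open("/proc/net/tcp") as fh:
        listeners = parse_listeners(fh.read())
    return {
        "ioc_files": find_ioc_files(),
        "exposed": exposed_services(listeners),
    }


# Constructed sample: Redis on all interfaces (0x18EB = 6379), CouchDB on
# loopback only (0x1760 = 5984), sshd on all interfaces, one established socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:18EB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1760 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1F90 0100007F:B5A2 01 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 20 4 30 10 -1
"""


if __name__ == "__main__":
    for ip, port, name in exposed_services(parse_listeners(SAMPLE_PROC_NET_TCP)):
        print(f"[sample] {name} on {ip}:{port} is reachable beyond loopback")
    if os.path.exists("/proc/net/tcp"):
        print(check_host())
```

On the constructed sample only the Redis listener is reported, because CouchDB is bound to 127.0.0.1. A hit does not by itself mean the port is reachable from the internet (a host firewall or upstream filtering may block it), but it is the condition under which the article’s advice applies; IPv6 listeners live in /proc/net/tcp6 and are not covered here.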
About the author

Brendan Smith

Cybersecurity analyst with 15+ years digging into malware and threats, from early days reverse-engineering trojans to leading incident responses for mid-sized firms.

At Gridinsoft, I handle peer-reviewed breakdowns of stuff like AsyncRAT ransomware—last year, my guides helped flag 200+ variants in real scans, cutting cleanup time by 40% for users. Outside, I write hands-on tutorials on howtofix.guide, like step-by-step takedowns of pop-up adware using Wireshark and custom scripts (one post on VT alternatives got 5k reads in a month).

Certified CISSP and CEH, I’ve run webinars for 300+ pros on AI-boosted stealers—always pushing for simple fixes that stick, because nobody has time for 50-page manuals. Tools of the trade: Splunk for hunting, Ansible for automation, and a healthy dose of coffee to outlast the night shifts.
