A new attack campaign against Jira and Exim servers has been launched. Its purpose is to infect the targeted servers with the so-called Watchbog Linux Trojan. Infected hosts become part of a botnet that mines Monero cryptocurrency.
More about Watchbog Linux Trojan
The Watchbog malware campaign is targeted against Linux servers and is exploiting vulnerable software such as Jenkins, Nexus Repository Manager 3, ThinkPHP, and Linux Supervisord. The malicious campaign is also leveraging Exim and Jira vulnerabilities, such as CVE-2019-10149.
The latter is a critical security vulnerability in the Exim mail transfer agent (MTA) software. The flaw affects Exim versions 4.87 to 4.91 inclusive, and is described as improper validation of the recipient address in the deliver_message() function in /src/deliver.c, which could lead to remote command execution. The flaw enables attackers to execute commands as root.
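As an added example (not code from the article or from the Exim project), the following Python check reads the output of `exim -bV` and flags versions inside the 4.87 to 4.91 range the article names for CVE-2019-10149; the sample outputs are constructed, and a hit should be confirmed against the distribution's own advisory because vendors sometimes backport fixes without changing the version string.

```python
import re

# Version range the article gives as affected by CVE-2019-10149 (4.87 to 4.91 inclusive).
VULNERABLE_MIN = (4, 87)
VULNERABLE_MAX = (4, 91)

# Matches the first line printed by `exim -bV`, e.g. "Exim version 4.91 #1 built 12-Jun-2019".
_VERSION_RE = re.compile(r"Exim version (\d+)\.(\d+)")


def parse_exim_version(bv_output: str):
    """Return (major, minor) parsed from `exim -bV` output, or None if no version line is found."""
    m = _VERSION_RE.search(bv_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(version) -> bool:
    """True when the (major, minor) tuple lies inside the range named in the article.

    A True result means "check the vendor advisory", not "confirmed exploitable":
    distributions may ship a patched build that still reports a version in this range.
    """
    return VULNERABLE_MIN <= version <= VULNERABLE_MAX


def assess(bv_output: str) -> str:
    """Classify one host's `exim -bV` output as vulnerable-range, outside-range or unknown."""
    version = parse_exim_version(bv_output)
    if version is None:
        return "unknown"
    return "vulnerable-range" if is_vulnerable_version(version) else "outside-range"


# Constructed sample outputs for four hypothetical hosts (not taken from real systems).
SAMPLES = {
    "host-a": "Exim version 4.91 #1 built 12-Jun-2019\nCopyright (c) University of Cambridge, 1995 - 2018",
    "host-b": "Exim version 4.92 #3 built 01-Jul-2019",
    "host-c": "Exim version 4.86_2 #1 built 05-Mar-2016",
    "host-d": "bash: exim: command not found",
}

if __name__ == "__main__":
    for host, output in SAMPLES.items():
        print(f"{host}: {assess(output)}")
```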
At least 1,610,000 Exim servers vulnerable to the attack
A Shodan search indicates that there are at least 1,610,000 vulnerable Exim servers that are endangered by this attack. In addition, a total of 54,000 Atlassian Jira servers are also vulnerable, as indicated by BinaryEdge data.
The Watchbog attack can be quite damaging, as the current variant is detected by only 2 VirusTotal engines.
The end goal of the attack is to drop a Monero crypto miner. The malware also gains persistence on infected hosts, which makes it very difficult to remove. Once the vulnerable servers are breached, the Watchbog malware launches the Monero cryptocurrency miner payload.
This variant of Watchbog is also using the minexmr.com mining pool, as did its previous versions.
What is most notable about this version of the malware is that the malicious script it uses to drop the crypto miner on compromised Linux servers also includes a contact note. This is what the note states:
#This is the Old-ReBuild Lady job copy
# The goal of this campaign is as follows;
# – To keep the internet safe.
# – To keep them hackers from causing real damage to organisations.
# – We know you feel We are a potential threat, well We ain’t.
# – We want to show how tiny vulns could lead to total disaters.
# – We know you feel We are Hypocrite’s, because we mine. Well if we don’t how the hell we gonna let you know we are in.
# – Please We plead to evey one out there don’t sabotage this campaign (We want to keep the internet safe).
# – Sometimes you gotta break the rules to make them.
#1) We only Wanna Mine.
#2) We don’t want your data, or anything or even a ransom.
#3) Please if you find this code, don’t post about it.
#4) We make your security better by breaking it.
#1) If your server get’s infected:
# – We will provide cleanup script.
# – We will share source of entry into your servers and patch (surely).
# – Please if you contacting, please send your affected server’s ip and services your run on the server.
# – lets talk jeff4r-partner[@]tutanota.com or jeff4r-partner[@]protonmail.com
#2) If you want to partner with us ?.
# – Well nothing to say.
#1) We don’t have access to Jeff4r190[@]tutanota.com anymore.