Cryptocurrency mining is once again at its peak. WatchDog, a mining malware family that has been around for at least a couple of years, is one of the largest and longest-lasting Monero-mining operations so far. The operation is ongoing, and due to its size, it is challenging to encompass it, Unit 42 (Palo Alto Networks) researchers said.
The operation is called WatchDog, taken from the name of a Linux daemon called watchdogd. The WatchDog mining operation has been running since Jan. 27, 2019, and has collected at least 209 Monero (XMR), valued at around $32,056 USD. Researchers have determined that at least 476 compromised systems, composed primarily of Windows and NIX cloud instances, have been performing mining operations at any one time for over two years, the report noted.
WatchDog Monero Miner: Some Technical Details
- Composed of a three-part Go Language binary set and a bash or PowerShell script file;
- Each binary performs a specific functionality;
- The mining operation is initiated by the third Go binary on either Windows or NIX OS.
“WatchDog’s usage of Go binaries allows it to perform the stated operations across different operating systems using the same binaries, i.e. Windows and NIX, as long as the Go Language platform is installed on the target system,” the Unit42 team added.
The WatchDog mining operation appears to be in the hands of capable coders, given that it has flown under the radar for so long. The researchers warn that cloud account compromise activity could be added to the operation, as the threat actors could easily discover IAM-related details on the already affected cloud systems. This is possible because of the root and admin access acquired during the deployment of the miner.
It is noteworthy that in 2019 researchers detected a miner carrying a similar name, Watchbog.
The Watchbog campaign targeted Linux servers, exploiting vulnerable software such as Jenkins, Nexus Repository Manager 3, ThinkPHP, and Linux Supervisord. The malicious campaign had previously leveraged Exim and Jira vulnerabilities, such as CVE-2019-10149. In 2019, a Shodan search indicated that at least 1,610,000 vulnerable Exim servers were at risk. In addition, a total of 54,000 Atlassian Jira servers were also vulnerable, as indicated by BinaryEdge data.