Skip to main content

WatchDog Cryptojacking Campaign

Threat ID:
CC-3762
Category:
Miner
Threat Severity:
Low
Threat Vector:
Exploit
Published:
19 February 2021 11:33 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Affected platforms

The following platforms are known to be affected:

Windows and Unix-like cloud environments

Threat details

Introduction

WatchDog is a recently discovered cryptojacking campaign that mainly targets Windows and Unix-like cloud environments. The campaign is estimated to have been in operation since early 2019.

Delivery

WatchDog is delivered by exploiting a wide range of known vulnerabilities in commonly-used server software. Environments where security updates have not been applied are therefore most susceptible to compromise.

Activities

WatchDog is mainly programmed in the Go language, which enables its use across different operating systems. When a system is compromised a script is first run to remove cloud security tools, terminate other mining processes and install the WatchDog toolkit.

WatchDog includes multiple processes:

  • A network scanner to identify further vulnerable systems and attempt compromise
  • A system monitoring module to ensure that the mining software continues to run
  • A miner based on XMRig to obtain the Monero cryptocurrency

Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

Indicators of compromise

Network indicators

Domains:

  • de.gengine[.]com.de
  • de.gsearch[.]com.de
  • global.bitmex[.]com.de
  • ipzse[.]com
  • py2web[.]store
  • sjjjv[.]xyz
  • us.gsearch[.]com.de

URLs:

  • hxxp://107.173.159[.]206:8880/tatavx1hym9z928m/bsh.sh
  • hxxp://107.173.159[.]206:8880/tatavx1hym9z928m/config.json
  • hxxp://107.173.159[.]206:8880/tatavx1hym9z928m/sysupdate
  • hxxp://107.173.159[.]206:8880/tatavx1hym9z928m/update.sh
  • hxxp://146.71.79[.]230/363A3EDC10A2930DVNICE/config.json
  • hxxp://146.71.79[.]230/363A3EDC10A2930DVNICE/networkservice
  • hxxp://146.71.79[.]230/363A3EDC10A2930DVNICE/sysguard
  • hxxp://146.71.79[.]230/363A3EDC10A2930DVNICE/sysupdate
  • hxxp://146.71.79[.]230/363A3EDC10A2930DVNICE/update.sh
  • hxxp://176.123.10[.]57/cf67356/config.json
  • hxxp://176.123.10[.]57/cf67356/networkmanager
  • hxxp://176.123.10[.]57/cf67356/newinit.sh
  • hxxp://176.123.10[.]57/cf67356/phpguard
  • hxxp://176.123.10[.]57/cf67356/zzh
  • hxxp://185.181.10[.]234/E5DB0E07C3D7BE80V520/config.json
  • hxxp://185.181.10[.]234/E5DB0E07C3D7BE80V520/networkservice
  • hxxp://185.181.10[.]234/E5DB0E07C3D7BE80V520/sysguard
  • hxxp://185.181.10[.]234/E5DB0E07C3D7BE80V520/sysupdate
  • hxxp://185.181.10[.]234/E5DB0E07C3D7BE80V520/update.sh
  • hxxp://185.232.65[.]124/update.sh
  • hxxp://185.232.65[.]191/cf67356/config.json
  • hxxp://185.232.65[.]191/cf67356/newinit.sh
  • hxxp://185.232.65[.]191/cf67356/zzh
  • hxxp://185.232.65[.]191/config.json
  • hxxp://185.232.65[.]191/trace
  • hxxp://185.232.65[.]191/update.sh
  • hxxp://185.232.65[.]192/cf67356/networkmanager
  • hxxp://185.232.65[.]192/cf67356/phpguard
  • hxxp://185.232.65[.]192/config.json
  • hxxp://185.232.65[.]192/trace
  • hxxp://185.247.117[.]64/cf67356/config.json
  • hxxp://185.247.117[.]64/cf67356/networkmanager
  • hxxp://185.247.117[.]64/cf67356/newdat.sh
  • hxxp://185.247.117[.]64/cf67356/phpguard
  • hxxp://185.247.117[.]64/cf67356/phpupdate
  • hxxp://198.98.57[.]187/config.json
  • hxxp://198.98.57[.]187/trace
  • hxxp://198.98.57[.]187/update.sh
  • hxxp://204.44.105[.]168:66/config.json
  • hxxp://204.44.105[.]168:66/networkmanager
  • hxxp://204.44.105[.]168:66/newdat.sh
  • hxxp://204.44.105[.]168:66/phpguard
  • hxxp://204.44.105[.]168:66/phpupdate
  • hxxp://205.209.152[.]78:8000/sysupdate
  • hxxp://205.209.152[.]78:8000/update.sh
  • hxxp://209.182.218[.]161:80/363A3EDC10A2930D/config.json
  • hxxp://209.182.218[.]161:80/363A3EDC10A2930D/networkservice
  • hxxp://209.182.218[.]161:80/363A3EDC10A2930D/sysguard
  • hxxp://209.182.218[.]161:80/363A3EDC10A2930D/sysupdate
  • hxxp://209.182.218[.]161:80/363A3EDC10A2930D/update.sh
  • hxxp://39.100.33[.]209/b2f628/config.json
  • hxxp://39.100.33[.]209/b2f628/newinit.sh
  • hxxp://39.100.33[.]209/b2f628/zzh
  • hxxp://39.100.33[.]209/b2f628fff19fda999999999/is.sh
  • hxxp://45.153.240[.]58/N3DN0E09C5D9BU70V1720/config.json
  • hxxp://45.153.240[.]58/N3DN0E09C5D9BU70V1720/networkservice
  • hxxp://45.153.240[.]58/N3DN0E09C5D9BU70V1720/sysguard
  • hxxp://45.153.240[.]58/N3DN0E09C5D9BU70V1720/sysupdate
  • hxxp://45.153.240[.]58/N3DN0E09C5D9BU70V1720/update.sh
  • hxxp://45.9.148[.]37/cf67356a3333e6999999999/1.0.4.tar.gz
  • hxxp://45.9.148[.]37/cf67356a3333e6999999999/config.json
  • hxxp://45.9.148[.]37/cf67356a3333e6999999999/is.sh
  • hxxp://45.9.148[.]37/cf67356a3333e6999999999/networkmanager
  • hxxp://45.9.148[.]37/cf67356a3333e6999999999/newdat.sh
  • hxxp://45.9.148[.]37/cf67356a3333e6999999999/phpguard
  • hxxp://45.9.148[.]37/cf67356a3333e6999999999/phpupdate
  • hxxp://47.253.42[.]213/b2f628/config.json
  • hxxp://47.253.42[.]213/b2f628/newinit.sh
  • hxxp://47.253.42[.]213/b2f628/zzh
  • hxxp://82.202.66[.]50/cf67356/config.json
  • hxxp://82.202.66[.]50/cf67356/networkmanager
  • hxxp://82.202.66[.]50/cf67356/newinit.sh
  • hxxp://82.202.66[.]50/cf67356/phpguard
  • hxxp://82.202.66[.]50/cf67356/zzh
  • hxxp://83.97.20[.]90/cf67356/config.json
  • hxxp://83.97.20[.]90/cf67356/networkmanager
  • hxxp://83.97.20[.]90/cf67356/newinit.sh
  • hxxp://83.97.20[.]90/cf67356/phpguard
  • hxxp://83.97.20[.]90/cf67356/zzh
  • hxxp://93.115.23[.]117/N3DN0E09C5D9BU70V1720/config.json
  • hxxp://93.115.23[.]117/N3DN0E09C5D9BU70V1720/networkservice
  • hxxp://93.115.23[.]117/N3DN0E09C5D9BU70V1720/sysguard
  • hxxp://93.115.23[.]117/N3DN0E09C5D9BU70V1720/sysupdate
  • hxxp://93.115.23[.]117/N3DN0E09C5D9BU70V1720/update.sh
  • hxxp://95.182.122[.]199/E5DB0E07C3D7BE80V52/config.json
  • hxxp://95.182.122[.]199/E5DB0E07C3D7BE80V52/networkservice
  • hxxp://95.182.122[.]199/E5DB0E07C3D7BE80V52/Saltmin.sh
  • hxxp://95.182.122[.]199/E5DB0E07C3D7BE80V52/sysupdate
  • hxxp://95.182.122[.]199/init.sh
  • hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/config.json
  • hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/is.sh
  • hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/networkmanager
  • hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/newdat.sh
  • hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/phpguard
  • hxxp://global.bitmex[.]com[.]de/cf67355a3333e6/phpupdate
  • hxxp://py2web[.]store/7356a3333e6999999999/networkmanager
  • hxxp://py2web[.]store/7356a3333e6999999999/phpguard
  • hxxp://py2web[.]store/cf67356/config.json
  • hxxp://py2web[.]store/cf67356/newinit.sh
  • hxxp://py2web[.]store/cf67356/zzh
  • hxxp://xmr.ipzse[.]com:66/bd.sh
  • hxxp://xmr.ipzse[.]com:66/config.json
  • hxxp://xmr.ipzse[.]com:66/is.sh
  • hxxp://xmr.ipzse[.]com:66/networkmanager
  • hxxp://xmr.ipzse[.]com:66/newdat.sh
  • hxxp://xmr.ipzse[.]com:66/phpguard
  • hxxp://xmr.ipzse[.]com:66/phpupdate
  • hxxp://xmr.ipzse[.]com:66/rs.sh
  • hxxps://de.gengine[.]com[.]de/api/config.json
  • hxxps://de.gengine[.]com[.]de/api/networkservice
  • hxxps://de.gengine[.]com[.]de/api/sysguard
  • hxxps://de.gengine[.]com[.]de/api/sysupdate
  • hxxps://de.gengine[.]com[.]de/api/update.sh
  • hxxps://de.gsearch[.]com[.]de/api/config.json
  • hxxps://de.gsearch[.]com[.]de/api/networkservice
  • hxxps://de.gsearch[.]com[.]de/api/sysguard
  • hxxps://de.gsearch[.]com[.]de/api/sysupdate
  • hxxps://de.gsearch[.]com[.]de/api/update.sh
  • hxxps://sjjjv[.]xyz/sysupdate
  • hxxps://sjjjv[.]xyz/update.sh
  • hxxps://us.gsearch[.]com[.]de/api/config.json
  • hxxps://us.gsearch[.]com[.]de/api/networkservice
  • hxxps://us.gsearch[.]com[.]de/api/sysguard
  • hxxps://us.gsearch[.]com[.]de/api/sysupdate
  • hxxps://us.gsearch[.]com[.]de/api/update.sh

IP addresses:

  • 39.100.33[.]209
  • 45.153.240[.]58
  • 45.9.148[.]37
  • 93.115.23[.]117
  • 95.182.122[.]199
  • 106.15.74[.]113
  • 107.173.159[.]206
  • 146.71.79[.]230
  • 185.181.10[.]234
  • 185.232.65[.]124
  • 185.232.65[.]191
  • 185.232.65[.]192
  • 185.247.117[.]64
  • 198.98.57[.]187
  • 199.19.226[.]117
  • 204.44.105[.]168
  • 205.209.152[.]78
  • 208.109.11[.]21
Host indicators

File hashes (SHA-256):

  • 0a48bd0d41052c1e3138d558fc06ebde8d6f15b8d866200b8f00b214a73eb5b9
  • 0c4aa6afd2a81fd15f3bd65adcbd4f649fbc58ef12dd2d528125435169555901
  • 1f65569b77f21f47256db339700b4ff33b7570e44e1981b5c213b7b2e65b0f6c
  • 2b52288383588f65803a5dc9583171103be79f0b196d01241b5cd3a8cf69b190
  • 2eeac2b9577047a9eef2d164c13ace5e826ac85990a3a915871d6b0c2fc8fe67
  • 2f642efdf56b30c1909c44a65ec559e1643858aaea9d5f18926ee208ec6625ed
  • 37492d1897f77371f2eb431b9be7c861b81e97f04a091d8c6d63719171eda2ac
  • 3ab7cf786eeb23ebd11e86e0fc48b0a9b37a427d5d730d774c9ed8d98a925c6f
  • 43d7b29668786731f1bbbb3ae860487e84604195b186c1b7b253f99156d7f57a
  • 49366ae4766492d94136ca1f715a37554aa6243686c66bf3c6fbb9da9cb2793d
  • 51de345f677f46595fc3bd747bfb61bc9ff130adcbec48f3401f8057c8702af9
  • 55c92d64ffa9d170e340e0528dc8ea1fa9be98f91db891869947c5b168a728c8
  • 55dd539d8fe94648294e91df89b005f1dba330b432ceda25775963485bae7def
  • 67d0f77adf98ac34a6db78110c78652a9b7f63e22ae5ab7df4f57d3413e48822
  • 68cedf2a018c0830655dc9bb94aadf6492ab31196cbc83ceb44defae0a02d3dc
  • 6a7109481e113fd92ff98534e780f47a32b64bfa5692f7bd7da33c84033a9028
  • 758dbfda2b7d2e97caba294089c4c836ab447d7c9ceef510c667526fd873e161
  • 80b1a70d7ec5d1944787afff3c2feac3aa40ec8c64177886481d96623bc786bf
  • 818c16d1921572ffee6853c16c5c9158d2f217b6adbb5154cbb7daf945db493c
  • 82815c61402cfc0edd6ce3be37848259711ef07e3391e74c85fbdaa676d95c0c
  • 849f86a8fd06057eeb1ae388789881516239282dd4cb079b8281f995035874e1
  • 895e994dafaa00009a46f3b56ca0d563e066a14e77f5030b1331fc9b3f9f6478
  • 96fe63c25e7551a90051431aeddb962f05d82b7dd2940c0e8e1282273ba81e22
  • a322dc6af6fed1326b04ec966e66b68dd8ef22374edd286569710afc65ccc741
  • ac719447894b2f5029f493c7395d128f710a3ba7b31c199558f3ee00fb90ea12
  • ad05d09e6ed4bd09fe1469e49885c5169458635a1a33f2579cb7caa221b43fce
  • b6a5790a9bfaf159af68c4dbb09de9c2c0c2371c886fdb28223d40e6984b1dd7
  • bd3506b86452d46d395b38aa807805097da1291c706318b5fe970fe4b20f5406
  • c67881c1f05477939b8964ad26f1a467762a19c2c7d1a1656b338d8113ca1ac1
  • c8ca3ab0ae00a1bf197086370ab5994264ac5bc1fcf52b2ddf8c9fcacc4402ff
  • d54157bb703b360bb911363d9bb483a2ee00ee619d566d033a8c316f06cf26cc
  • d6cf2d54e3bb564cb15638b58d2dd124ae7acd40e05af42d1bdc0588a8d5211d
  • e3cbb08913493e54d74081349972423444cbc0f4853707b84409131d19cad15b
  • e7446d595854b6bac01420378176d1193070ef776788af12300eb77e0a397bf7
  • ed1e49cb05c375cc1149c349880ed077b6ee75cb7e5c6cae9cbd4bd086950c93

Last edited: 19 February 2021 12:38 pm