WatchDog’s new multi-stage cryptojacking attack uncovered

Christi Rogalski by Christi Rogalski
June 11, 2022
in Crypto, Security

Cado Security’s honeypot recently captured a rather interesting cryptojacker from what they believe to be the WatchDog hacking group. They note that although the attack’s life cycle reuses TeamTNT payloads at many points, it is very likely a new campaign from WatchDog, a TeamTNT competitor previously known to mount attacks with TeamTNT’s payloads.

They referenced Palo Alto Networks’ Unit 42 findings from October 2021, which documented how a cryptojacking malware campaign that appeared to come from TeamTNT was likely misattributed and was in fact entirely a WatchDog campaign.

Many characteristics of that attack were also found in this one, including:

  • Use of the oracle.zzhreceive[.]top domain
  • Use of the b2f628 directory name in the URLs
  • Use of a 43Xbg…-prefixed Monero wallet address
  • Use of the 1.0.4.tar.gz “Compile on Delivery” payload
  • Avoidance of the Golang payloads associated with WatchDog

Not everything is identical, which is to be expected since this is likely a new campaign, Cado Security notes.

The malware is designed to propagate like a worm and even includes a routine intended to compromise honeypots. Many of its scripts and payloads closely resemble earlier ones and specifically target Docker containers.

WatchDog’s attack cycle

The Cado honeypot documented the entire life cycle of WatchDog’s cryptojacking campaign. Initial access is gained through misconfigured, network-exposed Docker Engine API endpoints. Then, depending on whether the compromised user is root, different scripts are loaded to fetch and run the payloads.
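The entry point above is an exposed Docker Engine API, so the defender’s first question is whether their own daemon listens on TCP and, if so, whether it requires client certificates. The following is an added example, not code from Cado Security or from the Docker project: a small audit of the real `daemon.json` keys `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey`. The two sample configurations and the `10.0.0.5` management address are constructed placeholders.

```python
import json

# Constructed sample daemon.json contents (placeholders, not from the Cado report).
WEAK_DAEMON_JSON = json.dumps({
    # Engine API on every interface, plain TCP, no client authentication:
    # this is the misconfiguration the campaign looks for.
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    # Bound to one management address and requiring client certificates.
    # 10.0.0.5 is a placeholder address for this example.
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Bind addresses that mean "every interface".
WILDCARD_BINDS = {"", "0.0.0.0", "[::]", "::"}
TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def _bind_address(tcp_host):
    """'tcp://0.0.0.0:2375' -> '0.0.0.0'; 'tcp://:2375' -> ''; 'tcp://[::]:2375' -> '[::]'."""
    rest = tcp_host[len("tcp://"):]
    return rest.rsplit(":", 1)[0] if ":" in rest else rest


def audit_docker_daemon(config_text):
    """Return a list of (subject, finding_code) tuples; empty means nothing to report."""
    cfg = json.loads(config_text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the unix socket: nothing reachable over the network

    if not cfg.get("tlsverify"):
        # Anyone who can reach the port can drive the Engine API (create
        # containers, mount the host filesystem, ...).
        findings += [(h, "NO_TLS_CLIENT_AUTH") for h in tcp_hosts]
    else:
        # tlsverify without the certificate files will not give you mutual TLS.
        findings += [("tlsverify", "MISSING_" + k.upper())
                     for k in TLS_FILE_KEYS if k not in cfg]

    findings += [(h, "BOUND_TO_ALL_INTERFACES")
                 for h in tcp_hosts if _bind_address(h) in WILDCARD_BINDS]
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_daemon(text) or "no findings")
```

`daemon.json` is only one of two places the listener can be configured: the `-H` flag on `dockerd` (typically in the systemd unit’s `ExecStart`) does the same thing, so an audit that only reads the file should be paired with a check of the running process’s command line.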

WatchDog's Attack Life cycle
Attack Life Cycle, source: Cado Security

The attack is multi-stage and invokes many “interesting” functions, including clmo(), which Cado believes hints at repurposed code originally written to target Linux servers rather than Docker containers specifically.

This is not the only function that hints at this. The Alibaba Cloud Agent removal routine, for example, suggests the code was originally written to target Alibaba Cloud Linux servers rather than Docker containers.

Across the attack cycle, the techniques used by the malicious code include timestomping, exploitation of misconfigured Redis databases, and process hiding.
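Timestomping (resetting a dropped file’s modification time so it blends in with older files) leaves a trace on Linux and macOS because `utime()`/`touch` can set mtime but not the inode change time, ctime, which the kernel maintains. The scanner below is an added example, not Cado Security’s detection logic: it flags files whose mtime is far behind their ctime or lies in the future, and builds its own constructed fixture in a temporary directory. The seven-day threshold is an assumption to tune per environment.

```python
import os
import tempfile
import time

DAY = 24 * 3600
# Assumption: how far mtime may trail ctime before we call it suspicious.
CTIME_GAP_THRESHOLD = 7 * DAY


def timestomp_indicators(path, now=None):
    """Return a list of indicator codes for one file (empty list = nothing odd)."""
    now = time.time() if now is None else now
    st = os.lstat(path)
    hints = []
    if st.st_mtime > now + 60:
        # Nothing legitimate writes files "tomorrow".
        hints.append("MTIME_IN_FUTURE")
    # On Linux/macOS st_ctime is the inode change time, which utime()/touch
    # cannot set, so a stomped mtime ends up far behind ctime.
    if st.st_ctime - st.st_mtime > CTIME_GAP_THRESHOLD:
        hints.append("MTIME_FAR_BEHIND_CTIME")
    return hints


def scan_tree(root, now=None):
    """Walk a directory tree; return {path: [indicator codes]} for flagged files."""
    flagged = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hints = timestomp_indicators(path, now)
            if hints:
                flagged[path] = hints
    return flagged


def demo_scan():
    """Constructed fixture: one clean file, one stomped file, one future-dated file."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        normal = os.path.join(d, "normal.sh")
        stomped = os.path.join(d, "stomped.sh")
        future = os.path.join(d, "future.sh")
        for p in (normal, stomped, future):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        old = now - 400 * DAY
        os.utime(stomped, (old, old))              # what `touch -t`/-r does
        os.utime(future, (now + 30 * DAY, now + 30 * DAY))
        return {os.path.basename(p): h for p, h in scan_tree(d, now).items()}


if __name__ == "__main__":
    for name, hints in sorted(demo_scan().items()):
        print(f"{name}: {', '.join(hints)}")
```

The ctime gap is a triage signal, not proof: ctime also advances on chmod, chown and rename, and files restored from backup or copied with `cp -p` legitimately show an old mtime next to a fresh ctime. Corroborate with the file’s location, ownership and hash against the report’s indicator list before acting on it.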

Cado’s report lists the indicators of compromise: filenames with their SHA256 hashes, URLs, and wallet IDs.

What are honeypots and how do they work?

Honeypots are used to detect, track, and analyze unauthorized access attempts against your network. They let you identify attacks that failed because they hit the honeypot rather than a real system, and they provide valuable insight into the attacker’s motives and methods.

A honeypot is a system, server, or device that is set up to mimic the key elements of an actual system in order to lure in attackers and study their behavior. The goal is to learn more about the attacker, who they are, and what they are doing. Honeypots can be used to track illicit activities, such as cyber threats, spam attacks, theft of personal data, and corporate espionage.

Honeypots are often used in tandem with other network security tools such as firewalls and intrusion detection systems (IDS). When deployed together, these tools can provide comprehensive security coverage for organizations large or small.

Honeypots work by luring attackers into thinking they have found an easy target for criminal activity. Once an attacker has been lured into attacking the “honeypot,” they can be monitored while they attempt to steal information or damage your network. The information gleaned from these attacks can help you understand how attackers work so you can better protect yourself against them in the future.
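A concrete way to see the mechanism described above is a listener that looks like a service but only records who connects and what they send. The following is an added example and not Cado Security’s honeypot: a minimal TCP honeypot that logs each connection with a timestamp, source address and the first bytes received, replies with a fixed banner, and offers a per-source summary. The banner and the request in the demo are constructed placeholders; the demo only ever connects to its own listener on 127.0.0.1.

```python
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed placeholder reply; a real deployment would imitate the service
# it wants to look like more faithfully.
FAKE_BANNER = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"


class MiniHoneypot:
    """Listen on a port, log each connection, answer with a fixed banner."""

    def __init__(self, host="127.0.0.1", port=0, banner=FAKE_BANNER):
        self.banner = banner
        self.events = []                        # one dict per connection
        self._stop = threading.Event()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))           # port=0: let the OS pick one
        self._sock.listen(5)
        self._sock.settimeout(0.2)              # so the accept loop sees stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                try:
                    first = conn.recv(4096)     # capture the opening request
                except socket.timeout:
                    first = b""
                # Record before replying, so whoever receives the banner can
                # rely on the event already being in self.events.
                self.events.append({
                    "time": datetime.now(timezone.utc).isoformat(),
                    "src_ip": addr[0],
                    "src_port": addr[1],
                    "first_bytes": first[:256].decode("utf-8", "replace"),
                })
                try:
                    conn.sendall(self.banner)
                except OSError:
                    pass                        # client went away; keep serving

    def summary(self):
        """Connection count per source IP, a quick triage view."""
        counts = {}
        for ev in self.events:
            counts[ev["src_ip"]] = counts.get(ev["src_ip"], 0) + 1
        return counts


def probe(port, payload):
    """Client side for the demo: send payload, return everything the honeypot replies."""
    chunks = []
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        while True:
            data = c.recv(1024)
            if not data:                        # honeypot closed the connection
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    hp = MiniHoneypot().start()
    # Constructed request, the kind of unauthenticated probe an exposed Docker
    # Engine API receives; sent to our own listener only.
    probe(hp.port, b"GET /containers/json HTTP/1.1\r\nHost: honeypot\r\n\r\n")
    hp.stop()
    print(json.dumps(hp.events, indent=2))
    print(hp.summary())
```

Real honeypots add what this one omits: a convincing emulation of the service, isolation so a captured payload cannot pivot anywhere, and shipping of the event log to the same place the IDS and firewall logs go, which is what makes the “deployed together” point above work in practice.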

Tags: Cryptojacking, Docker, WatchDog

Christi Rogalski

Christi began her InfoSec career at the Illinois Institute of Technology where she received her Bachelor of Science degree in Applied Cybersecurity and Information Technology. Her passions include learning about new threats in the security world, investing, and playing with her dog, Pablo.
