
WatchDog’s new multi-stage cryptojacking attack uncovered

Christi Rogalski by Christi Rogalski
June 11, 2022
in Crypto, Security
WatchDog Targets Docker Containers

Cado Security’s honeypot recently captured a rather interesting cryptojacker from what they believe to be the WatchDog hacking group. They note that although many stages of the attack’s life cycle reuse TeamTNT’s payloads, it is very likely a new campaign from WatchDog – a TeamTNT competitor – which was previously known to mount attacks with TeamTNT payloads.

They reference Palo Alto Unit 42’s findings from October 2021, which documented how a cryptojacking campaign that looked like TeamTNT’s work was likely misattributed and was in fact entirely a WatchDog campaign.

Many characteristics that were found in that attack were also found in this attack, including:

  • The usage of the oracle.zzhreceive[.]top domain
  • The usage of the b2f628 directory naming in the URLs
  • The usage of 43Xbg…-prefixed Monero wallet address
  • The usage of the 1.0.4.tar.gz Compile on Delivery payload
  • The avoidance of the Golang payloads usually associated with WatchDog

Not everything is exactly the same, which is to be expected since this is likely a new campaign, Cado Security notes.

The malware is designed to propagate like a worm and even includes a method to possibly compromise honeypots. Many scripts or payloads are quite similar and target Docker containers specifically.

WatchDog’s attack cycle

The Cado honeypot documented the entire life cycle of WatchDog’s cryptojacking campaign. Initial access is gained through misconfigured Docker Engine API endpoints. Then, depending on whether or not the current user is root, different scripts are loaded to fetch and run the payloads.
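A defender’s check for the misconfiguration that gives this campaign its initial access, added here as an example (not code from the article or from Cado Security): it reads the `hosts` list of a daemon.json document and reports any tcp:// listener that dockerd would serve without TLS client certificate verification. The sample configurations are constructed.

```python
"""Audit a Docker daemon configuration for an unauthenticated TCP API listener.

Added example; not code from the article or from Cado Security. It inspects the
"hosts" list of a daemon.json document (the same keys dockerd reads from
/etc/docker/daemon.json) and reports any tcp:// listener that is not protected
by TLS client certificate verification.
"""
import json
import os
import sys
from urllib.parse import urlparse

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_docker_hosts(config_json: str) -> list[str]:
    """Return one finding per unauthenticated tcp:// listener (empty list = clean)."""
    cfg = json.loads(config_json)
    # dockerd only authenticates remote clients when tlsverify is set and all
    # three certificate paths are configured.
    tls_ok = bool(cfg.get("tlsverify")) and all(cfg.get(k) for k in TLS_KEYS)
    findings = []
    for host in cfg.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        if tls_ok:
            continue
        bind = url.hostname or "0.0.0.0"
        scope = "all interfaces" if bind in ("0.0.0.0", "::") else bind
        findings.append(f"{host}: Docker Engine API on {scope} without TLS client auth")
    return findings


def audit_file(path: str = "/etc/docker/daemon.json") -> list[str]:
    """Audit the daemon.json at `path`; a missing file configures no listener."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return audit_docker_hosts(fh.read())


# Constructed sample configurations (not taken from any real host).
SAFE_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
EXPOSED_CONFIG = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})

if __name__ == "__main__":
    for finding in audit_file(sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"):
        print(finding)
```

Listeners can also be set with `-H` on the dockerd command line or in its systemd unit, so check those sources as well; a clean daemon.json alone does not prove the API is private.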

[Figure: WatchDog’s attack life cycle, source: Cado Security]

The attack is multi-stage and invokes many “interesting” functions, including a clmo() function that, Cado believes, hints at repurposed code originally aimed at Linux servers rather than specifically at Docker containers.

This is not the only function that hints at this. The Alibaba Cloud Agent removal routine, for example, suggests the code was written to target Alibaba Cloud Linux servers and not Docker containers.

Throughout the attack cycle, a few of the many sophisticated techniques deployed by the malicious code include timestomping, exploitation of misconfigured Redis databases, and process hiding.
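Timestomping is one of the techniques named above; the following triage check is added here as an example (not from the article or Cado’s report). On Linux, utime()-based tools can rewrite mtime and atime but cannot set ctime, so a file whose mtime lies well before its ctime, or whose mtime was set to a whole second while ctime keeps sub-second precision, deserves a closer look. The sample records are constructed, and the thresholds are assumptions.

```python
"""Flag files whose timestamps look timestomped (added example, not the article's code).

A triage signal, not proof: chmod, chown, rename and a plain cp also move ctime
without touching mtime, so every hit needs a human look.
"""
import os
from dataclasses import dataclass
from typing import Iterable, Iterator


@dataclass
class FileTimes:
    path: str
    mtime: float  # last content modification; settable via utime()
    ctime: float  # last inode change; set by the kernel only


def timestomp_reasons(ft: FileTimes, gap_seconds: float = 60.0) -> list[str]:
    """Return the reasons a record looks stomped (empty list = nothing odd)."""
    reasons = []
    gap = ft.ctime - ft.mtime
    if gap > gap_seconds:  # assumed threshold: tolerate normal write-then-chmod gaps
        reasons.append(f"mtime precedes ctime by {gap:.0f}s")
    if ft.mtime == int(ft.mtime) and ft.ctime != int(ft.ctime):
        reasons.append("mtime is a whole second while ctime keeps sub-second precision")
    return reasons


def find_suspects(records: Iterable[FileTimes]) -> dict[str, list[str]]:
    """Map path -> reasons for every record with at least one reason."""
    out = {}
    for ft in records:
        reasons = timestomp_reasons(ft)
        if reasons:
            out[ft.path] = reasons
    return out


def walk_times(root: str) -> Iterator[FileTimes]:
    """Yield FileTimes for every entry under root, for a live scan of a host."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            yield FileTimes(full, st.st_mtime, st.st_ctime)


# Constructed sample records: a normal file, and one whose mtime was pushed back a year.
SAMPLE = [
    FileTimes("/tmp/normal.sh", mtime=1654900000.123, ctime=1654900000.123),
    FileTimes("/tmp/stomped", mtime=1623364000.0, ctime=1654900123.456),
]
```

Run `find_suspects(walk_times("/tmp"))` (or another directory the payloads dropped into) to apply the same checks to a live host.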

Cado’s report lists the indicators of a compromised system with filenames and their SHA256 hashes, URLs, and wallet IDs.

What are honeypots and how do they work?

Honeypots are used to detect, track, and analyze unauthorized access attempts against your network. Honeypots allow you to identify attacks that were unsuccessful due to the honeypot’s presence. They also provide valuable insight into the attacker’s motives and methods of attack.

A honeypot is a system, server, or device that is set up to mimic the key elements of an actual system in order to lure in attackers and study their behavior. The goal is to learn more about the attacker, who they are, and what they are doing. Honeypots can be used to track illicit activities, such as cyber threats, spam attacks, theft of personal data, and corporate espionage.

Honeypots are often used in tandem with other network security tools such as firewalls and intrusion detection systems (IDS). When deployed together, these tools can provide comprehensive security coverage for organizations large or small.

Honeypots work by luring attackers into thinking they have found an easy target for criminal activity. Once an attacker has been lured into attacking the “honeypot,” they can be monitored while they attempt to steal information or damage your network. The information gleaned from these attacks can help you understand how attackers work so you can better protect yourself against them in the future.

Tags: Cryptojacking, Docker, WatchDog
Christi Rogalski

Christi began her InfoSec career at the Illinois Institute of Technology, where she received her Bachelor of Science degree in Applied Cybersecurity and Information Technology. Her passions include learning about new threats in the security world, investing, and playing with her dog, Pablo.

© 2022 ZeroSecurity, All Rights Reserved.