The WatchBog botnet's activity has been monitored closely for the past year, and its operators are clearly far from dormant. So far, WatchBog has been used exclusively to mine Monero. As usual, this is done by planting a covert cryptocurrency miner on the compromised host and then loading a configuration file with the wallet address, mining pool and miner settings. Naturally, the victim is kept in the dark, and all of the generated Monero coins are transferred to the attacker's wallet. A recent update to the WatchBog botnet did not go unnoticed by security experts, and it appears that the criminals behind the project plan to expand their operation by looking for new victims via the BlueKeep Windows vulnerability.
A CPU-Intensive Cryptocurrency Miner may Cause Performance Issues
What would happen if WatchBog's miner were running on your computer? If you only use the PC to browse the Web, you are unlikely to notice anything out of the ordinary. However, the moment you launch a resource-heavy application (e.g., video or photo editing software), you may immediately run into stability and performance issues. This is because the Monero cryptocurrency miner that WatchBog plants consumes as much CPU time as it can for its mining.
The initial infection vectors that WatchBog's operators use are very surprising: apparently, they contact companies claiming to be independent cyber-security contractors who offer to inspect their systems for security holes. However, instead of receiving a cyber-security audit, the targets end up with their computers becoming part of the WatchBog botnet. This means that every vulnerable and accessible host is loaded with a cryptocurrency miner that runs at all times and persists across reboots.
WatchBog Relies on Legitimate Services to Provide It with Configuration Data
Instead of using a traditional Command & Control server, the authors of the WatchBog botnet use an interesting trick: their payload downloads its configuration from a pre-defined PasteBin.com link. While this is unusual, it is certainly not a new strategy; many other cybercriminals have used online text-hosting services for the exact same purpose.
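As an added defender-side example (not code from the article or from WatchBog itself), the script below scans constructed proxy log lines for the trace this technique leaves: raw paste-site content being fetched by a non-browser client. The log layout, sample lines and the `/raw/` path convention are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not taken from the article):
# timestamp, client IP, quoted user agent, method, URL.
SAMPLE_PROXY_LOG = """\
2019-07-25T10:01:02Z 10.0.0.21 "Mozilla/5.0 (Windows NT 10.0)" GET https://pastebin.com/
2019-07-25T10:01:05Z 10.0.0.21 "Mozilla/5.0 (Windows NT 10.0)" GET https://pastebin.com/abcd1234
2019-07-25T10:02:30Z 10.0.0.42 "curl/7.64.1" GET https://pastebin.com/raw/XyZ09876
2019-07-25T10:02:31Z 10.0.0.42 "curl/7.64.1" GET https://pastebin.com/raw/XyZ09876
2019-07-25T10:05:00Z 10.0.0.42 "Wget/1.20" GET https://pastebin.com/raw/AbC12345
2019-07-25T10:06:00Z 10.0.0.77 "python-requests/2.22.0" GET https://example.org/status
"""

LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

# Text-hosting services used for configuration delivery; extend for your environment.
PASTE_HOSTS = ("pastebin.com",)
# Assumed path prefix that returns unrendered paste content, which is what a script fetches.
RAW_PATH_RE = re.compile(r"^/raw/")
BROWSER_UA_RE = re.compile(r"Mozilla/")

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, ua, method, url = m.groups()
    host, _, path = url.split("://", 1)[1].partition("/")
    return {"ts": ts, "client": client, "ua": ua, "method": method,
            "host": host, "path": "/" + path}

def find_paste_config_fetches(log_text):
    """Return {client_ip: [raw paste URLs]} for raw paste downloads made by
    non-browser user agents, the pattern a payload pulling its config would leave."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["host"] in PASTE_HOSTS and RAW_PATH_RE.match(rec["path"])
                and not BROWSER_UA_RE.search(rec["ua"])):
            url = rec["host"] + rec["path"]
            if url not in hits[rec["client"]]:
                hits[rec["client"]].append(url)
    return dict(hits)
```

Ordinary browsing of the paste site (the 10.0.0.21 lines) is deliberately not flagged; only scripted raw fetches are reported, which keeps the alert volume usable.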
When WatchBog's Monero miner is executed, it first terminates any other cryptocurrency miner instances found on the infected host, guaranteeing that no other software will cause any conflicts. Furthermore, WatchBog is able to spread laterally using a wide range of exploits, as well as by looking for unsecured SSH connections. To protect your company network from the WatchBog botnet and similar threats, you should invest in a reputable anti-virus product. In addition, you should also make sure to apply the latest security patches and operating system updates to reduce the attacker's chances of finding a security hole.