Cryptojacking Group WatchDog Attack Cabo Labs

  |  Source: 
Cado Security

Cryptojacking Group WatchDog Attack Cabo Labs

Industry: N/A | Level: Tactical | Source: Cado Security

Researchers at Cado Labs report a cryptojacking attack observed from the company's honeypot. The attack is attributed to cryptojacking group, WatchDog a rival threat group to TeamTNT another known threat actor targeting cloud environments. The campaign was initiated by exploiting a publicly misconfigured Docker API over port 2375 as the default setting was left unsecured, enabling unauthenticated access to the Docker daemon. Once the foothold was established the attacker created a new Alpine Linux Docker container and established persistence with a cron job. The attacker executes a shell script to check the system's infection status listing processes, host configuration, downloads a second-stage payload, and checks user permissions as root permissions are needed for the campaign. The second-stage shell script manipulates the system's timestamp and disables services such as the Alibaba Cloud Agent. The XMRig miner payload is dropped on the compromised host with a system service created for persistence. A third stage payload conducts network scanning, identifying hosts to pivot to, and drops two final scripts to initiate the propagation of the attack further into the victim’s network.

Anvilogic Scenario:

  • WatchDog Cryptojacking Attack

Anvilogic Use Cases:

  • Publicly exposed Docker API
  • New Docker Container
  • File Download (Unix)
  • Crontab Job Scheduling (Unix)
  • Timestamp Manipulation
  • Rare shell script execution
  • Service Stop Commands
  • File Modified for Execution
  • Linux Enumeration Techniques

Get trending threats published weekly by the Anvilogic team.

Sign Up Now