2022-06-07

Cryptojacking Group WatchDog Attack Cado Labs

Industry: N/A | Level: Tactical | Source: Cado Security

Researchers at Cado Labs report a cryptojacking attack observed on the company's honeypot. The attack is attributed to the cryptojacking group WatchDog, a rival of TeamTNT, another known threat actor targeting cloud environments. The campaign began with the exploitation of a misconfigured, publicly exposed Docker API on port 2375: the default setting was left unsecured, enabling unauthenticated access to the Docker daemon. Once the foothold was established, the attacker created a new Alpine Linux Docker container and established persistence with a cron job. The attacker then executes a shell script that checks the system's infection status, listing processes and host configuration, downloads a second-stage payload, and checks user permissions, as root permissions are needed for the campaign. The second-stage shell script manipulates the system's timestamp and disables services such as the Alibaba Cloud Agent. The XMRig miner payload is dropped on the compromised host, with a system service created for persistence. A third-stage payload conducts network scanning to identify hosts to pivot to, and drops two final scripts that propagate the attack further into the victim's network.
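A configuration check for the initial-access condition described above, as an added example (not taken from Cado Security's report or from Anvilogic's detection content): it flags Docker daemon TCP listeners, such as port 2375, that do not require client certificates. The function name, severity labels and sample configurations are assumptions made for illustration.

```python
import json
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_dockerd(daemon_json_text, dockerd_cmdline):
    """Return findings for Docker daemon TCP listeners that accept
    clients without certificate verification (tlsverify off)."""
    cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))

    # Merge listeners and TLS settings passed as dockerd flags.
    args = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith(("--host=", "-H=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True

    findings = []
    for host in hosts:
        if not host.startswith("tcp://") or tlsverify:
            continue  # unix sockets and client-authenticated TCP are not flagged
        url = urlsplit(host)
        # A missing bind address is conservatively treated as exposed.
        exposed = url.hostname not in LOOPBACK
        findings.append({
            "listener": host,
            "port": url.port,
            "severity": "high" if exposed else "medium",
            "reason": "TCP API without tlsverify: any client that can "
                      "reach it can create containers",
        })
    return findings

# Constructed sample inputs (not taken from the report).
SAMPLE_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_HARDENED = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true}'
SAMPLE_CMDLINE = "/usr/bin/dockerd -H tcp://127.0.0.1:2375"

if __name__ == "__main__":
    for finding in audit_dockerd(SAMPLE_EXPOSED, "/usr/bin/dockerd"):
        print(finding)
```

Feed it the contents of the host's daemon.json and the running dockerd command line; an empty result means no TCP listener was found without client certificate verification.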

Anvilogic Scenario:

  • WatchDog Cryptojacking Attack

Anvilogic Use Cases:

  • Publicly exposed Docker API
  • New Docker Container
  • File Download (Unix)
  • Crontab Job Scheduling (Unix)
  • Timestamp Manipulation
  • Rare shell script execution
  • Service Stop Commands
  • File Modified for Execution
  • Linux Enumeration Techniques
