Cryptojacking Group WatchDog Attacks Cado Labs Honeypot
Researchers at Cado Labs report a cryptojacking attack observed against the company's honeypot. The attack is attributed to the cryptojacking group WatchDog, a rival of TeamTNT, another known threat actor targeting cloud environments. The campaign began by exploiting a publicly exposed, misconfigured Docker API on port 2375: the daemon had been left in its unsecured default state, allowing unauthenticated access to the Docker daemon. Once a foothold was established, the attacker created a new Alpine Linux Docker container and set up persistence with a cron job.

The attacker then executed a shell script that checks whether the system is already infected, lists running processes and host configuration, downloads a second-stage payload, and checks user permissions, since the campaign requires root. The second-stage shell script manipulates the system's timestamp and disables services such as the Alibaba Cloud Agent. The XMRig miner payload is then dropped on the compromised host, with a system service created for persistence.

A third-stage payload conducts network scanning to identify hosts to pivot to, and drops two final scripts that propagate the attack further into the victim's network.