Hackers Exploit Jira and Exim Linux Servers "To Maintain Internet Security"

The new variant of this strain was found by polarply. According to a current Shodan search, more than 1,610,000 unique Exim servers and over 54,000 vulnerable Atlassian JIRA servers could be affected by this attack, as per BinaryEdge. Watchbog is a malware strain used to attack Linux servers running vulnerable software such as Jenkins, which was uncovered by Alibaba Cloud Security researchers during a May campaign, along with Nexus Repository Manager 3, ThinkPHP and Supervisord. It will also abuse the CVE-2019-10149 remote flaw, which allows attackers to execute commands as root after exploitation. This Exim flaw is known to have been exploited in the wild since at least 9 June. What makes this variant highly dangerous is that it is not detected by any VirusTotal scanning engine: the Watchbog sample spotted by polarply has an AV detection ratio of 0/55. More information can be found on Intezer Analyze.

Targeting Exim and Jira vulnerabilities

The latest strain, found by the Intezer Labs researcher on VirusTotal, uses a malicious payload to exploit CVE-2019-11581, the 12-day-old Jira template injection vulnerability that leads to remote code execution.

The malware also achieves persistence by adding itself to several crontab files, ensuring that it can come back and reinfect the system if the user does not find all the crontabs that have been altered. After gaining a foothold on a vulnerable server, Watchbog downloads and runs malicious commands from Pastebin, which eventually deploy and run the final cryptocurrency miner payload on the compromised Linux box.

Patch Patch Patch! Added to Intezer Analyze – https://t.co/hWZBCHNjxM pic.twitter.com/6s7bXCfV9d — polarply (@polarply) July 22, 2019

Watchbog attack process (Image: Alibaba Cloud Security)

Infecting Linux servers

The infection process in Watchbog is quite simple: it drops a Monero coinminer after exploiting the vulnerabilities it targets, and resists the user's attempts to remove it.

Watchbog attack (Image: Alibaba Cloud Security)

According to the coinminer configuration file, this variant uses the minexmr.com mining pool, as did the previous variants of Watchbog, and it collects all the funds at the 47k2wdnyBoMT6N9ho5Y7u Qg1J6gPsTboKP6JxfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7 address, which was also used during the campaign targeting Jenkins servers in May.

Payment address

Apart from the lack of VirusTotal detections and the switch in targets to Jira and Exim servers, there is one more thing that makes this specific Watchbog strain special: the malicious script it uses to drop the coinminer on compromised Linux servers also includes a contact note for its victims. The following note is available in the malicious script: While in previous variants of the malware the attacker would only offer a service to remove the infection, promising to send the victim a "cleansing script" together with the source of the entry and a fix, this variant notes that the mission of the attacker is to safeguard the internet.
