WatchDog Botnet Mines Cryptocurrency on Compromised Servers
As cybersecurity experts have previously noted, the rapid rise in cryptocurrency value has led to an increase in mining botnets. Some operators of DDoS botnets have even shifted their focus to mining. In this context, the activity of the WatchDog botnet is not surprising.
According to analysts at Palo Alto Networks, this malware, active since 2019 and written in Go, infects systems running both Windows and Linux. Initial access is typically gained by exploiting outdated, internet-exposed versions of enterprise applications rather than through phishing or stolen credentials. Experts estimate that the botnet currently consists of between 500 and 1,000 infected systems.
Exploited Vulnerabilities
The botnet operators use 33 exploits to target 32 known vulnerabilities in products such as:
- Drupal
- Elasticsearch
- Apache Hadoop
- Redis
- Spring Data Commons
- SQL Server
- ThinkPHP
- Oracle WebLogic
The attackers use the compromised hosts to mine Monero. Researchers estimate their earnings so far at about 209 Monero (XMR), roughly $32,000 at the exchange rate at the time of the report. They note that the real figure is probably much higher: only a few binaries could be analyzed, and the operators likely use many more Monero wallet addresses than the ones identified.
Additional Risks
Worse, WatchDog typically runs with administrative privileges on infected servers, so the operators are not limited to mining. The same access would let them scan the host for stored credentials and exfiltrate them, should they choose to. For defenders, the practical implication is that a WatchDog infection should be treated as a full compromise of the host, with the associated credential rotation and investigation, rather than as a resource-theft nuisance to be cleaned up by killing the miner process.