{
	"id": "96f3b0e6-9bf2-4e60-8816-d7186ed397a9",
	"created_at": "2026-04-06T02:10:44.970458Z",
	"updated_at": "2026-04-10T03:32:45.872881Z",
	"deleted_at": null,
	"sha1_hash": "97f8b6eebbb7aad3bff6f1346f019467999b6f6a",
	"title": "Watchbog and the Importance of Patching",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2117184,
	"plain_text": "Watchbog and the Importance of Patching\r\nBy William Largent\r\nPublished: 2019-09-11 · Archived: 2026-04-06 01:38:26 UTC\r\nWhat Happened?\r\nCisco Incident Response (CSIRS) recently responded to an incident involving the Watchbog cryptomining botnet. The attackers were able to exploit CVE-2018-1000861 to gain a foothold and install the Watchbog malware on the affected systems.\r\nThis Linux-based malware relied heavily on Pastebin for command and control (C2) and operated openly. CSIRS gained an accurate understanding of the attacker's intentions and abilities on a customer's network by analyzing the various Pastebins. As the investigation progressed, CSIRS identified and de-obfuscated multiple pastes using artifacts left on compromised hosts.\r\nThere were some attempts at obfuscation, such as base64 encoding URLs and Pastebins, but the attack was still relatively simple to uncover - this attacker did not practice particularly strong operational security.\r\nThe attackers behind Watchbog claimed to be providing a service by identifying security vulnerabilities and aiding the organization by exploiting said weaknesses before any \"real\" hackers could do so. During the investigation, Cisco IR found signs of hosts becoming a part of a separate botnet around the time of the Watchbog activity. This raises serious doubts about the \"positive\" intentions of this adversary. Below is a message left on a compromised system by the adversary:\r\nhttps://blog.talosintelligence.com/2019/09/watchbog-patching.html\r\nPage 1 of 15\r\nWhat does Watchbog do?\r\nThe Watchbog botnet mines Monero cryptocurrency for its owners. While researching our variant we came across a post by Alibaba Cloud Security that provides some insights into Watchbog. 
This post coincided with our findings, as we found an installation script that performs the following activities.\r\nFirst, the installation script checks for running processes matching other cryptocurrency miners. If the system was previously configured to mine cryptocurrency, the installation script would terminate their execution using the kill command.\r\nThe script then uses the touch command to determine its capability to write to various directories on the filesystem. It also checks the architecture of the system to determine if it is executing on a 32-bit or 64-bit operating system and then makes three attempts to download and install a 'kerberods' dropper using wget or curl.\r\nDepending on permissions, the kerberods dropper is saved to one of the following directories:\r\nThe current working directory\r\n/usr/bin\r\n/usr/libexec\r\n/usr/local/bin\r\n/tmp\r\n/usr/sbin\r\nThe script also retrieves the contents of a Pastebin URL containing a Monero wallet ID and mining information. CSIRS verified this as the same wallet ID as the one used by the attacker referenced in the Alibaba Cloud post mentioned earlier.\r\nThough the Pastebin URL in the previous screenshot is no longer accessible, the next step in the infection process is to download the cryptocurrency miner. We identified a script that 'kerberods' likely runs to reach out to GitHub to install the XMR-Stak Monero miner.\r\nThe main part of the script checks to see if a process called 'watchbog' is running. If the 'watchbog' process is not detected, the 'testa' or 'download' function is called to install the version of the miner that is compatible with the host operating system and architecture and execute it to begin the mining process.\r\n'Testa' function\r\nAs previously mentioned, the 'testa' function may be called to facilitate the infection process. Below is the code associated with this function. This code is responsible for writing the various configuration data used by the mining software. The function declares three variables and assigns base64 encoded data to each of them. The base64 encoded data is then decoded and written to various files.\r\nThe base64 encoded values correspond to the following:\r\nSt_64: This variable contains the URL of the GitHub repository that hosts the XMR-Stak mining client.\r\nhXXps://github[.]com/fireice-uk/xmr-stak/releases/download/2.10.3/xmr-stak-linux-2.10.3-cpu.tar.xz\r\ncon_url: This variable contains the Pastebin URL that is used to host the configuration file for the mining client.\r\nhXXps://pastebin[.]com/raw/YJH8sWr\r\nCpu_url: This variable contains an additional Pastebin URL. During our investigation the Pastebin URL was no longer accessible, but it likely contains an additional configuration file to be used by the mining client.\r\nhXXps://pastebin[.]com/raw/irzk5mSh\r\npoo_url: This variable contains an additional Pastebin URL. During our investigation the Pastebin URL was no longer accessible, but it likely contains an additional configuration file to be used by the mining client.\r\nhXXps://pastebin[.]com/raw/aJkbTx6Y\r\nThe script then starts the Watchbog process and deletes the text file after downloading the encoded Pastebins as a text file and giving it execution permissions. The following screenshot shows the configuration file that is referenced by the con_url variable in the 'testa' function.\r\n'download' function\r\nThe following code is associated with the 'download' function referenced by the installation script previously described. Similar to what was described in the 'testa' function, it contains three declared variables with base64 encoded assignments.\r\nThese base64 encoded strings correspond to the following:\r\nmi_64: This variable contains the GitHub URL that hosts the XMRig Monero mining client.\r\nhXXps://github[.]com/xmrig/xmrig/releases/download/v2.14.1/xmrig-2.14.1-xenial-x64.tar.gz\r\nmi_32: This variable contains a Pixeldrain URL. During our investigation the URL was no longer accessible.\r\nhXXps://pixeldrain[.]com/api/file/ZuVWceWG\r\nder_ke: This variable contains a Pastebin URL. The URL was used to host a file containing the attacker's Monero wallet ID for the miner to use. This wallet ID is used to facilitate payment to the attacker: all Monero successfully mined by clients under the attacker's control is transferred to the wallet ID specified in this file. The same wallet is included in the Alibaba Cloud post mentioned earlier.\r\nhXXps://pastebin[.]com/raw/hURdMBLd\r\nThe download function then writes the contents retrieved from the specified URLs to various file locations. It then determines the architecture of the system, installs the appropriate mining client and executes it to initiate the mining process.\r\nThe following screenshot contains the contents of the Monero wallet configuration associated with the der_ke variable in the 'download' function described earlier. It specifies the configuration parameters that will be used by the mining client, including the wallet ID, mining pool URL, and other parameters that can be used to control CPU usage, logging, etc.\r\nLateral movement via SSH\r\nCSIRS identified that the adversary was using SSH to spread laterally. Although local logs were unavailable, we were able to use network logs to gain an understanding of how the malware was spreading. As we viewed the logs, it was easy to determine Watchbog's lateral movement mechanism because the infected hosts were generating a large amount of SSH traffic. This could have been easily detected using internal traffic flow monitoring, such as StealthWatch Cloud or another NetFlow-monitoring capability.\r\nThe following Bash script was used to facilitate the lateral movement process. It retrieves the contents of the known_hosts file on the infected system and then attempts to SSH into those systems. It also checks for the existence of SSH keys and leverages them to authenticate to the systems in the known_hosts file. If successful, it will retrieve the contents of the Pastebin URL previously described and initiate the infection process.\r\nLateral movement via Jenkins and Redis servers\r\nIn addition to leveraging SSH for lateral movement, the Watchbog adversary also attempted to leverage a Python script that scans for open Jenkins and Redis ports on the host's subnet. If the script finds any vulnerable servers, it attempts to use the curl or wget commands to retrieve a payload from Pastebin and execute it on the target.\r\nBased on the following string on line 71, the script targets CVE-2018-1000861, a vulnerability in the Stapler web framework, which handles HTTP requests, affecting Jenkins versions up to 2.138.1 or 2.145. It can provide attackers with RCE through specially crafted URLs. A post by Orange Tsai shows how to exploit this vulnerability by using cross-reference objects to bypass ACL policy.\r\nThough the pastes accessed in the script were no longer available, we believe the payload was the installation script for the XMR-Stak miner previously described. The following Python script is also downloaded and executed from the XMR-Stak miner script described above in a function called 'party.'\r\nAs can be seen above, the payload variable contains a base64 encoded blob which is then decoded, written to the /tmp directory and executed. This base64 encoded blob contains a Pastebin URL (hXXps://pastebin[.]com/raw/DzgYb9mu) which was used to host the following Python script. The Python script is used to facilitate the exploitation of the aforementioned vulnerability and initiate the infection process. The following screenshots are associated with this Python script.\r\nPersistence\r\nWatchbog's main persistence mechanism appears to have been cron jobs. Below is the 'system' function from the 'kerberods' installation script, which ensures the dropper will call out to Pastebins every hour for new information. The below screenshot shows the way that Watchbog configures the cron jobs responsible for achieving persistence on infected systems.\r\nIn a post by Renato Marinho from Morphus Labs, he mentions a very interesting way 'kerberods' achieves persistence as well. If it has root privileges, it will download and load a library into the operating system which hooks parts of glibc to modify glibc's behavior. The post also specifies that the hooks allow the miner to run as anyone (including root) and also obfuscate the network connection to the mining pool as well as the Redis/Jenkins server scans.\r\nCovering their tracks\r\nEvidence deletion has been identified in previous Watchbog variants. The Watchbog variant in our incident continued this trend. Evidence deletion was performed in a clear manner, with files and logs being deleted or overwritten. The evidence deletion was typically added to the end of a handful of the Pastebin scripts, with the XMR-Stak download and the SSH lateral movement scripts being prime examples. The loss of those key pieces of evidence made analysis difficult, but not impossible. We were able to rely upon our client's centralized logging to fill in those holes, and the hosts themselves still had evidence, the most obvious being the malware variants themselves.\r\nConclusion\r\nUnpatched web applications vulnerable to known CVEs are a major target for attackers. Adversaries can leverage the vulnerability to gain a foothold into the web server and the network environment in which the web server is deployed. Once that foothold has been established, the attacker can then connect to their C2, achieve persistent long-term access to the environment and spread laterally — which is exactly what happened in this case.\r\nThe best way to prevent such activity would be to ensure that all enterprise web applications are up to date. Patching can cause some operational gaps and delays, so it’s also important to have a maintenance window and a test environment to ensure that the new patches do not cause any issues. Identifying cryptomining activity can be done effectively by following security fundamentals. Establish a baseline for internal network traffic and, if any significant deviations occur, identify and investigate them, even if there is an existing theory for the activity. In this case, Watchbog generated a noticeable spike in the organization’s SSH traffic.\r\nCoverage\r\nIntrusion prevention systems such as SNORT® provide an effective tool to detect China Chopper activity due to specific signatures present at the end of each command. In addition to intrusion prevention systems, it is advisable to employ endpoint detection and response (EDR) tools such as Cisco AMP for Endpoints, which gives users the ability to track process invocation and inspect processes.\r\nAdditional ways our customers can detect and block these threats are listed below.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs have been observed associated with Watchbog.\r\nHashes (SHA256):\r\nb383d0fdfa5036ccfa5d9c2b43cbfd814bce8778978873057b86678e5295fc61\r\n0b0567c9b45ea0a3ea4267001f0760ccdf2b8224fceaf8979d32fcceb2d6fb7a\r\n3A6271A90D0F6CC8A2D31D45D931E8401F13F7377932BA07D871DC42F252B9CA\r\nDomains:\r\naziplcr72qjhzvin[.]onion[.]to\r\nMisc:\r\nMonero Wallet (same wallet as the Alibaba Cloud post)\r\n47k2wdnyyBoMT6N9ho5Y7uQg1J6gPsTboKP6JXfB5msf3jUUvTfEceK5U7KLnWir5VZPKgUVxpkXnJLmijau3VZ8D2zsyL7\r\nSource: https://blog.talosintelligence.com/2019/09/watchbog-patching.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/09/watchbog-patching.html"
	],
	"report_names": [
		"watchbog-patching.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441444,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/97f8b6eebbb7aad3bff6f1346f019467999b6f6a.pdf",
		"text": "https://archive.orkl.eu/97f8b6eebbb7aad3bff6f1346f019467999b6f6a.txt",
		"img": "https://archive.orkl.eu/97f8b6eebbb7aad3bff6f1346f019467999b6f6a.jpg"
	}
}