Researchers at Cado Labs have recently discovered the re-emergence of the threat actor WatchDog. As regular readers will know, WatchDog are an opportunistic and prominent threat actor, who are known for routinely carrying out cryptojacking attacks against resources hosted by various Cloud Service Providers.
We previously reported on WatchDog’s activities after they targeted one of our honeypots back in June 2022. We’ve attributed this new campaign to them based on the presence of a malicious shell script and a Monero wallet ID known to be under their control. Techniques known to be used by this group are also evident.
As is common with this type of attack, the script begins with a number of commands designed to weaken the compromised system and remove monitoring tools. We can see the threat actor making use of the ulimit command to configure resource limits for the current user, before removing the Linux syslog - in an attempt to cover their tracks.
This section of the script also includes commands to remove various files/directories from /tmp/ which appear to be related to cryptomining (lines 13 - 15). This is likely an attempt to remove artifacts from prior cryptojacking attacks.
Moving further down the script, we can see the threat actor has included code to remove monitoring agents native to East Asian Cloud Service Providers. This suggests targeting of these CSPs, as we’ve seen in related campaigns.
Perhaps some of the most interesting information to be gained from analysing these types of payloads is the insight into techniques used by competing threat groups. Usually cryptomining shell scripts have a section dedicated to killing processes and removing artifacts from competing cryptojacking attacks - this one is no different.
In this particular payload, a number of lines within this section caught our attention.
Lines 497 and 501 are used to remove files from a folder named TeamTNT under /usr/bin. It would seem likely that this folder contained executables implanted during an attack by this prominent cloud threat actor.
This is particularly interesting as there’s been some recent discussion around whether TeamTNT are active again, after the public announcement of their retirement in 2021. Based on this recent shell script, it seems as if WatchDog are under the impression that TeamTNT are indeed back.
Line 496 in the screenshot above is also of interest. In our analysis of CoinStomp, a similar cryptojacking campaign from early 2022, we noted an attempt to remove files from the path /usr/share/crypto-policies. On RHEL and RHEL-like Linux systems, this directory contains cryptographic policies which can be used for hardening, by allowing or disallowing certain cryptographic protocols based on risk posture.
However, we’ve also seen reports of similar cryptojacking campaigns storing their executables under /usr/bin/[crypto]. In this instance, it seems likely that WatchDog are trying to remove such executables from a prior compromise.
In our last report on WatchDog’s activities, we noted a distinctive technique where the threat actor replaced common system utilities (such as top and ps), with a rather rudimentary shell script - used to filter any attacker-owned processes from the output of said utilities. The same technique appears in this newer payload.
Lines 671, 682 and 693 also demonstrate use of the touch command to perform timestomping on the replaced system utilities. We believe this is an anti-forensics measure, designed to confuse an analyst during the incident response process. We saw this technique in our analysis of CoinStomp, and it’s surprising that we don’t see it more often with cloud threat actors - given that it’s a clever example of “living off the land”.
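A defender-side check for the two techniques described above (system utilities replaced by shell-script wrappers, then back-dated with touch), written as an added example rather than code from Cado Labs or from the analysed script. The watchlist of utilities, the /usr/bin default and the 30-day ctime/mtime threshold are assumptions; the demo fixture is constructed, not a real artefact.

```python
"""Flag system utilities swapped for shell-script wrappers and back-dated
with touch. Added example, not Cado Labs' code; the watchlist, bin
directory and 30-day threshold are assumptions."""
import os
import stat
import tempfile

UTILITIES = ["top", "ps", "pstree", "netstat", "lsof"]  # assumed watchlist

def inspect_binary(path, ctime_gap_days=30):
    """Return findings for one file (empty list means it looks clean)."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(st.st_mode):  # e.g. busybox symlinks; resolve separately
        return findings
    with open(path, "rb") as fh:
        magic = fh.read(4)
    if magic[:2] == b"#!":
        findings.append("script_instead_of_elf")
    elif magic != b"\x7fELF":
        findings.append("unknown_file_type")
    # touch -d/-r rewrite atime and mtime but the kernel always bumps ctime, so
    # a timestomped file shows mtime far behind ctime. Package managers also
    # preserve archive mtimes, so confirm with rpm -V / dpkg --verify.
    if st.st_ctime - st.st_mtime > ctime_gap_days * 86400:
        findings.append("mtime_far_behind_ctime")
    return findings

def scan(bindir="/usr/bin", utilities=UTILITIES):
    """Map utility name -> findings, keeping only files that had findings."""
    results = {}
    for name in utilities:
        findings = inspect_binary(os.path.join(bindir, name))
        if findings:
            results[name] = findings
    return results

def build_demo():
    """Constructed fixture, not real artefacts: a back-dated shell-script 'ps'
    beside a minimal ELF-headed 'top', in a fresh temporary directory."""
    d = tempfile.mkdtemp(prefix="demo-")
    with open(os.path.join(d, "ps"), "wb") as fh:
        fh.write(b"#!/bin/sh\n")
    os.utime(os.path.join(d, "ps"), (0, 0))  # mimic 'touch -d' back to 1970
    with open(os.path.join(d, "top"), "wb") as fh:
        fh.write(b"\x7fELF" + bytes(12))
    return d
```

Running `scan(build_demo(), ["ps", "top"])` flags only the script-based, back-dated `ps`; on a live host, run `scan()` against the real bin directory and confirm any hit with the package manager.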
The rest of the script is dedicated to retrieving and setting up the miner - a version of XMRig which is saved with the filename “zzh” and run from /tmp/. The following mining servers are used:
| Mining server | Notes |
| --- | --- |
| xmr[.]f2pool[.]com:13531 | A public, multi-coin mining pool with support for Monero |
| 139[.]99[.]102[.]72:14433 | IP used by mining pools operated by nanopool.org |
| xmr[.]pool[.]gntl.co.uk:10009 | Public mining pool operated by the GNTL project |
| 80[.]211[.]206[.]105:9000 | IP used by mining pools operated by bohemianpool.com |
Clearly, WatchDog remain active and pose a significant threat to users of Cloud Service Providers such as Tencent and Alibaba Cloud. Several techniques typical of this threat actor were seen in the analysed shell script and the reuse of a particular Monero wallet made attribution relatively easy.
The presence of code used to remove TeamTNT executables was an interesting observation. We’ve seen evidence to suggest that cloud-focused cryptojacking groups keep their knowledge of the threat landscape current, so perhaps this indicates that WatchDog have encountered evidence of TeamTNT activities during their campaigns.
We mentioned earlier that WatchDog and similar groups are opportunistic, and it’s likely that this malware made use of misconfigured cloud instances as an initial access vector. Once again, this highlights the ease with which certain cloud threat actors can compromise cloud resources and how little effort is required for them to make this endeavour profitable.
| Filename | SHA-256 Hash |
| --- | --- |
| init.sh | c68a82fc2e8f27ef017a69b951c92d4336c6b657e8666dbb58395bac195d00cb |
| newinit.sh | 47d69b281d9cbaca0638f8ca304d40fa04991c870ea8b65388bd42eb266cf2c0 |