WatchDog Continues to Target East Asian CSPs

Researchers at Cado Labs report the re-emergence of WatchDog, a threat actor known for cryptojacking cloud resources. The new campaign, attributed through a Monero wallet ID tied to the actor, targets instances at East Asian Cloud Service Providers with a shell script that removes the providers' monitoring agents, evicts rival miners, and deploys XMRig; initial access is gained through misconfigured cloud instances. #WatchDog #TeamTNT

Keypoints

  • WatchDog has re-emerged: the malicious shell script is attributed to the actor through a Monero wallet ID under WatchDog's control.
  • The payload begins by adjusting resource limits with the ulimit command and removing monitoring tools, then deletes the Linux syslog to cover its tracks.
  • The script removes monitoring agents native to East Asian Cloud Service Providers, which suggests the defense evasion is tailored to those CSPs.
  • The script competes for compute by killing rival cryptojacking processes and deleting their artifacts, including TeamTNT executables.
  • The TeamTNT cleanup routines suggest WatchDog believes TeamTNT, which retired in 2021, is active again.
  • The mining configuration deploys XMRig from /tmp with multiple mining pool servers, confirming the campaign's monetary objective.

MITRE Techniques

  • [T1133] External Remote Services – Misconfigured cloud instances used as an initial access vector. “…misconfigured cloud instances as an initial access vector.”
  • [T1070.006] Timestomp – Timestamps manipulated with the touch command on system utilities. “Lines 671, 682 and 693 also demonstrate use of the touch command to perform timestomping on the replaced system utilities.”
  • [T1070] Indicator Removal on Host – Removing Linux syslog to cover tracks. “before removing the Linux syslog – in an attempt to cover their tracks.”
  • [T1562] Impair Defenses – Removal of monitoring agents native to East Asian Cloud Service Providers. “removal of monitoring agents native to East Asian Cloud Service Providers.”
  • [T1036] Masquerading – Replacing common system utilities (such as top and ps) with a rudimentary shell script. “the threat actor replaced common system utilities (such as top and ps…”
  • [T1496] Resource Hijacking – Mining configuration and use of a Monero miner to monetize the compromised resource. “The rest of the script is dedicated to retrieving and setting up the miner – a version of XMRig which is saved with the filename “zzh” and run from /tmp/.”
  • [T1070.004] File Deletion – Removing TeamTNT executables from /usr/bin. “Lines 497 and 501 are used to remove files from a folder named TeamTNT under /usr/bin.”
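The three host-side behaviours above (utilities replaced by a shell script, timestomping with touch, a miner run from /tmp) each leave something a responder can check for. The helpers below are an added example, not Cado's analysis script or the actor's payload; they assume Linux with GNU coreutils (stat -c, find -perm, touch -d) and build a constructed scenario in a scratch directory rather than touching real system files.

```bash
#!/usr/bin/env bash
# Added triage helpers for the behaviours listed above; example code, not
# Cado's script or the actor's payload. Assumes Linux with GNU coreutils
# (stat -c, find -perm, touch -d).

# is_elf FILE: true if FILE begins with the ELF magic bytes 7f 45 4c 46.
is_elf() {
  [ -r "$1" ] || return 1
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# check_utilities FILE...: print every utility that is not an ELF binary.
# A ps or top that starts with "#!/bin/sh" is the T1036 masquerade above:
# a script standing in for the real tool. Returns 1 if anything was flagged.
check_utilities() {
  local rc=0 u
  for u in "$@"; do
    if ! is_elf "$u"; then
      printf 'SUSPICIOUS %s: not ELF, first line: %s\n' \
        "$u" "$(head -n1 "$u" 2>/dev/null | cut -c1-60)"
      rc=1
    fi
  done
  return "$rc"
}

# looks_timestomped FILE [GAP_SECONDS]: true if mtime precedes ctime by more
# than GAP_SECONDS (default 60). touch -d/-r rewrites mtime, but the kernel
# sets ctime to the time of that change, so a backdated mtime leaves a gap.
# Caveat: package managers also install binaries with an old (build-time)
# mtime, so treat this as corroboration for a file the ELF check flagged, or
# verify the file against the package database (dpkg --verify, rpm -V).
looks_timestomped() {
  local mtime ctime
  mtime=$(stat -c %Y "$1") || return 1
  ctime=$(stat -c %Z "$1") || return 1
  [ $((ctime - mtime)) -gt "${2:-60}" ]
}

# tmp_executables DIR: regular files with the owner execute bit under DIR,
# e.g. /tmp, where the summary says XMRig is dropped as "zzh" and run.
tmp_executables() {
  find "$1" -maxdepth 2 -type f -perm -u+x 2>/dev/null
}

# demo: run the checks against a constructed scenario in a scratch directory
# (a fake ELF "top" and a shell-script "ps" with a backdated mtime).
demo() {
  local d
  d=$(mktemp -d)
  printf '\177ELF\002\001\001' > "$d/top"; chmod +x "$d/top"   # constructed ELF stand-in
  printf '#!/bin/sh\n/bin/ps.orig "$@" | grep -v zzh\n' > "$d/ps"   # constructed wrapper
  chmod +x "$d/ps"
  touch -d '2019-01-01 00:00:00' "$d/ps"   # constructed timestomp
  check_utilities "$d/top" "$d/ps"
  looks_timestomped "$d/ps" && echo "TIMESTOMP? $d/ps (mtime far older than ctime)"
  echo "executables under $d:"; tmp_executables "$d"
  rm -rf "$d"
}

demo
```

On a live host, point check_utilities at the binaries the summary names (for example /bin/ps and /usr/bin/top) and tmp_executables at /tmp; anything flagged should then be compared with the package manager's copy before it is trusted again, because the replaced utility is also the thing that would otherwise hide the miner from you.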

Indicators of Compromise

  • [Filename] context – init.sh, newinit.sh
  • [SHA-256 Hash] context – c68a82fc2e8f27ef017a69b951c92d4336c6b657e8666dbb58395bac195d00cb, 47d69b281d9cbaca0638f8ca304d40fa04991c870ea8b65388bd42eb266cf2c0
  • [Domain] context – xmr.f2pool.com, xmr.pool.gntl.co.uk
  • [IP] context – 139.99.102.72, 80.211.206.105
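Sweeping logs for these indicators is mostly a matter of not letting grep treat them as regular expressions or match them inside longer strings. The script below is an added example, not Cado's code; the log lines are constructed for illustration and are not real telemetry. It assumes GNU grep and mktemp.

```bash
#!/usr/bin/env bash
# Added example of sweeping log lines for the indicators listed above. Not
# Cado's code; the sample log is constructed, not real telemetry. Assumes
# GNU grep (-F -w -f) and mktemp.

# Indicators from the summary, one per line.
IOCS='init.sh
newinit.sh
c68a82fc2e8f27ef017a69b951c92d4336c6b657e8666dbb58395bac195d00cb
47d69b281d9cbaca0638f8ca304d40fa04991c870ea8b65388bd42eb266cf2c0
xmr.f2pool.com
xmr.pool.gntl.co.uk
139.99.102.72
80.211.206.105'

# Constructed sample log (hosts, times, paths and the benign lines are made
# up): a DNS query to a listed pool, a connection to a listed IP, a file event
# carrying a listed hash in upper case, and two lines that must not match.
SAMPLE_LOG='2023-06-01T10:00:01Z dns host=web-3 qname=xmr.f2pool.com type=A
2023-06-01T10:00:02Z conn host=web-3 dst=80.211.206.105:443 proto=tcp
2023-06-01T10:00:03Z file host=web-3 path=/tmp/zzh sha256=47D69B281D9CBACA0638F8CA304D40FA04991C870EA8B65388BD42EB266CF2C0
2023-06-01T10:00:04Z dns host=web-4 qname=deb.debian.org type=A
2023-06-01T10:00:05Z exec host=web-4 path=/opt/app/reinit.sh user=app'

# write_sample_log: write SAMPLE_LOG to a temp file and print its path.
write_sample_log() {
  local f
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$f"
  printf '%s\n' "$f"
}

# match_iocs LOGFILE: print lines containing any indicator. -F treats each
# pattern as a fixed string (dots in domains are not wildcards), -w requires
# word boundaries so "init.sh" does not fire on "reinit.sh", and -i makes the
# hash comparison case-insensitive.
match_iocs() {
  local patterns rc
  patterns=$(mktemp)
  printf '%s\n' "$IOCS" > "$patterns"
  grep -iwF -f "$patterns" "$1"
  rc=$?
  rm -f "$patterns"
  return "$rc"
}

# count_hits LOGFILE: one "indicator<TAB>count" line per indicator seen.
count_hits() {
  local ioc n
  printf '%s\n' "$IOCS" | while IFS= read -r ioc; do
    n=$(grep -icwF -- "$ioc" "$1") || true
    if [ "$n" -gt 0 ]; then printf '%s\t%s\n' "$ioc" "$n"; fi
  done
}

log=$(write_sample_log)
echo "== matching lines"; match_iocs "$log"
echo "== hits per indicator"; count_hits "$log"
rm -f "$log"
```

Two caveats when reading the hits: the SHA-256 values only mean something against file-hash telemetry, not network logs, and xmr.f2pool.com is a public mining pool, so a DNS or connection hit shows that mining is happening on the host but does not by itself attribute it to WatchDog.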

Read more: https://www.cadosecurity.com/watchdog-continues-to-target-east-asian-csps/