elf.watchbog

WatchBog


According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable compiled with Cython. C&C addresses are fetched from Pastebin, and C&C communication carries a unique identification key per victim. The module contains a BlueKeep (CVE-2019-0708) scanner that reports positively scanned hosts to the C&C server, RC4-encrypted inside an SSL/TLS channel. It also carries five exploits, targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3.

References
2019-07-24, Intezer, Paul Litvak and Ignacio Sanmillan: Watching the WatchBog: New BlueKeep Scanner and Linux Exploits. https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/ (accessed 2020-05-18)
@online{litvak:20190724:watching:abc3541, author = {Paul Litvak and Ignacio Sanmillan}, title = {{Watching the WatchBog: New BlueKeep Scanner and Linux Exploits}}, date = {2019-07-24}, organization = {Intezer}, url = {https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/}, language = {English}, urldate = {2020-05-18} }

There is no Yara-Signature yet.