SYMBOLCOMMON_NAMEaka. SYNONYMS
elf.watchbog (Back to overview)

WatchBog


According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C adresses are fetched from Pastebin. C&C communication references unique identification keys per victim. It contains a BlueKeep scanner, reporting positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains 5 exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3.

References
2019-07-24IntezerIgnacio Sanmillan, Paul Litvak
Watching the WatchBog: New BlueKeep Scanner and Linux Exploits
WatchBog

There is no Yara-Signature yet.