A new Watchbog malware variant can scan for Windows computers vulnerable to BlueKeep exploits, with previous variants only being utilized to infect Linux servers compromised using Jira, Exim, Nexus Repository Manager 3, ThinkPHP, and Solr Linux exploits.

"Among the new Linux exploits, this version of WatchBog implements a BlueKeep RDP protocol vulnerability scanner module, which suggests that WatchBog is preparing a list of vulnerable systems to target in the future or to sell to third party vendors for profit," Intezer Labs says.

BlueKeep is a remote code execution vulnerability present in the Windows Remote Desktop Services and enabling remote unauthenticated attackers to run arbitrary code, conduct denial of service attacks, as well as potentially take control of vulnerable systems.

Microsoft patched the RCE flaw that impacts several versions, from Windows XP, Windows Vista, and Windows 7 to Windows Server 2003 and Windows Server 2008, including all versions with installed Service Packs, as part of the May Patch Tuesday.

zerosum0x0 scanner vs Watchbog scanner

Watchbog's BlueKeep scanning module

The BlueKeep scanner included in the WatchBog variant discovered by Intezer is a port of the scanner PoC developed by zerosum0x0 for the RDP remote code execution vulnerability tracked as CVE-2019-0708 per Intezer's research team, a conclusion based on similarly named functions.

After being launched on the infected machine, Watchbog's BlueKeep scanner will immediately start probing all the IP addresses from a list delivered by the malware's command-and-control (C2) server.

While probing the list of IPs for running RDP Windows services on the 3389 TCP port, Watchbog uses a 'Cookie: mstshash=' string as the username for the RDP mstshash field.

BlueKeep probing

After finishing the scanning process, the Watchbog bots will send the list of vulnerable hosts it found to the C2 server as a hexadecimal data string encrypted using RC4.

Besides the previously discovered Jira, Exim, Nexus Repository Manager 3, ThinkPHP, and Solr, Intezer Labs' Ignacio Sanmillan and Paul Litvak also found "two modules for bruteforcing CouchDB and Redis instances exist together along with code to achieve RCE."

Additionally, they were also able to unearth "an early test version of the spreader module uploaded to HybridAnalysis, including an exploit to Solr CVE-2019-0192, an exploit to ActiveMQ CVE-2016-3088, and a module utilizing a technique to gain code execution over cracked Redis instances."

Watchbog 'pwn' RCE modules

The Watchbog crew Q&A

After covering their attacks on Jira and Exim servers, BleepingComputer reached out to the outfit behind the Watchbog malware to get more info on the motivation behind their campaign.

As they told us in the email exchange, they are still saying that the impulse driving their "efforts" is "to make the internet a safer place," and they did confirm that a BlueKeep module is now part of their "project."

However, they didn't want to share if they also have a working exploit ready to abuse unpatched Windows machines or what it will be used for.

What we know for sure is that Watchbog wasn't used for any destructive purposes until now, cryptomining being the end goal for their attacks, with no plan to tamper with data stored on infected computers in any way or to ask for a ransom.

Another probable development would be that the Watchbog operators will collect info on all the Windows systems vulnerable to BlueKeep exploits "to target in the future or to sell to third party vendors for profit," as per Intezer Labs' analysis.

Q1) Can you share how many servers you have infected with this script? ANS 1: Well to be honest we don't actually have a specific no of how many server's have gotten infected through out this campaign, but we estimate 5000 - 20000 servers are infected. Q2) Do you actually provide a cleanup script and instructions on how to secure a server? ANS 2: Yes we do. We provide a cleanup script, provide full disclosure how we hacked into the server's, provide patch instructions and also advice on ways to prevent future attacks. Well we can't really provide so much details but we have helped secure some very high profile targets this year. Q3) Any other comment you would like to share? ANS 3: Well we want everybody to believe in our goal, we are not the badguys. Yes we mine but honestly speaking that's only to help fund the campaign, and that's one of the way we help notify affected servers that we are present in the server. We wish people can stop sabotaging this campaign. We only want to make the internet a safer place in the little way we can (breaking things to fix it). Q4) Have we added a BlueKeep scanner to our project? ANS 1) Yes we have. Q5) Do we have a working exploit? ANS2) That we can't share (it's a secret). Q6) What will it be used for? ANS3) That we can't share (it's a secret). Q7) Do we plan on implementing the BlueKeep Vuln? ANS4) That we can't share (it's a secret).

"The incorporation of the BlueKeep scanner by a Linux botnet may indicate WatchBog is beginning to explore financial opportunities on a different platform," concluded Intezer's researchers.

"Currently, no known public RCE BlueKeep PoCs exist and it will be interesting to monitor this group once a PoC is published."

BlueKeep mitigation measures

After Microsoft released patches for all vulnerable Windows versions, multiple security researchers and vendors have created and demoed proof-of-concept exploits for this vulnerability.

Some researchers have also developed scripts and tools designed to make the task of finding vulnerable Windows machines for patching a lot easier.

There are also scanning tools that can be used to quickly identify BlueKeep vulnerable machines without any of the bad side effects, as well as detection rules such as the BlueKeep signature created by the NCC Group for Suricata IDS/IPS.

To prevent Watchbog infections and block attacks, Intezer recommends the following measures:

We suggest Windows users refer to Microsoft’s customer guidance in order to mitigate the BlueKeep vulnerability.

We suggest Linux users, who use Exim, Jira, Solr, Jenkins or Nexus Repository Manager 3, to update to the latest versions.

We suggest Linux users, who use Redis or CouchDB, to ensure that there are no open ports that are exposed outside of trusted networks.

We recommend Linux users who suspect that they are infected with WatchBog to check for the existence of the “/tmp/.tmplassstgggzzzqpppppp12233333” file or the “/tmp/.gooobb” file.

We have also created a custom YARA rule based on WatchBog’s malicious code for detecting this threat.

The Cybersecurity and Infrastructure Security Agency (CISA) published a list of BlueKeep mitigation measures in June, at the same time announcing that it has achieved RCE on an unpatched Windows 2000 computer.

That was the fourth warning for users of vulnerable Windows to patch or upgrade their systems after two others issued by Microsoft [1, 2] and one from the U.S. National Security Agency.

Windows admins and users are also advised by CISA to review both Microsoft BlueKeep Security Advisory and the Microsoft Customer Guidance for CVE-2019-0708.