Cloud Incident Response Blog | Cado Security

WatchDog Continues to Target East Asian CSPs

Written by jbowen@cadosecurity.com | Nov 16, 2022 2:00:00 PM

Introduction

Researchers at Cado Labs have recently discovered the re-emergence of the threat actor WatchDog. As regular readers will know, WatchDog are an opportunistic and prominent threat actor, who are known for routinely carrying out cryptojacking attacks against resources hosted by various Cloud Service Providers.

We previously reported on WatchDog’s activities after they targeted one of our honeypots back in June 2022. We’ve attributed this new campaign to them based on the presence of a malicious shell script and a Monero wallet ID known to be under their control. Techniques known to be used by this group are also evident.

System Weakening

As is common with this type of attack, the script begins with a number of commands designed to weaken the compromised system and remove monitoring tools. We can see the threat actor making use of the ulimit command to configure resource limits for the current user, before removing the Linux syslog - in an attempt to cover their tracks.


Various system weakening commands

This section of the script also includes commands to remove various files/directories from /tmp/ which appear to be related to cryptomining (lines 13 - 15). This is likely an attempt to remove artifacts from prior cryptojacking attacks. 

Moving further down the script, we can see the threat actor has included code to remove monitoring agents native to East Asian Cloud Service Providers. This suggests targeting of these CSPs, as we’ve seen in related campaigns.


Removal of monitoring agents found in East Asian CSPs

Competing for Resources

Perhaps some of the most interesting information to be gained from analysing these types of payloads is the insight into techniques used by competing threat groups. Usually cryptomining shell scripts have a section dedicated to killing processes and removing artifacts from competing cryptojacking attacks - this one is no different. 

In this particular payload, a number of lines within this section caught our attention.


Competitor removal code of interest

Lines 497 and 501 are used to remove files from a folder named TeamTNT under /usr/bin. It would seem likely that this folder contained executables implanted during an attack by this prominent cloud threat actor.

This is particularly interesting as there’s been some recent discussion around whether TeamTNT are active again, after the public announcement of their retirement in 2021. Based on this recent shell script, it seems as if WatchDog are under the impression that TeamTNT are indeed back.


TeamTNT Twitter - Bio and pinned Tweet suggests retirement

Line 496 in the screenshot above is also of interest. In our analysis of CoinStomp, a similar cryptojacking campaign from early 2022, we noted an attempt to remove files from the path /usr/share/crypto-policies. On RHEL and RHEL-like Linux systems, this directory contains cryptographic policies which can be used for hardening, by allowing or disallowing certain cryptographic protocols based on risk posture. 
However, we’ve also seen reports of similar cryptojacking campaigns storing their executables under /usr/bin/[crypto]. In this instance, it seems likely that WatchDog are trying to remove such executables from a prior compromise.

Defense Evasion and Anti-Forensics

In our last report on WatchDog’s activities, we noted a distinctive technique where the threat actor replaced common system utilities (such as top and ps), with a rather rudimentary shell script - used to filter any attacker-owned processes from the output of said utilities. The same technique appears in this newer payload.


Turning common utilities into custom process hiders

Lines 671, 682 and 693 also demonstrate use of the touch command to perform timestomping on the replaced system utilities. We believe this is an anti-forensics measure, designed to confuse an analyst during the incident response process. We saw this technique in our analysis of CoinStomp, and it’s surprising that we don’t see it more often with cloud threat actors - given that it’s a clever example of “living off the land”.

Mining Configuration

The rest of the script is dedicated to retrieving and setting up the miner - a version of XMRig which is saved with the filename “zzh” and run from /tmp/. The following mining servers are used:

xmr[.]f2pool[.]com:13531 A public, multi-coin mining pool with support for Monero
139[.]99[.]102[.]72:14433 IP used by mining pools operated by nanopool.org 
xmr[.]pool[.]gntl.co.uk:10009 Public mining pool operated by the GNTL project
80[.]211[.]206[.]105:9000 IP used by mining pools operated by bohemianpool.com

Conclusion

Clearly, WatchDog remain active and pose a significant threat to users of Cloud Service Providers such as Tencent and Alibaba Cloud. Several techniques typical of this threat actor were seen in the analysed shell script and the reuse of a particular Monero wallet made attribution relatively easy. 

The presence of code used to remove TeamTNT executables was an interesting observation. We’ve seen evidence to suggest that cloud-focused cryptojacking groups keep their knowledge of the threat landscape current, so perhaps this indicates that WatchDog have encountered evidence of TeamTNT activities during their campaigns. 

We mentioned earlier that WatchDog and similar groups are opportunistic, and it’s likely that this malware made use of misconfigured cloud instances as an initial access vector. Once again, this highlights the ease of which certain cloud threat actors can compromise cloud resources and how little effort is required for them to make this endeavour profitable.


Screenshot of Cado processing a machine infected with this sample

Indicators of Compromise

Filename SHA-256 Hash
init.sh c68a82fc2e8f27ef017a69b951c92d4336c6b657e8666dbb58395bac195d00cb
newinit.sh 47d69b281d9cbaca0638f8ca304d40fa04991c870ea8b65388bd42eb266cf2c0