A new variant of WatchBog, the infamous malware that previously infected Linux servers through Jira, Exim, ThinkPHP, and Solr exploits, now targets Windows RDP servers that are vulnerable to BlueKeep.
The BlueKeep vulnerability lies in Windows Remote Desktop Services: by sending specially crafted requests over the RDP protocol, attackers can remotely run arbitrary code or cause a denial of service, and potentially take over the vulnerable systems.
WatchBog's BlueKeep scanner runs on infected systems and probes every IP address on a list fetched from the malware's command-and-control (C2) server, checking whether the Windows RDP service is listening on TCP port 3389 by sending a connection request that carries a 'Cookie: mstshash=' string, the RDP field that normally holds the user's login name.
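The probe described above is just the first packet of any RDP session, an X.224 Connection Request carrying the mstshash cookie, so a defender can parse it from captured traffic and flag a source that sends it to many hosts. The following is an added example written for this article (not code from Intezer or from the malware); it assumes the standard TPKT/X.224 framing of RDP and uses hypothetical function names and constructed sample traffic.

```python
import struct
from collections import defaultdict

X224_CR = 0xE0          # X.224 Connection Request TPDU code
COOKIE = b"Cookie: mstshash="

def parse_rdp_connection_request(data: bytes):
    """Parse a TPKT-framed X.224 Connection Request (first packet of an RDP session).
    Returns the mstshash cookie and requested protocols, or None if not a valid CR."""
    if len(data) < 11 or data[0] != 3:                  # TPKT version is always 3
        return None
    if struct.unpack(">H", data[2:4])[0] != len(data):  # TPKT length covers the whole PDU
        return None
    li, code = data[4], data[5]                         # length indicator, TPDU code
    if (code & 0xF0) != X224_CR or 5 + li > len(data):
        return None
    body = data[11:5 + li]      # variable part after code, dst-ref, src-ref, class option
    cookie = None
    if body.startswith(COOKIE):
        end = body.find(b"\r\n")
        if end == -1:
            return None
        cookie = body[len(COOKIE):end].decode("ascii", "replace")
        body = body[end + 2:]
    protocols = None
    if len(body) >= 8 and body[0] == 0x01:              # TYPE_RDP_NEG_REQ trailer
        protocols = struct.unpack("<I", body[4:8])[0]
    return {"cookie": cookie, "requested_protocols": protocols}

def build_connection_request(cookie: str, protocols: int = 0) -> bytes:
    """Constructed sample CR, as any ordinary RDP client sends it; test input only."""
    var = COOKIE + cookie.encode() + b"\r\n" + struct.pack("<BBHI", 1, 0, 8, protocols)
    tpdu = bytes([X224_CR, 0, 0, 0, 0, 0]) + var        # code, dst-ref, src-ref, class
    return struct.pack(">BBHB", 3, 0, 5 + len(tpdu), len(tpdu)) + tpdu

def flag_rdp_sweeps(events, min_targets=5):
    """events: (src_ip, dst_ip, first_payload) per new TCP/3389 connection.
    A source whose cookie-bearing CRs reach min_targets distinct hosts looks
    like a list-driven sweep, not a user opening a desktop session."""
    targets = defaultdict(set)
    for src, dst, payload in events:
        cr = parse_rdp_connection_request(payload)
        if cr and cr["cookie"] is not None:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

# Constructed traffic: one host probing six addresses, plus one normal login.
SAMPLE_EVENTS = [("10.0.0.5", f"192.0.2.{i}", build_connection_request("x")) for i in range(1, 7)]
SAMPLE_EVENTS.append(("10.0.0.9", "192.0.2.1", build_connection_request("alice", 3)))
```

Feeding the first payload of each inbound 3389 connection into `flag_rdp_sweeps` over a short window surfaces list-driven scanners while leaving single logins alone.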
According to Intezer Labs, credited with discovering the new WatchBog variant, the attackers behind the malware use their botnet to compile a list of vulnerable systems to target in the future or to sell to third parties for profit. The malware has already compromised over 4,500 Linux machines in the last couple of months.
It deploys a script on the targeted machine to download Monero miner modules; the script also gains persistence on the infected system so it can later download a new spreader module in the form of a dynamically linked, Cython-compiled ELF executable.
Microsoft, however, has released patches for the vulnerable Windows versions, following security researchers' proof-of-concept exploits for the vulnerability and several tools designed to make it easier to find vulnerable Windows machines.