Hackers attack Jira and Exim servers to install Watchbog Linux Trojan

Cybercriminals attack vulnerable Jira and Exim servers in order to infect them with the new version of Linux-Trojan Watchbog and Monero cryptocurrency mining.

Watchbog is a malicious software for infecting Linux-based servers by operating vulnerable software, such as Jenkins, Nexus Repository Manager 3, ThinkPHP or Linux Supervisord.

According to a researcher from Intezer Labs, the latest version of the malware exploits the newly discovered template injection vulnerability (template injection) in Jira (CVE-2019-11581), which allows executing remote code.

Tweet of researcher Intezer Labs
Tweet of researcher Intezer Labs

The malware also exploits a RCE vulnerability in Exim (CVE-2019-10149), which allows attackers to execute commands with root permissions.

According to the Shodan search, there are currently more than 1,610,000 vulnerable Exim servers on the network, as well as over 54,000 vulnerable Atlassian JIRA servers.

“The fact that the Jira CVE-2019-11581 template injection vulnerability these attackers are targeting has been publicly disclosed just 12 days ago stands as proof to the speed at which threat actors are starting to abuse new security flaws”, — conclude Bleepingcomputer journalists.

Having exploited the vulnerabilities, Watchbog uploads a crypto-miner to extract Monero currency and takes steps to maintain its presence on the system. In particular, it adds itself to several crontab files to reinfect the system if the user deletes one of these files.

Extracted currency is sent to:


During the campaign, attackers managed to get 53 XMR (approximately $4503).

One of the distinguishing features of this campaign is that the malware leaves a message to its victims, according to which the motive of the intruders is “Internet security”.

READ  How Can I Remove Msvcp.exe?
Watchbog fighting to keep the Internet safe
Watchbog fighting to keep the Internet safe

What makes it highly dangerous is that this variant is not detected by any of the scanning engines on VirusTotal.

But, according to the Watchbog operators, the malware is intended only for mining cryptocurrency, and they have no intention to modify the data stored on the servers or demand a ransom.

[Total: 0    Average: 0/5]

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

How to remove SLoad (StarsLord) virus virus?

SLoad (StarsLord) virus is a generic detection used by Microsoft Security Essentials, Windows Defender and …

Remove Wudfhosts.exe Miner: Easy Steps To Uninstall

A new, very harmful cryptocurrency miner virus has actually been detected by safety and security …

Leave a Reply