A large cryptojacking campaign targeting Windows and *NIX systems went undetected for over two years, earning its operators tens of thousands of dollars in the process. The cryptojacking malware, known as WatchDog, is believed to have hundreds of victims, and the campaign is still ongoing.
The research team that uncovered the campaign believes it is the work of a highly skilled outfit that may have other lucrative operations underway.
WatchDog Cryptojacking Malware Claims Hundreds of Victims
The Palo Alto Networks research team, known as Unit 42, believes WatchDog has compromised “at least 476” systems, mainly Windows and *NIX cloud instances, and that the campaign has been running since January 27, 2019.
In that two-year period, the campaign has illicitly mined “at least 209 Monero (XMR),” worth around $32,000 at the time of writing.
The malware uses a three-part binary set written in the Go programming language. Each binary performs a specific role on the victim’s machine: one launches the mining program, another acts as a watchdog that makes sure the mining operation is not shut down. Furthermore, the campaign spreads its infrastructure across multiple endpoints and domains, which keeps it low-profile and strengthens the malware’s chances of staying online if any single domain is discovered and taken down.
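The watchdog behaviour described above leaves a recognisable trace in endpoint telemetry: a child process that is terminated and then relaunched by the same parent within seconds, again and again. The following detector is an added example written for this page, not code from the article, Unit 42 or the malware itself. It runs over a constructed, simplified event stream (start/stop records with pid, parent pid and image path); the field layout is a stand-in for Sysmon or auditd process events, and the `/tmp/.wd/...` paths and pids are hypothetical sample data, not WatchDog indicators.

```python
"""Heuristic detection of a watchdog/respawn pattern in process telemetry.

Added example for this article; the event format and all sample values are
constructed for illustration and are not indicators of the WatchDog malware.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float        # seconds since epoch (constructed)
    kind: str        # "start" or "stop"
    pid: int
    image: str       # executable path
    ppid: int = 0    # parent pid; only meaningful on "start" records


def start(ts, pid, ppid, image):
    return ProcEvent(ts, "start", pid, image, ppid)


def stop(ts, pid, image=""):
    # Termination records in real telemetry usually carry pid and image only.
    return ProcEvent(ts, "stop", pid, image)


def find_respawns(events, window_s=10.0, min_restarts=3):
    """Return {(ppid, image): restart_count} for every (parent, image) pair
    where a new instance starts within `window_s` seconds of the previous
    instance stopping, at least `min_restarts` times.

    A single fast restart is normal (service managers do it); a miner that
    comes back within seconds every time it is killed is the watchdog
    pattern the article describes.
    """
    live = {}                    # pid -> (ppid, image) for processes seen starting
    last_stop = {}               # (ppid, image) -> ts when the last instance ended
    restarts = defaultdict(int)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "start":
            key = (e.ppid, e.image)
            live[e.pid] = key
            prev = last_stop.get(key)
            if prev is not None and 0.0 <= e.ts - prev <= window_s:
                restarts[key] += 1
        elif e.kind == "stop":
            key = live.pop(e.pid, None)   # unknown pid: started before capture
            if key is not None:
                last_stop[key] = e.ts
    return {k: n for k, n in restarts.items() if n >= min_restarts}


# Constructed sample: a hypothetical watchdog (pid 4242) relaunches a miner
# each time an analyst kills it, while a benign logrotate job runs twice an
# hour apart. None of these paths or pids are real WatchDog artefacts.
SAMPLE_EVENTS = [
    start(100.0, pid=4242, ppid=1, image="/tmp/.wd/watchdog"),
    start(101.0, pid=4300, ppid=4242, image="/tmp/.wd/miner"),
    stop(600.0, pid=4300),                                        # killed
    start(601.5, pid=4310, ppid=4242, image="/tmp/.wd/miner"),    # back in 1.5 s
    stop(900.0, pid=4310),
    start(901.0, pid=4321, ppid=4242, image="/tmp/.wd/miner"),
    stop(1200.0, pid=4321),
    start(1201.2, pid=4333, ppid=4242, image="/tmp/.wd/miner"),
    start(200.0, pid=5000, ppid=1, image="/usr/sbin/logrotate"),
    stop(205.0, pid=5000),
    start(3800.0, pid=5001, ppid=1, image="/usr/sbin/logrotate"),
    stop(3805.0, pid=5001),
]


if __name__ == "__main__":
    for (ppid, image), n in find_respawns(SAMPLE_EVENTS).items():
        print(f"parent {ppid} relaunched {image} {n} times within seconds of it stopping")
```

The parent pid is part of the key on purpose: a miner restarted by a dedicated watchdog process looks different from the same binary being re-run by a shell or scheduler, and the parent is what an analyst wants to find and remove. Tune `window_s` and `min_restarts` to the environment; legitimate supervisors (systemd, Windows service recovery) also restart children quickly, so the output is a lead to triage, not a verdict.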
It is clear that the WatchDog operators are skilled coders and have enjoyed a relative lack of attention regarding their mining operations. While there is currently no indication of additional cloud compromising activity at present (i.e. the capturing of cloud platform identity and access management (IAM) credentials, access ID or keys), there could be potential for further cloud account compromise.
Palo Alto Networks, then, believes the threat actors could transition to further cloud account compromise if they have not already.
Crypto Mining Malware Is Profitable for Criminals
When the WatchDog campaign began in January 2019, the Monero price was languishing at around $50 per coin. Had the price stayed there, the campaign’s take would stand at roughly $10,000 (209 XMR at $50). We recently reported on how profitable malware can be for criminal organizations, with similar findings regarding cryptojacking campaigns.
Cryptojacking malware typically mines the privacy-focused Monero because its transactions are designed to hide sender, recipient and amount, which makes the proceeds far harder to trace than Bitcoin, whose public ledger is only pseudonymous. While cryptojacking is a gamble from the price perspective, any gains are almost pure profit, as the malware mines with the victim’s hardware and electricity.
Still, cryptojacking is far from the most profitable form of malware. Ransomware remains one of the most effective methods of extorting cash from victims and doesn’t show any sign of slowing down despite enormous law enforcement efforts to disrupt and destroy the criminal networks.