Home News WatchDog Cryptojacking Campaign Running for Over Two Years

WatchDog Cryptojacking Campaign Running for Over Two Years

Palo Alto researchers recently uncovered “WatchDog” malware that is said to be the largest Monero cryptojacking operation.


Cyberattacks on cryptocurrency exchanges and crypto wallets have become rampant as cybercriminals often target cryptocurrencies, whose net-worth is increasing day by day. Numerous hacks and heists have been reported in the cryptocurrency sector, where threat actors target crypto exchanges to deploy crypto-mining botnets on unsecured systems to siphon the crypto assets.

Security researchers from Palo Alto have recently uncovered a cryptocurrency-mining malware dubbed WatchDog targeting Monero cryptocurrency for more than two years.

WatchDog is one of the largest and longest-lasting Monero cryptojacking operations known to exist. It was found that the WatchDog mining operation is active since January 27, 2019, and its threat actors harvested over 209 Monero (XMR), valued to be around $32,056. They compromised and exploited around 476 Windows and Linux systems for mining Monero cryptocurrency.

The WatchDog Infection

Researchers found that the WatchDog operation uses Go binaries to perform its mining operations across different operating systems using the same binaries. They have identified 18 root IP endpoints and seven malicious domains, which serve at least 125 malicious URL addresses used to download its toolset.

“The WatchDog miner is composed of a three-part Go Language binary set and a bash or PowerShell script file. The binaries perform specific functionality, one of which emulates the Linux Watchdog daemon functionality by ensuring that the mining process does not hang, overload, or terminate unexpectedly. The second Go binary downloads a configurable list of IP addresses net ranges before providing the functionality of targeted exploitation operations of identified NIX or Windows systems discovered during the scanning operation. Finally, the third Go binary script will initiate a mining operation on either Windows or NIX operating systems (OS) using custom configurations from the initiated bash or PowerShell script,” the researchers said.

Reports also suggest that malicious cryptojacking operations are currently estimated to affect 23% of cloud environments, up from 8% in 2018. This increase is primarily caused by the meteoric rise in cryptocurrencies’ valuation.

What is Cryptojacking?

In cryptojacking, cybercriminals perform malicious crypto-mining operations on systems that are not owned by the mining operators. Malicious crypto-mining happens when threat actors compromise computers, laptops, and mobile devices by deploying malicious software to mine or steal cryptocurrencies owned by others.