A novel Linux-based cryptocurrency mining botnet has been discovered that uses the disputed PostgreSQL remote code execution (RCE) vulnerability to compromise database servers. The researchers say the malware is unusual in many ways and entirely new.
According to researchers at Palo Alto Networks Unit 42, the miner (dubbed “PGMiner”) exploits CVE-2019-9193 in PostgreSQL, also known as Postgres, a popular open-source relational database management system. They said it may be the first cryptominer to target this specific platform.
“The exploited feature in PostgreSQL is ‘copy from program’, which was introduced in version 9.3 on September 9, 2013,” according to Unit 42 researchers, in a post on Thursday. “In 2018, CVE-2019-9193 was associated with this feature and designated it a vulnerability. However, the PostgreSQL community raised questions about this assignment, and the CVE was labeled ‘disputed.’”
This feature allows local or remote superusers to run shell scripts directly on the server, which makes it ripe for abuse by attackers. However, as long as superuser privileges are not granted to remote or untrusted users, and the access-control and authentication systems are configured correctly, there is no RCE risk. On the other hand, if the configuration is improper, PostgreSQL can allow RCE on the server’s operating system, beyond the PostgreSQL software itself, “if an attacker succeeds in obtaining superuser privileges by brute-forcing the password or by SQL injection,” the researchers said.
The latter situation is exactly what PGMiner accomplishes.
The malware sample analyzed by Unit 42 is statically linked to the PostgreSQL client library (libpq) and is used to scan for and brute-force target database servers.
“The attacker scans port 5432 (0x1538) used by PostgreSQL,” the researchers said. The malware randomly selects public network ranges (e.g. 126.96.36.199, 188.8.131.52) and attempts to perform RCE on any PostgreSQL server it finds. Using the database’s default user, “postgres”, the attacker brute-forces database authentication with a built-in list of popular passwords (such as 112233 and 1q2w3e4r).
Once it has superuser status, the malware uses the “copy from program” feature (CVE-2019-9193) to download and launch the coin-mining scripts, according to the report.
The miner takes a fileless approach and deletes the PostgreSQL table immediately after the code is launched. The researchers said: PGMiner clears the “abroxu” table if it exists, creates a new “abroxu” table with text columns, saves the malicious payload to this table, executes the payload on the PostgreSQL server, and then clears the table it created.
After installation, the malware uses curl, a command-line tool for transferring data to or from a server, to perform its tasks. If curl is not available on the victim’s machine, the researchers found that the malicious script tries a variety of methods to download the curl binary and add it to the execution path: installing it directly from official package management utilities such as apt-get and yum; downloading a static curl binary from GitHub; or, if the first two methods fail, downloading it via /dev/tcp.
“Although the first two methods are well known, the third method is quite unique,” according to Unit 42. “More interesting is the destination IP address: 94[.]237[.]85[.]89. It connects to the domain newt[.]kitup[.]com. Its parent domain, kitup[.]com, seems to be a legitimate commercial website. This particular subdomain redirects port 80 to 443, which is used to host a CouchDB database called newt. Although port 8080 is not open to the public, we believe the port has been configured to allow cross-origin resource sharing (CORS).”
The next step is to connect to the command-and-control (C2) server through a SOCKS5 proxy. PGMiner then collects system information and sends it to the C2 for victim identification, to determine which version of the coin-mining payload should be downloaded.
The researchers said: “After resolving the IP address of the SOCKS5 proxy server, PGMiner rotates through a list of folders to find the first one that allows the creation of new files and the updating of their attributes. This ensures that the downloaded malicious payload can be successfully executed on the victim’s machine.”
The researchers say the next step is environment cleanup: the malware removes cloud security monitoring tools, such as Aegis, and Qcloud monitoring utilities, such as Yunjing; checks for virtual machines; terminates all other CPU-intensive processes, such as system updates; and kills competitors’ mining processes.
Of course, the final task is to start stealing CPU cycles to mine Monero.
“During our analysis, we found that PGMiner kept replicating itself by downloading certain modules recursively,” according to the analysis. “[The] C2 server of this malware family is constantly being updated. Different modules are distributed from different C2s.”
The researchers added that the downloaded malware impersonates the tracepath process to hide its presence.
As for the botnet’s success or spread, the researchers said they observed this particular PGMiner sample trying to connect to a Monero mining pool, but the pool was not active. Therefore, the profit or footprint of the malware is unknown.
To protect their servers, PostgreSQL users can remove the “pg_execute_server_program” privilege from untrusted users, which makes the exploit impossible, according to Unit 42. Defenders can also search for and kill the “tracepath” process, and terminate any process whose process ID (PID) the malware has recorded under “/tmp/.X11-unix/”.
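The misconfiguration described above (superuser or `pg_execute_server_program` access held by remote accounts) and the mitigation just given can be checked and applied from `psql`. The following is an added example, not code from the Unit 42 report or from PGMiner; `app_user` is a hypothetical role name, and the queries assume PostgreSQL 11 or later, where `pg_execute_server_program` is a predefined role.

```sql
-- Added example (not from the report): audit and remove the capability PGMiner
-- relies on. COPY ... FROM PROGRAM requires either superuser status or
-- membership in the predefined role pg_execute_server_program (PostgreSQL 11+).

-- 1. List every login role that could run a shell command on the server.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_run_program
FROM pg_roles r
WHERE r.rolcanlogin
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolname;

-- 2. Strip the capability from an application account that does not need it.
--    (app_user is a hypothetical name; repeat for each role found above.)
REVOKE pg_execute_server_program FROM app_user;
ALTER ROLE app_user NOSUPERUSER;

-- 3. Detection: is any live session running a COPY ... FROM PROGRAM statement?
--    pg_stat_activity.query holds the current or most recent statement.
SELECT pid, usename, client_addr, backend_start, query
FROM pg_stat_activity
WHERE query ~* 'copy\s.*from\s+program';
```

The audit in step 1 should return only the administrative roles you expect; any remote-capable application role listed there is a candidate for step 2, and step 3 is worth scheduling as a recurring check alongside the log-based detection of failed logins for the “postgres” user.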
“PGMiner is exploiting a disputed vulnerability, and this fact helped it stay unnoticed until we discovered it recently,” the researchers noted, adding that it exhibits a lot of new behavior.
“During our analysis, we observed new techniques such as embedding the victim’s identity in the request, impersonating the name of a trusted process, downloading the curl binary through multiple methods, and more aggressively killing all competitor programs,” the company said. Other characteristics, such as the recursive download of the malware itself and the frequently changing C2 addresses, also indicate that PGMiner is still evolving rapidly.