Researchers at Aqua Nautilus have discovered a new malware that targets PostgreSQL servers to deploy cryptocurrency miners.
The cybersecurity firm has identified more than 800,000 servers at risk from a cryptocurrency hacking campaign targeting PostgreSQL, an open-source relational database management system used to store, manage, and retrieve data for various applications.
According to a research report shared with crypto.news, the so-called “PG_MEM” malware starts by trying to access PostgreSQL databases using a brute force attack and is able to infiltrate the databases using weak passwords.
Once the malware infiltrates the system, it creates a superuser role with administrative privileges, giving it complete control over the database and preventing other users from accessing it. With this control, the malware executes shell commands on the host system, making it easier to download and spread additional malicious payloads.
According to the report, the payloads contain two files designed to allow the malware to evade detection, set up the system to mine cryptocurrencies, and deploy the XMRIG mining tool used to mine Monero (XMR).
XMRIG is often used by perpetrators because Monero transactions are difficult to trace. Last year, an educational platform was hacked in a cryptocurrency hijacking campaign where attackers posted a hidden script that installed XMRIG on every visitor’s system.
Malware Hijacks PostgreSQL Servers to Deploy Cryptocurrency Mining Rigs
Analysts discovered that the malware removes existing cron jobs, which are scheduled tasks that run automatically at specified intervals on the server, and creates new ones to ensure the cryptocurrency mining software continues to run.
This allows the malware to continue its operations even if the server is restarted or if some processes are paused. To remain unnoticed, the malware deletes certain files and logs that can be used to track or identify its activities on the server.
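The two earliest signals in this chain, a burst of failed logins from one host followed by a new SUPERUSER role, both land in the PostgreSQL server log. The script below is an added detection example, not code from the Aqua Nautilus report; it assumes the server runs with `log_line_prefix = '%m [%p] %u@%d %h '` (so the remote host is logged) and `log_statement = 'ddl'` (so role creation is logged), and the log lines it scans are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed prefix: '%m [%p] %u@%d %h ' (timestamp, pid, user@db, remote host).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] '
    r'(?P<user>\S+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$')
FAILED_AUTH = 'password authentication failed for user'
# DDL that grants superuser (needs log_statement = 'ddl' or 'all').
SUPERUSER_DDL = re.compile(r'\b(?:CREATE|ALTER) ROLE\b.*\bSUPERUSER\b', re.IGNORECASE)

def analyze(lines, window=timedelta(seconds=60), threshold=5):
    """Return hosts with >= threshold failed logins inside any `window`,
    plus every logged statement that grants SUPERUSER."""
    failures = defaultdict(list)        # host -> timestamps of failed logins
    superuser_ddl = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                    # line without the expected prefix
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        msg = m['msg']
        if m['level'] == 'FATAL' and FAILED_AUTH in msg:
            failures[m['host']].append(ts)
        elif m['level'] == 'LOG' and msg.startswith('statement:') and SUPERUSER_DDL.search(msg):
            superuser_ddl.append((m['user'], m['host'], msg[len('statement:'):].strip()))
    brute_force = {}
    for host, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):    # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                brute_force[host] = max(brute_force.get(host, 0), end - start + 1)
    return {'brute_force': brute_force, 'superuser_ddl': superuser_ddl}

# Constructed sample log: six failures in 30 s from one host, one stray failure
# from another, then a superuser role created from the first host.
SAMPLE_LOG = [
    f'2024-08-21 10:00:{s:02d}.000 UTC [4100] postgres@postgres 203.0.113.5 FATAL:  '
    'password authentication failed for user "postgres"' for s in (1, 4, 9, 15, 22, 30)
] + [
    '2024-08-21 10:05:10.000 UTC [4200] app@appdb 198.51.100.7 FATAL:  '
    'password authentication failed for user "app"',
    "2024-08-21 10:07:02.000 UTC [4300] postgres@postgres 203.0.113.5 LOG:  statement: "
    "CREATE ROLE backup_svc WITH SUPERUSER LOGIN PASSWORD '<redacted>'",
]

def run_sample():
    return analyze(SAMPLE_LOG)

if __name__ == '__main__':
    print(run_sample())
```

In production, follow a brute-force alert by checking `pg_roles` for superusers you did not create and by auditing the host's crontab, since the report describes both as the malware's next moves.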
The researchers warned that while the primary goal of the campaign is to spread cryptocurrency mining software, the attackers also gain control of the affected server, highlighting its seriousness.
Cryptocurrency hijacking campaigns targeting PostgreSQL databases have been a recurring threat over the years. In 2020, researchers from Palo Alto Networks’ Unit 42 uncovered a similar cryptocurrency hacking campaign involving the PgMiner botnet. In 2018, the StickyDB botnet was discovered, which also infiltrated servers to mine Monero.