Hackers target poorly secured Microsoft SQL and MySQL database servers to deploy the Gh0stCringe remote access Trojan on vulnerable devices.
Gh0stCringe, also known as CirenegRAT, is a variant of Gh0st RAT malware that was last deployed in 2020 Chinese cyber-espionage operations, but dates back to 2018.
In a new report today by cybersecurity firm AhnLab, researchers outline how the threat actors behind Gh0stCringe target poorly secured database servers that have weak account credentials and are left unattended.
As you can see below, the threat actors breach the database servers and use the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes to write the malicious ‘mcsql.exe’ executable to disk.
MySQL and Microsoft SQL processes write malware files to disk
These attacks are similar to the Microsoft SQL server attacks we reported last February, where Cobalt Strike beacons were dropped using the Microsoft SQL command xp_cmdshell.
In addition to Gh0stCringe, AhnLab’s report mentions the presence of multiple malware samples on the examined servers, indicating that competing threat actors breach the same servers to drop payloads for their own campaigns.
Gh0stCringe on the server
Gh0stCringe RAT is a powerful malware that establishes a connection to the C2 server to receive custom commands or exfiltrate stolen information to the attackers.
The malware can be configured during deployment with specific settings related to its features, as described below:
- Copy yourself [On/Off]: When enabled, it copies itself to a specific path depending on the mode.
- Method of execution [Mode]: Can have values of 0, 1, and 2.
- Change file size [Size]: In mode #2, the malware copies itself to the path ‘%ProgramFiles%\Cccogae.exe’, and if a value is set, it appends junk data of the specified size to the end of the file.
- Analysis disruption technique [On/Off]: Obtains the PID of the parent process and of the explorer.exe process. If a value of 0 is returned, it terminates itself.
- Keylogger [On/Off]: When enabled, the keylogging thread runs.
- Rundll32 process termination [On/Off]: When enabled, the ‘taskkill /f /im rundll32.exe’ command is executed to end the running rundll32 process.
- Self-copy file property [Attr]: Sets the file attributes to read-only, hidden, and system (FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM).
The setting data of the RAT (ASEC)
Of the above, the keylogger is arguably the most aggressive part as it is what steals user input from the compromised system.
The keylogging component uses the Windows Polling method (GetAsyncKeyState API) to query the state of each key through an endless loop.
This otherwise reliable logging method introduces the risk of suspiciously high CPU usage, but is unlikely to cause problems for the threat actors on poorly managed servers.
The malware will also monitor keystrokes for the last three minutes and send them, along with basic system and network information, to the malware’s command and control servers.
These logged keystrokes allow the threat actors to steal credentials and other sensitive information that logged in users have entered on the device.
Modes and Commands
CirenegRAT supports four operational modes, namely 0, 1, 2 and a Windows 10 special mode selected by the threat actor during deployment.
The modes configure how persistence is established, through modification of the Windows registry and activation of the self-copy module. For example, mode #0 runs without persistence, while mode #2 establishes persistence and takes the self-copy settings into account.
As for the external commands supported by the RAT, they are summarized as follows:
- Download and run additional payloads from the C2
- Connect to a URL via IE
- Destroy the MBR (master boot record)
- Keylogging (independent command)
- Steal clipboard data
- Collect Tencent-related information
- Update
- Delete registry Run key
- Terminate host system
- Restart NIC
- Scan for running processes
- Show message popup
How to secure database servers
First, update your server software to apply the latest available security updates to rule out a range of attacks that exploit known vulnerabilities.
It is also essential to use a strong administrator password that is hard to guess or brute-force.
The most critical step is to place the database server behind a firewall, allowing only authorized devices to access the server.
Finally, monitor all actions to identify suspicious recon activities and use a data access controller for data transaction policy inspection.
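One concrete way to act on the monitoring advice is to alert when a database engine process (the mysqld.exe, mysqld-nt.exe and sqlserver.exe images named earlier in the article) creates an executable file, or when the ‘taskkill /f /im rundll32.exe’ command from the RAT's configuration is executed. The example below is added here and is not from AhnLab's report or BleepingComputer; the events are constructed, modelled loosely on Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate), and the field names follow Sysmon's.

```python
# Database engine processes the article reports being abused to write mcsql.exe.
DB_ENGINE_IMAGES = {"mysqld.exe", "mysqld-nt.exe", "sqlserver.exe"}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs")

# Constructed sample events (not real telemetry from the incident). EventID 11 is
# Sysmon FileCreate, EventID 1 is Sysmon ProcessCreate.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Program Files\\MySQL\\MySQL Server 5.7\\bin\\mysqld.exe",
     "TargetFilename": "C:\\ProgramData\\MySQL\\MySQL Server 5.7\\Data\\shop\\orders.ibd"},
    {"EventID": 11, "Image": "C:\\Program Files\\MySQL\\MySQL Server 5.7\\bin\\mysqld.exe",
     "TargetFilename": "C:\\Windows\\Temp\\mcsql.exe"},
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlserver.exe",
     "TargetFilename": "C:\\Users\\Public\\mcsql.exe"},
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlserver.exe",
     "TargetFilename": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\LOG\\ERRORLOG"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\taskkill.exe",
     "CommandLine": "taskkill  /f /im rundll32.exe", "ParentImage": "C:\\ProgramData\\mcsql.exe"},
]


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def db_engine_wrote_executable(event):
    """Rule 1: a database engine process created a file with an executable extension.
    Normal engine writes (data files, logs) do not match; a dropped .exe does."""
    return (event.get("EventID") == 11
            and image_name(event.get("Image", "")) in DB_ENGINE_IMAGES
            and event.get("TargetFilename", "").lower().endswith(EXECUTABLE_EXTENSIONS))


def rundll32_kill_command(event):
    """Rule 2: the taskkill command the RAT's 'Rundll32 process termination' option runs.
    Whitespace is collapsed so padded command lines still match."""
    cmd = " ".join(event.get("CommandLine", "").lower().split())
    return event.get("EventID") == 1 and cmd.startswith("taskkill") and "/im rundll32.exe" in cmd


def detect(events):
    """Run both rules over a list of events and return (rule name, evidence) pairs."""
    hits = []
    for ev in events:
        if db_engine_wrote_executable(ev):
            hits.append(("db_engine_wrote_executable", ev["TargetFilename"]))
        elif rundll32_kill_command(ev):
            hits.append(("rundll32_kill_command", ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {evidence}")
```

Rule 1 is the higher-signal one: a database engine has no legitimate reason to create executables, so it should fire rarely and warrants immediate investigation of the server's account credentials and exposure.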
This post, Unsecured Microsoft SQL, MySQL servers affected by Gh0stCringe malware, was originally published at https://www.bleepingcomputer.com/news/security/unsecured-microsoft-sql-mysql-servers-hit-by-gh0stcringe-malware/