Exposed PostgreSQL instances are the target of an ongoing campaign designed to gain unauthorized access and deploy cryptocurrency miners.
Cloud security firm Wiz said the activity is a variant of an intrusion set first flagged by Aqua Security in August 2024 that involved a malware strain dubbed PG_MEM. The campaign has been attributed to a threat actor Wiz tracks as JINX-0126.
“The threat actor has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash and executing the miner payload filelessly, likely in an effort to evade detection by [cloud workload protection platform] solutions that rely solely on file hash reputation,” researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski said.
Wiz has also revealed that the campaign has claimed more than 1,500 victims to date, indicating that publicly exposed PostgreSQL instances with weak or predictable credentials are common enough to become a target for opportunistic threat actors.
The most distinctive aspect of the campaign is the abuse of the COPY … FROM PROGRAM SQL command to execute arbitrary shell commands on the host. The command runs the given program as the operating-system user of the database server process, which is why it is restricted to superusers and members of the pg_execute_server_program role; a weakly configured instance whose exposed account holds one of those privileges hands the attacker code execution along with the database.
Successful access to a weakly configured PostgreSQL service is used to conduct initial reconnaissance and drop a Base64-encoded payload, which is in fact a shell script that kills competing cryptocurrency miners and drops a binary named PG_CORE.
Also downloaded to the server is an obfuscated Golang binary codenamed postmaster that mimics the legitimate PostgreSQL multi-user database server process of the same name. It is designed to set up persistence on the host using a cron job, create a new database role with elevated privileges, and write another binary called cpu_hu to disk.
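The chain above leaves a recognisable trail in PostgreSQL's own statement log (log_statement = 'all' or log_min_duration_statement = 0): a COPY … FROM PROGRAM whose program string decodes a Base64 blob into a shell, followed by the creation of a privileged role. The following detector is an added example written for this page, not Wiz's or Aqua's tooling; the log lines are constructed to match that pattern, and the role name pg_helper, the PIDs and the timestamps are made up.

```python
import base64
import re

# Constructed sample lines in the default PostgreSQL log_line_prefix style
# ("%t [%p] %u@%d "). They are illustrative, not captured from the campaign.
_B64_PAYLOAD = base64.b64encode(b"echo hello").decode()  # stands in for the miner dropper
SAMPLE_LOG = f"""\
2025-04-01 10:00:01 UTC [4121] postgres@postgres LOG:  statement: SELECT version();
2025-04-01 10:00:02 UTC [4121] postgres@postgres LOG:  statement: CREATE TABLE tmp_out(line text);
2025-04-01 10:00:03 UTC [4121] postgres@postgres LOG:  statement: COPY tmp_out FROM PROGRAM 'echo {_B64_PAYLOAD} | base64 -d | sh';
2025-04-01 10:00:04 UTC [4121] postgres@postgres LOG:  statement: CREATE ROLE pg_helper WITH SUPERUSER LOGIN PASSWORD 'x';
2025-04-01 10:05:00 UTC [4130] app@app LOG:  statement: SELECT id FROM orders WHERE user_id = 42;
"""

STATEMENT_RE = re.compile(
    r"\[(?P<pid>\d+)\] (?P<user>\w+)@(?P<db>\w+) LOG:\s+statement: (?P<sql>.*)$"
)
# COPY ... FROM PROGRAM '<cmd>' (or TO PROGRAM); single quotes inside the
# literal are doubled in SQL, so accept '' as part of the command text.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.+?\b(?:FROM|TO)\s+PROGRAM\s+'(?P<cmd>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)
# A decoded blob piped straight into a shell is the dropper pattern itself.
DECODE_AND_RUN_RE = re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:sh|bash)\b", re.IGNORECASE)
# New or altered roles granted superuser, or membership in the role that
# unlocks COPY ... PROGRAM, are the persistence step.
PRIV_ROLE_RE = re.compile(
    r"\b(?:CREATE|ALTER)\s+(?:ROLE|USER)\b.*\bSUPERUSER\b|\bGRANT\s+pg_execute_server_program\b",
    re.IGNORECASE,
)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")


def parse_statements(log_text):
    """Yield {pid, user, db, sql} for every logged statement."""
    for line in log_text.splitlines():
        m = STATEMENT_RE.search(line)
        if m:
            yield m.groupdict()


def decode_embedded_base64(cmd):
    """Return the printable payloads hidden as Base64 tokens in a program string."""
    decoded = []
    for tok in B64_TOKEN_RE.findall(cmd):
        try:
            text = base64.b64decode(tok, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            decoded.append(text)
    return decoded


def analyse_statement(sql):
    """Return (kind, detail) findings for one SQL statement."""
    findings = []
    m = COPY_PROGRAM_RE.search(sql)
    if m:
        cmd = m.group("cmd").replace("''", "'")
        findings.append(("copy_from_program", cmd))
        if DECODE_AND_RUN_RE.search(cmd):
            findings.append(("base64_payload_to_shell", cmd))
    if PRIV_ROLE_RE.search(sql):
        findings.append(("privileged_role_change", sql))
    return findings


def scan_log(log_text):
    """Run the detectors over a statement log and return the findings in order."""
    results = []
    for entry in parse_statements(log_text):
        for kind, detail in analyse_statement(entry["sql"]):
            results.append({"pid": entry["pid"], "user": entry["user"], "kind": kind, "detail": detail})
    return results


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"pid={hit['pid']} user={hit['user']} {hit['kind']}: {hit['detail']}")
        if hit["kind"] == "copy_from_program":
            for payload in decode_embedded_base64(hit["detail"]):
                print("  decoded payload:", payload)
```

Statement logging must already be on for this to see anything, and the detector only covers the SQL side of the chain; the cron entry and the dropped binaries need host telemetry. The same regexes can be pointed at pgaudit output, which logs COPY and role changes even when full statement logging is off.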
cpu_hu, for its part, downloads the latest version of the XMRig miner from GitHub and launches it filelessly by means of a known Linux technique referred to as memfd: the binary is written to an anonymous in-memory file created with memfd_create() and executed from there, so the miner never touches disk.
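A process started from a memfd still betrays itself on the host: its /proc/<pid>/exe link resolves to a target such as "/memfd:xmrig (deleted)" rather than a path on a filesystem. The scanner below is an added example for this page, not Wiz's or Aqua's code; it takes the proc root as a parameter so it can be pointed at a constructed fake tree for testing, and the memfd name "xmrig" in the docstring is just an assumption about what an attacker might pick.

```python
import os
import re

# /proc/<pid>/exe for a memfd-backed executable reads "/memfd:<name>" with an
# optional " (deleted)" suffix once the creator closes its descriptor.
MEMFD_EXE_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def memfd_name(exe_target):
    """Return the memfd name if exe_target is an anonymous memfd, else None.

    memfd_name("/memfd:xmrig (deleted)") -> "xmrig"; memfd_name("/usr/bin/ls") -> None
    """
    m = MEMFD_EXE_RE.match(exe_target)
    return m.group("name") if m else None


def read_cmdline(path):
    """Decode a NUL-separated /proc/<pid>/cmdline into a single string."""
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except OSError:
        return ""
    return " ".join(part.decode(errors="replace") for part in raw.split(b"\0") if part)


def find_memfd_processes(proc_root="/proc"):
    """List processes whose executable lives only in a memfd, sorted by PID."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():  # skip self, sys, net and the other non-PID entries
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel threads, exited processes, or insufficient privilege
            continue
        name = memfd_name(target)
        if name is not None:
            hits.append({
                "pid": int(entry),
                "memfd": name,
                "cmdline": read_cmdline(os.path.join(proc_root, entry, "cmdline")),
            })
    return sorted(hits, key=lambda h: h["pid"])


if __name__ == "__main__":
    for hit in find_memfd_processes():
        print(f"pid {hit['pid']}: exe is memfd '{hit['memfd']}', cmdline: {hit['cmdline']}")
```

Run it as root, otherwise readlink on other users' /proc/<pid>/exe fails and those processes are silently skipped. Legitimate software (some JIT runtimes and container tooling) also uses memfd, so treat a hit as a lead to correlate with the PostgreSQL user, the cron entry and outbound mining-pool traffic rather than as proof on its own.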
“The threat actor is assigning a unique mining worker to each victim,” Wiz said, identifying three different wallets linked to the threat actor. “Each wallet had approximately 550 workers. Combined, this suggests that the campaign could have leveraged over 1,500 compromised machines.”