A Linux-based cryptocurrency-mining botnet has been uncovered that abuses a disputed PostgreSQL remote code-execution (RCE) weakness to compromise database servers. The malware is novel in a number of ways, researchers said.
According to researchers at Palo Alto Networks' Unit 42, the miner (dubbed "PGMiner") exploits CVE-2019-9193 in PostgreSQL, also known as Postgres, a popular open-source relational database management system used in production environments. They said this could be the first cryptominer to target the platform.
"The feature in PostgreSQL under exploitation is 'copy from program,' which was introduced in version 9.3 on Sept. 9, 2013," according to Unit 42 researchers, in a Thursday post. "In 2018, CVE-2019-9193 was linked to this feature, naming it as a vulnerability. However, the PostgreSQL community challenged this assignment, and the CVE has been labeled as 'disputed.'"
They added: "It is notable that malware actors have started to weaponize not only confirmed CVEs, but also disputed ones."
The feature allows a local or remote superuser to run shell commands directly on the database server, which makes it ripe for abuse. However, there is no RCE risk as long as superuser privilege is not granted to remote or untrusted users and the access-control and authentication configuration is sound, according to Unit 42. If it is not, PostgreSQL can provide RCE on the server's operating system, well beyond the PostgreSQL software itself, "if the attacker manages to own the superuser privilege by brute-forcing password or SQL injection," researchers said.
The latter scenario is exactly what PGMiner accomplishes.
The malware sample that Unit 42 analyzed statically links the PostgreSQL client library (libpq), which it uses to locate target database servers and brute-force their credentials.
"The attacker scans port 5432 (0x1538), used by PostgreSQL," researchers said. "The malware randomly picks a public network range (e.g., 190.0.0.0, 66.0.0.0) in an attempt to perform RCE on the PostgreSQL server. With the user 'postgres,' which is the default user of the database, the attacker performs a brute-force attack iterating over a built-in list of popular passwords such as 112233 and 1q2w3e4r to crack the database authentication."
After authenticating as the superuser, the malware uses CVE-2019-9193, i.e. the "copy from program" feature, to download and launch the coin-mining scripts, according to the report.
The miner takes a fileless approach, dropping the PostgreSQL table right after the code launches, researchers said: PGMiner clears the "abroxu" table if it exists, creates a new "abroxu" table with a single text column, saves the malicious payload to it, executes the payload on the PostgreSQL server and then clears the created table.
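As an added illustration, not code from the Unit 42 report or the PGMiner sample, the following SQL reproduces the documented COPY ... FROM PROGRAM behaviour that the create/load/execute/drop pattern above relies on, with a harmless command in place of the miner's payload. The table name cmd_out is an assumption made for this example; the article says the malware used a table named "abroxu".

```sql
-- Added example, not from the Unit 42 report or the PGMiner sample.
-- Run as a PostgreSQL superuser (or, on PostgreSQL 11+, as a member of
-- pg_execute_server_program) to see why exposing such an account is RCE.
-- The table name cmd_out is an assumption; the article names the malware's table "abroxu".

DROP TABLE IF EXISTS cmd_out;
CREATE TABLE cmd_out (line text);

-- COPY ... FROM PROGRAM runs the command through the server's shell, as the
-- OS user the postmaster runs as, and loads each line of stdout as a row.
-- 'id' is a harmless stand-in for the curl/bash one-liner a miner would use.
COPY cmd_out FROM PROGRAM 'id';

-- Expected: one row such as  uid=26(postgres) gid=26(postgres) groups=...
-- which proves the command ran at OS level, outside the database engine.
SELECT line FROM cmd_out;

-- The same privilege also covers the outbound direction: TO PROGRAM pipes
-- query output into a command's stdin. Shown with 'cat > /dev/null' so that
-- nothing is executed; with a shell as the program, stored text would be run.
COPY (SELECT line FROM cmd_out) TO PROGRAM 'cat > /dev/null';

-- "Fileless" cleanup: nothing is left behind except a dropped table, so the
-- payload never touches the filesystem as a file of its own.
DROP TABLE cmd_out;
```

Because PROGRAM is documented, intended behaviour rather than a bug, the only meaningful control is who can reach an account that holds this privilege; that is the substance of the "disputed" label on the CVE.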
Once installed, the malware uses curl to carry out its tasks; curl is a command-line tool for transferring data to or from a server. If curl isn't available on the victim's machine, researchers found that the malicious script tries several approaches to obtain a curl binary and add it to the execution path: direct installation via official package-management utilities such as apt-get and yum; downloading a static curl binary from GitHub; or, if the first two fail, downloading it over a raw TCP connection using bash's /dev/tcp pseudo-device.
"While the first two approaches are well-known, the third one is quite unique," according to Unit 42. "What's more interesting is the target IP address: 94[.]237[.]85[.]89. It is connected to the domain newt[.]keetup[.]com. While its parent domain, keepup[.]com, seems like a legitimate business website, this particular subdomain is redirecting port 80 to 443, which is used to host a couchdb named newt. Although port 8080 is not open to the public, we believe it has been configured to allow Cross-Origin Resource Sharing (CORS)."
The next step is connecting to the command-and-control (C2) server via SOCKS5 proxies. PGMiner then collects system information and sends it to the C2 for victim identification, which determines which version of the coin-mining payload is downloaded.
"After resolving the SOCKS5 proxy server IP address, PGMiner rotates through a list of folders to find the first one that allows permission to create a new file and update its attributes," researchers said. "This ensures the downloaded malicious payload can successfully execute on the victim's machine."
The next step, researchers said, is environment cleanup: PGMiner removes cloud security monitoring tools such as Aegis and Qcloud monitoring utilities such as Yunjing; checks whether it is running in a virtual machine; kills other CPU-intensive processes such as system updates; and kills competing mining processes.
The last task, of course, is to begin stealing CPU cycles to mine Monero.
"During our analysis, we found that PGMiner constantly reproduces itself by recursively downloading certain modules," according to the analysis. "[The] C2 server for this malware family is constantly updating. Different modules are distributed across different C2s."
The downloaded malware impersonates the tracepath process to hide its presence, researchers added.
As for how successful or widespread the botnet is, the researchers said the PGMiner sample they observed attempted to connect to a Monero mining pool that was not active, so the malware's profit and footprint are unknown.
To protect their servers, PostgreSQL users can revoke the "pg_execute_server_program" role from untrusted users, which closes the "copy from program" path for non-superuser accounts, according to Unit 42; as noted above, superuser access itself must not be reachable by remote or untrusted users, since superusers hold that capability implicitly. It's also possible to search for and kill the "tracepath" process, and to kill the processes whose process IDs (PIDs) the malware tracks in "/tmp/.X11-unix/".
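The audit and hardening steps below are an added example, not commands from the Unit 42 report. They assume PostgreSQL 11 or later (the pg_execute_server_program role and the pg_hba_file_rules view do not exist on older releases), a superuser session in psql, and a hypothetical application role named app_user.

```sql
-- Added example, not from the Unit 42 report. PostgreSQL 11+, run as a superuser.
-- The role name app_user is an assumption made for this example.

-- 1. Who can run COPY ... FROM/TO PROGRAM at all?
--    Superusers always can; the role membership check only governs non-superusers,
--    so a superuser that can log in remotely is the real exposure.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_exec_program
FROM pg_roles AS r
WHERE r.rolcanlogin
ORDER BY r.rolsuper DESC, r.rolname;

-- 2. Which pg_hba.conf rules let the default "postgres" account (or every user)
--    authenticate over the network with a password? A host line for 0.0.0.0/0
--    or ::/0 with md5/scram-sha-256 is exactly what PGMiner's brute force needs.
SELECT line_number, type, database, user_name, address, netmask, auth_method
FROM pg_hba_file_rules
WHERE type IN ('host', 'hostssl', 'hostnossl')
  AND (user_name @> ARRAY['all'] OR user_name @> ARRAY['postgres']);

-- 3. Remediate an application role that has no business running server-side programs.
REVOKE pg_execute_server_program FROM app_user;
ALTER ROLE app_user NOSUPERUSER;

-- 4. Replace a weak superuser password; the stored hash follows password_encryption.
SET password_encryption = 'scram-sha-256';
ALTER ROLE postgres PASSWORD 'replace-with-a-long-random-secret';

-- 5. After editing pg_hba.conf to remove the wide-open line, reload without a restart.
SELECT pg_reload_conf();
```

Step 1 is the check worth scheduling: a row with rolsuper = true and rolcanlogin = true that also matches a wide-open rule in step 2 is the precondition PGMiner needs, regardless of the disputed CVE.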
"The fact that PGMiner is exploiting a disputed vulnerability helped it remain unnoticed until we recently uncovered it," researchers noted, adding that it exhibits a raft of novel behavior.
"During our analysis, we observed new techniques, such as embedding victim identification in the request, impersonating a trusted process name, downloading curl binary via multiple approaches and more and aggressively killing all competitor programs," according to the firm. "Other traits, such as the malware recursively downloading itself and frequently changing C2 addresses, also indicate PGMiner is still rapidly evolving."
It could easily evolve to target Windows and macOS as well, researchers added.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9193
unit42.paloaltonetworks.com/pgminer-postgresql-cryptocurrency-mining-botnet/