Researchers at AhnLab have published a whitepaper on ongoing attacks targeting poorly secured Microsoft SQL and MySQL database servers. By exploiting weaknesses in SQL server security, threat actors abuse the mysqld.exe, mysqld-nt.exe, and sqlservr.exe executables to write the malware, mcsql.exe, to disk.
Gh0st RAT code found
Gh0stCringe malware, also known as CirenegRAT, is based on the code of Gh0st RAT; the malware was first discovered in December 2018. Part of the Gh0st RAT code is reused in Gh0stCringe. Currently, threat actors distribute the malware to SQL servers that have vulnerable account credentials.
Gh0stCringe connects to a C2 server and performs various malicious behaviors on its orders. The settings data shows that the malware can handle several commands, including a very dangerous feature, keylogging:
Performing Commands
- Downloader: Downloads additional payload from the C&C server and executes it. Can send specific arguments.
- Connecting to a specific URL: Connects to a specific website via Internet Explorer. There is an option to hide the window so that the user does not notice it.
- Destroying MBR
Stealing Information
- Keylogging: Regardless of whether there is settings data or not, keylogging can be performed by the C&C server’s command.
- Stealing clipboard: Steals the data currently saved in the clipboard.
- Collecting Tencent-related file information: Collects the list of files in the path ‘%APPDATA%\Tencent\Users\’, and it is assumed that it would normally include user data related to QQ Messenger.
Self-Control
- Update: Updates the malware
- Uninstall: Deletes the registered service and self-deletes using a batch file. Also deletes the keylogging data file, Default.key.
- Service control: Changes the ‘Host’ or ‘ConnectGroup’ item for the malware service (‘Rsuyke mkgcgkuc’).
- Event Cleanup
- Registering Run Key: Registers Run Key for the path ‘C:\Program Files\Common Files\scvh0st.exe’.
System Control
- Terminating system
- Rebooting NIC
Additional Module Control
Downloads an additional module from the C&C server into memory and loads it to call the following export functions. Judging by the export functions, the first module appears to be a proxy-related module, and the second appears to be a plugin module with additional features.
- Module #1: Export function OpenProxy(), CloseProxy()
- Module #2: Export function PluginMe()
Others
- Scanning whether a certain process is running
- Scanning for the existence of certain windows
- Writing to a certain registry key: ‘HKLM\SYSTEM\Clore / Clore’
- Message pop-up
Since the attackers target poorly managed SQL database servers, there is no actual security flaw in the software, which means there will be no security patch to fix these issues. The necessary measures are keeping the software up to date, using complex admin passwords, placing the database server behind a firewall, and constantly monitoring events to identify suspicious activity.
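As an illustration of the event monitoring mentioned above, the following added example (not code from AhnLab or from the original article) checks events against the file, service and registry indicators named in this article. The event dictionaries use a constructed, normalized schema with hypothetical field names, and treating ‘HKLM\SYSTEM\Clore’ as a key-path prefix is an assumption.

```python
import ntpath

# Indicators quoted in the article above (compared case-insensitively).
DB_PROCESSES = {"mysqld.exe", "mysqld-nt.exe", "sqlservr.exe"}
DROPPER = "mcsql.exe"
SERVICE_NAME = "rsuyke mkgcgkuc"
RUN_TARGET = r"c:\program files\common files\scvh0st.exe"
REG_MARKER = r"hklm\system\clore"  # assumption: matched as a key-path prefix

def _base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def check_event(ev):
    """Return the findings for one normalized event (hypothetical schema)."""
    findings, kind = [], ev.get("type")
    if kind == "file_create" and _base(ev.get("process")) in DB_PROCESSES:
        target = _base(ev.get("target"))
        if target == DROPPER:
            findings.append("db-process-wrote-mcsql")
        elif target.endswith((".exe", ".dll", ".bat")):
            # A database engine writing any executable content is worth review.
            findings.append("db-process-wrote-executable")
    elif kind == "service_install":
        if ev.get("name", "").lower() == SERVICE_NAME:
            findings.append("gh0stcringe-service")
    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        data = ev.get("data", "").lower().strip('"')
        if key.startswith(REG_MARKER):
            findings.append("gh0stcringe-registry-marker")
        if "\\currentversion\\run" in key and data == RUN_TARGET:
            findings.append("gh0stcringe-run-key")
    return findings

def scan(events):
    """Return (event index, finding) pairs for every event that matches."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

# Constructed sample events, not taken from a real incident.
SAMPLE_EVENTS = [
    {"type": "file_create", "process": r"C:\MySQL\bin\mysqld.exe", "target": r"C:\ProgramData\mcsql.exe"},
    {"type": "file_create", "process": r"C:\MySQL\bin\mysqld.exe", "target": r"C:\MySQL\data\ibdata1"},
    {"type": "service_install", "name": "Rsuyke mkgcgkuc"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc",
     "data": r"C:\Program Files\Common Files\scvh0st.exe"},
    {"type": "registry_set", "key": r"HKLM\SYSTEM\Clore", "data": "1"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

The generic `db-process-wrote-executable` finding covers renamed payloads, since the file name mcsql.exe alone is easy for an attacker to change.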