Gh0stCringe RAT Attacks Vulnerable Microsoft SQL

Cybersecurity experts at the ASEC security firm have recently identified that hackers are actively targeting vulnerable Microsoft SQL and MySQL database servers to deploy the Gh0stCringe RAT.

Gh0stCringe, also known as CirenegRAT, is a variant of the Gh0st RAT malware. It was mostly used by Chinese hackers in cyber-espionage operations between 2018 and 2020.

The first report of this RAT was made in December 2018, and distribution was accomplished through the use of an SMB vulnerability.

After compromising the database servers, the threat actors attempt to download the malicious mcsql.exe executable to disk via the following processes:

  • mysqld.exe
  • mysqld-nt.exe
  • sqlserver.exe

Last February, threat actors used the Microsoft SQL xp_cmdshell command to drop Cobalt Strike beacons, and the current attacks have now been found to be identical to those Microsoft SQL server attacks.
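The behaviour described above, a database server process writing an executable such as mcsql.exe to disk or running commands through xp_cmdshell, can be hunted in endpoint telemetry. The following is an added example, not code from ASEC or the original article; the event records are constructed, their field names are modelled on Sysmon process-creation (ID 1) and file-creation (ID 11) events, and sqlservr.exe, the shell names and the extension list are assumptions added to the article's process list.

```python
import ntpath

# Process names from the article, plus sqlservr.exe (assumption: the usual
# file name of the SQL Server engine, which the article does not list).
DB_PROCESSES = {"mysqld.exe", "mysqld-nt.exe", "sqlserver.exe", "sqlservr.exe"}
# Assumptions: file types worth flagging and shells a database should not start.
EXECUTABLE_EXTS = (".exe", ".dll", ".bat", ".ps1")
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample events; only mcsql.exe comes from the article.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\mysql\bin\mysqld.exe",
     "TargetFilename": r"C:\mysql\data\mcsql.exe"},
    {"EventID": 11, "Image": r"C:\mysql\bin\mysqld.exe",
     "TargetFilename": r"C:\mysql\data\ibdata1"},  # normal data file
    {"EventID": 1, "ParentImage": r"C:\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return a finding string for a suspicious event, or None."""
    eid = event.get("EventID")
    if eid == 11 and basename(event.get("Image")) in DB_PROCESSES:
        target = event.get("TargetFilename", "")
        if target.lower().endswith(EXECUTABLE_EXTS):
            return f"db-process-wrote-executable: {basename(event['Image'])} -> {target}"
    if eid == 1:
        if (basename(event.get("ParentImage")) in DB_PROCESSES
                and basename(event.get("Image")) in SHELLS):
            return f"db-process-spawned-shell: {event.get('CommandLine', '')}"
        # Command string quoted in the article's settings list.
        if "taskkill /f /im rundll32.exe" in event.get("CommandLine", "").lower():
            return "rundll32-termination-command"
    return None

def scan(events):
    """Classify every event and keep only the findings."""
    return [finding for finding in map(classify, events) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Legitimate maintenance jobs can also make a database process write scripts or start a shell, so findings of this kind are triage leads to baseline per server rather than verdicts.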

Gh0stCringe RAT on the Server

To receive custom commands from the threat actors and exfiltrate all the stolen data to the adversaries, the Gh0stCringe RAT establishes a connection with the C2 server.

The most aggressive element of Gh0stCringe RAT is the keylogger, which steals user inputs from the compromised system. Keylogging can be activated according to the settings data, or it can be controlled by a command received from the command and control server.

The keylogging component runs in an endless loop, querying the state of every key using the Windows polling method (the GetAsyncKeyState API).

The malware collects keypresses along with basic information about the system and network, and sends them to its command and control servers.

Gh0stCringe RAT’s Settings

There are 7 settings in total, listed below:

  • Self-copy [On/Off]: If turned on, it copies itself to a certain path depending on the mode.
  • Mode of execution [Mode]: Can have values of 0, 1, and 2.
  • File size change [Size]: In Mode #2, the malware copies itself to the path ‘%ProgramFiles%\Cccogae.exe’, and if there is a set value, it adds junk data of the designated size to the back of the file.
  • Analysis disruption technique [On/Off]: Obtains the PID of its parent process and the explorer.exe process. If it results in a value of 0, it terminates itself.
  • Keylogger [On/Off]: If turned on, the keylogging thread operates.
  • Rundll32 process termination [On/Off]: If turned on, executes the ‘taskkill /f /im rundll32.exe’ command to terminate the running rundll32 process.
  • Self-copy file property [Attr]: Sets property to read-only, hidden, and system (FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM).

Commands supported by Gh0stCringe

The remote commands supported by the Gh0stCringe RAT are:

  • Download additional payloads from the C2 and execute them.
  • Connect to a URL via IE
  • Destroy MBR (master boot record)
  • Keylogging (independent command)
  • Steal clipboard database
  • Collect Tencent-related information
  • Update
  • Uninstall
  • Register Run Key
  • Terminate host system
  • Reboot NIC
  • Scan for running processes
  • Display message pop-up


To mitigate such threats, the cybersecurity analysts at ASEC have recommended the following mitigations:

  • Immediately apply the latest available security updates.
  • Keep your system and server updated.
  • Always use complex passwords.
  • Make sure to enable two-factor authentication.
  • Always use robust security practices.
  • Always use robust security tools.
  • Monitor all the actions and system logs to determine suspicious activity.
  • Frequently change your passwords.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.