Security researchers at Palo Alto Networks have detected a unique Linux-based cryptocurrency mining botnet. The botnet exploits a disputed PostgreSQL remote code execution (RCE) vulnerability to compromise database servers.
This botnet is one of the latest cybercrime operations that target web technology for profit. The researchers named the botnet “PGMiner”; PostgreSQL is also known as Postgres.
PostgreSQL is one of the most widely used open-source relational database management systems (RDBMS) across all kinds of production environments. DB-Engines ranks PostgreSQL fourth among all database management systems (DBMS).
Characteristics of the PGMiner Botnet
According to the researchers, the PGMiner botnet has the following notable characteristics:
- Deletes the PostgreSQL table right after launching its code, to achieve fileless execution.
- Collects system information and sends it to the command and control (C2) server for victim identification.
- Uses both traditional and novel methods to download the curl binary when the command is not available on the victim’s machine.
- Impersonates the “tracepath” process to hide its presence.
- Tries to kill competing programs to maximize its own mining revenue.
The experts have summarized the botnet’s entire attack process. According to them, the malicious payload is delivered via PostgreSQL; it communicates with the backend C2 servers through SOCKS5 proxies, and once that communication is established it downloads the coin-mining payloads that match the system architecture.
After investigating the attack, the experts confirmed that PGMiner continually reproduces itself by recursively downloading individual modules. In their diagram, the C2 contacted at each stage is marked in dark green.
The samples shown in light blue boxes have already been widely studied in earlier research by security experts.
The botnet randomly picks a public network range and then iterates through every IP address in that range, searching for systems that expose the PostgreSQL port to the internet.
If PGMiner detects an active PostgreSQL system, the botnet moves from the scanning stage to its brute-force stage. In this stage it cycles through a long list of passwords, trying to guess the credentials for “postgres”, the default PostgreSQL account.
Resolving the SOCKS5/Tor Relay Server Name, Fetching Payloads From the C2 and Launching PGMiner
The C2 hostname has been updated to nssnkct6udyyx6zlv4l6jhqr5jdf643shyerk246fs27ksrdehl2z3qd[.]onion. PGMiner also uses a SOCKS5 proxy to communicate with the C2, a technique previously described for the SystemdMiner variant.
Once it has resolved the SOCKS5 proxy server’s IP address, PGMiner iterates through a list of directories, looking for the first one in which it is allowed to create a new file and then modify the file’s attributes.
This check confirms that the downloaded malicious payload can be executed on the victim’s machine.
- The experts note that customers’ firewalls are protected against PGMiner through the WildFire and Threat Prevention security subscriptions.
- The experts urge PostgreSQL users to remove the “pg_execute_server_program” privilege from untrusted users, which renders the exploit unusable.
- Users are advised to download software only from trusted sources, maintain strong and secure passwords, and apply patches promptly.
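As an added example (not from the article or from Palo Alto Networks), the following SQL audits which non-superuser roles hold the “pg_execute_server_program” privilege the experts mention and revokes it from them; pg_execute_server_program is the built-in role that gates COPY ... FROM PROGRAM in PostgreSQL 11 and later, and app_user is a placeholder role name. Superusers, including the default postgres account that PGMiner brute-forces, hold this privilege implicitly and cannot have it revoked, which is why the strong-password advice above still matters.

```sql
-- 1. Audit: list every role that is a direct member of pg_execute_server_program.
--    pg_auth_members.roleid is the granted role, .member is the role that received it.
SELECT m.rolname   AS member_role,
       m.rolsuper  AS is_superuser,
       am.admin_option
FROM pg_auth_members am
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.roleid
WHERE g.rolname = 'pg_execute_server_program';

-- 2. Revoke the privilege from one specific untrusted role (app_user is a placeholder).
REVOKE pg_execute_server_program FROM app_user;

-- 3. Revoke it from every non-superuser role that still holds it, in one pass.
--    format('%I') quotes role names safely so odd identifiers cannot break the statement.
DO $$
DECLARE r record;
BEGIN
  FOR r IN
    SELECT m.rolname
    FROM pg_auth_members am
    JOIN pg_roles m ON m.oid = am.member
    JOIN pg_roles g ON g.oid = am.roleid
    WHERE g.rolname = 'pg_execute_server_program'
      AND NOT m.rolsuper
  LOOP
    EXECUTE format('REVOKE pg_execute_server_program FROM %I', r.rolname);
  END LOOP;
END $$;

-- 4. Verify: pg_has_role reports whether the role can still use the privilege
--    (directly or through membership in another role). Re-run after the revokes.
SELECT pg_has_role('app_user', 'pg_execute_server_program', 'USAGE') AS can_run_server_programs;
```

Run the audit query again afterwards; any remaining non-superuser rows indicate a grant that was re-applied or inherited through another role and should be traced.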
Apart from this, the security experts are still investigating the botnet to gather more information about it. The botnet is unique because it combines a different set of techniques and processes to attack its victims.
The experts also confirmed that, after analyzing the botnet, they found the malware is designed to track victims, execute, hide, and monetize more effectively.