Hackers target poorly secured Microsoft SQL and MySQL database servers to deploy the Gh0stCringe remote access trojans on vulnerable devices.
Gh0stCringe, aka CirenegRAT, is a variant of Gh0st RAT malware that was most recently deployed in 2020 Chinese cyber-espionage operations but dates as far back as 2018.
In a new report today by cybersecurity firm AhnLab, researchers outline how the threat actors behind GhostCringe are targeting poorly secured database servers with weak account credentials and no oversight.
As you can see below, the threat actors are breaching the database servers and using the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes to write the malicious ‘mcsql.exe’ executable to disk.
These attacks are similar to the Microsoft SQL server attacks we reported last February, which dropped Cobalt Strike beacons using the Microsoft SQL
In addition to Gh0stCringe, AhnLab’s report mentions the presence of multiple malware samples on the examined servers, indicating competing threat actors are breaching the same servers to drop payloads for their own campaigns.
Gh0stCringe on the server
Gh0stCringe RAT is a powerful malware that establishes a connection with the C2 server to receive custom commands or exfiltrate stolen information to the adversaries.
The malware can be configured during deployment with specific settings concerning its functions, as detailed below:
- Self-copy [On/Off]: If turned on, it copies itself to a certain path depending on the mode.
- Mode of execution [Mode]: Can have values of 0, 1, and 2.
- File size change [Size]: In Mode #2, the malware copies itself to the path ‘%ProgramFiles%\Cccogae.exe’, and if there is a set value, it adds junk data of the designated size to the back of the file.
- Analysis disruption technique [On/Off]: Obtains the PID of its parent process and the explorer.exe process. If it results in a value of 0, terminates itself.
- Keylogger [On/Off]: If turned on, the keylogging thread operates.
- Rundll32 process termination [On/Off] If turned on, executes ‘taskkill /f /im rundll32.exe’ command to terminate the rundll32 process that is running.
- Self-copy file property [Attr]: Sets property to read-only, hidden, and system (FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM).
Of the above, the keylogger is maybe the most aggressive component as this is what steals user inputs from the compromised system.
The keylogging component uses the Windows Polling method (GetAsyncKeyState API) for querying the state of every key through an endless loop.
This otherwise reliable logging method introduces the risk of suspiciously high CPU usage, but in poorly managed servers, this is unlikely to cause problems to the threat actors.
The malware will also monitor the keypresses for the last three minutes and send them with basic system and network information to the malware’s command and control servers.
These logged keystrokes will allow the threat actors to steal login credentials and other sensitive information that logged-in users entered on the device.
Modes and commands
CirenegRAT supports four operational modes, namely 0, 1, 2, and a special Windows 10 mode, selected by the threat actor during deployment.
The modes configure how persistence is established via the modification of the Windows registry and the activation of the self-copy module. For example, Mode #0 is running without persistence, while Mode #2 establishes persistence and considers self-copy settings.
As for the remote commands supported by the RAT, these are summed up in the following:
- Download additional payloads from the C2 and execute them.
- Connect to a URL via IE
- Destroy MBR (master boot record)
- Keylogging (independent command)
- Steal clipboard database
- Collect Tencent-related information
- Register Run Key
- Terminate host system
- Reboot NIC
- Scan for running processes
- Display message pop-up
How to secure database servers
First, update your server software to apply the latest available security updates, which helps exclude a range of attacks that leverage known vulnerabilities.
It is also essential to use a strong admin password that is hard to guess or brute-force.
The most crucial step is to place the database server behind a firewall allowing only authorized devices to access the server.
Finally, monitor all actions to identify suspicious reconnaissance activity and use a data access controller for data transaction policy inspection.