Security researchers from AhnLab have come across a campaign in which attackers install a backdoor on poorly secured Microsoft SQL and MySQL servers. This is the remote access Trojan Gh0stCringe. It is suspected that the infection occurs via cracked admin access to the servers. Here is some brief information about it.
The colleagues at Bleeping Computer covered the whole thing in the following tweet as well as in this post. The details can be read in the blog post Gh0stCringe RAT Being Distributed to Vulnerable Database Servers by AhnLab on ASEC.
Gh0stCringe is also known as CirenegRAT. It is one of the malware variants based on the (publicly available) code of Gh0st RAT. It was first discovered in December 2018 and is known to have spread via an SMB vulnerability (using ZombieBoy's SMB vulnerability tool). Recently, Gh0stCringe RAT was found being distributed to vulnerable database servers.
Gh0stCringe-related logs in AhnLab's ASD show that logs were created not only by the sqlservr.exe process (MS SQL Server) but also by the MySQL server process in Windows environments (see figure above). "Vulnerable" as a server could mean: not up to date with the latest patches and possibly secured with weak passwords. However, since both MS SQL servers and MySQL servers are affected, AhnLab assumes that Gh0stCringe targets poorly managed DB servers with vulnerable credentials. Besides executing C&C commands, the malware can perform various functions depending on its settings. Here are the possible settings:
- Self-copy [On/Off]: If this function is enabled, the malware copies itself to a certain path, depending on the mode.
- Mode of execution [Mode]: Can have the values 0, 1 and 2 (for an explanation see the following text and AhnLab's article).
- File size change [Size]: In mode 2, the malware copies itself to the path "%ProgramFiles%\Cccogae.exe" and, for a certain value, appends junk data of the specified size to the end of the file.
- Analysis disruption technique [On/Off]: Determines the PID of the parent process and of the explorer.exe process. If the value is 0, the malware terminates itself.
- Keylogger [On/Off]: If enabled, the keylogger thread runs.
- Rundll32 process termination [On/Off]: If enabled, the command 'taskkill /f /im rundll32.exe' is executed to terminate the running rundll32 process.
- Self-copy file attributes [Attr]: Sets the attributes of the copied file to read-only, hidden and system (FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM).
Details on how to detect infection have been published by the security researchers in their article.
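As an added detection example (not code from the AhnLab report or the Bleeping Computer post), the following Python checks a few constructed telemetry lines for the behaviours listed above: a database server process spawning a child, the exact rundll32 taskkill command line, a drop of Cccogae.exe, and a file carrying the read-only, hidden and system attributes together. The pipe-separated line format and the sample events are assumptions, not any real product's log format.

```python
"""Detection helpers for the Gh0stCringe behaviours described in the article."""
import re

# Win32 file attribute bits: FILE_ATTRIBUTE_READONLY | HIDDEN | SYSTEM
ATTR_READONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x1, 0x2, 0x4
ATTR_MASK = ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM

# Database server images the article names as the observed log sources
DB_SERVER_IMAGES = {"sqlservr.exe", "mysqld.exe"}
# Self-copy target name used in mode 2
DROP_NAME = "cccogae.exe"
# Exact rundll32 termination command quoted in the article
TASKKILL_RE = re.compile(r"\btaskkill\s+/f\s+/im\s+rundll32\.exe\b", re.IGNORECASE)

# Constructed sample telemetry (hypothetical format):
#   kind|parent_image|image_or_path|command_line|file_attributes_hex
SAMPLE_LOG = [
    "process|sqlservr.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c taskkill /f /im rundll32.exe|",
    "process|mysqld.exe|C:\\Program Files\\Cccogae.exe|Cccogae.exe|",
    "file|Cccogae.exe|C:\\Program Files\\Cccogae.exe||0007",
    "process|services.exe|C:\\Program Files\\MySQL\\bin\\mysqld.exe|mysqld.exe --defaults-file=my.ini|",
    "file|explorer.exe|C:\\Users\\admin\\notes.txt||0020",
]


def parse_event(line: str) -> dict:
    """Split one telemetry line into its five fields; attributes are hex or empty."""
    kind, parent, target, cmdline, attrs = line.rstrip("\n").split("|")
    return {"kind": kind, "parent": parent.lower(), "target": target,
            "cmdline": cmdline, "attrs": int(attrs, 16) if attrs else 0}


def findings(ev: dict) -> list:
    """Return the indicator names matched by one event (empty list means benign)."""
    hits = []
    base = ev["target"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if ev["kind"] == "process" and ev["parent"] in DB_SERVER_IMAGES and base not in DB_SERVER_IMAGES:
        hits.append("db-server-spawned-process")   # sqlservr/mysqld should not spawn tools
    if ev["kind"] == "process" and TASKKILL_RE.search(ev["cmdline"]):
        hits.append("rundll32-taskkill")
    if ev["kind"] == "file":
        if base == DROP_NAME:
            hits.append("cccogae-dropped")
        if ev["attrs"] & ATTR_MASK == ATTR_MASK:   # all three bits set at once
            hits.append("readonly-hidden-system-attrs")
    return hits


def scan(lines) -> list:
    """Return (target, [indicators]) for every event that matched at least one rule."""
    out = []
    for ev in map(parse_event, lines):
        hits = findings(ev)
        if hits:
            out.append((ev["target"], hits))
    return out
```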