Over 800k servers at risk due to new cryptojacking malware exploiting PostgreSQL

Researchers at Aqua Nautilus have uncovered a new malware that targets PostgreSQL servers to deploy cryptocurrency miners.

A cybersecurity firm has identified more than 800,000 servers potentially vulnerable to a cryptocurrency attack targeting PostgreSQL, an open-source relational database management system used to store, manage and retrieve data for a variety of applications.

According to a research report shared with Crypto.news, the malware, dubbed “PG_MEM,” starts by trying to access PostgreSQL databases via a brute-force attack and manages to infiltrate databases with weak passwords.

Once the malware infiltrates the system, it creates a superuser role with administrative privileges, which allows it to take full control of the database and block access from other users. With this control, the malware executes shell commands on the host system, facilitating the download and distribution of additional malicious payloads.

The report stated that two files were included that were designed to enable the malware to evade detection, set up the system for cryptocurrency mining, and distribute the XMRIG mining tool used for mining Monero (XMR).

XMRIG is frequently used by threat actors due to Monero’s difficult-to-trace transactions. Last year, an educational platform was compromised in a cryptocurrency hijacking campaign where attackers deployed a hidden script that loaded XMRIG onto every visitor’s system.

Malware hijacks PostgreSQL servers to deploy crypto miners

Analysts found that the malware removes existing cron jobs, which are scheduled tasks that run automatically at certain intervals on a server, and creates new jobs to ensure the crypto miner continues to operate.

This allows the malware to continue its operations even if the server is rebooted or some processes are temporarily stopped. To remain unnoticed, the malware deletes certain files and logs that can be used to track or identify its activities on the server.

Researchers noted that the primary goal of the campaign was to introduce a cryptocurrency miner, but the attackers also took control of the affected server, further demonstrating the seriousness of the attack.

Cryptocurrency exfiltration campaigns targeting PostgreSQL databases have been a recurring threat over the years. In 2020, researchers at Palo Alto Networks’ Unit 42 uncovered a similar cryptocurrency exfiltration campaign involving the PgMiner botnet. In 2018, the StickyDB botnet was discovered infiltrating servers to mine Monero.