An innovative Linux-based cryptocurrency mining botnet has been uncovered, which exploits a disputed PostgreSQL remote code-execution (RCE) vulnerability to compromise database servers. The malware is unusual and completely novel in a host of ways, researchers said.
According to researchers at Palo Alto Networks’ Unit 42, the miner (dubbed “PGMiner”) exploits CVE-2019-9193 in PostgreSQL, also known as Postgres, which is a popular open-source relational database management system for production environments. They said this could be the first-ever cryptominer that targets the platform.
“The feature in PostgreSQL under exploitation is ‘copy from program,’ which was introduced in version 9.3 on Sept. 9, 2013,” according to Unit 42 researchers, in a Thursday post. “In 2018, CVE-2019-9193 was linked to this feature, naming it as a vulnerability. However, the PostgreSQL community challenged this assignment, and the CVE has been labeled as ‘disputed.'”
They added, “it is notable that malware actors have started to weaponize not only confirmed CVEs, but also disputed ones.”
The feature allows a local or remote superuser to run shell script directly on the server, which is ripe for exploitation by cyberattackers. However, there’s no risk for RCE as long as the superuser privilege is not granted to remote or untrusted users, and the access control and authentication system is properly configured, according to Unit 42. On the other hand, if it’s not properly configured, PostgreSQL can allow RCE on the server’s OS beyond the PostgreSQL software, “if the attacker manages to own the superuser privilege by brute-forcing password or SQL injection,” researchers said.
The latter scenario is exactly what PGMiner accomplishes.
The malware sample that Unit 42 analyzed statically links to a client library (“libpq postgresql”), which is used to scan for target database servers to be brute forced.
“The attacker scans port 5432 (0x1538), used by PostgreSQLql,” researchers said. “The malware randomly picks a public network range (e.g., 18.104.22.168, 22.214.171.124) in an attempt to perform RCE on the PostgreSQL server. With the user ‘postgres,’ which is the default user of the database, the attacker performs a brute-force attack iterating over a built-in list of popular passwords such as 112233 and 1q2w3e4r to crack the database authentication.”
After breaking in with superuser status, the malware uses CVE-2019-9193, a “copy from program” feature, to download and launch the coin-mining scripts, according to the report.
The miner takes a fileless approach, deleting the PostgreSQL table right after code launch, researchers said: PGMiner clears the “abroxu” table if it exists, creates a new “abroxu” table with a text column, saves the malicious payload to it, executes the payload on the PostgreSQL server and then clears the created table.
Once installed, the malware uses curl to carry out tasks. Curl is a command-line tool to transfer data to or from a server. If curl isn’t available on the victim’s machine, researchers found that the malicious script tries multiple approaches to download the curl binary and add it to the execution paths, including: Direct installation from official package management utilities like apt-get and yum; downloading the static curl binary from GitHub; or downloading it using /dev/tcp in case the first two ways don’t work.
“While the first two approaches are well-known, the third one is quite unique,” according to Unit 42. “What’s more interesting is the target IP address: 94[.]237[.]85[.]89. It is connected to the domain newt[.]keetup[.]com. While its parent domain, keepup[.]com, seems like a legitimate business website, this particular subdomain is redirecting port 80 to 443, which is used to host a couchdb named newt. Although port 8080 is not open to the public, we believe it has been configured to allow Cross-Origin Resource Sharing (CORS).”
The next step is connecting to the command-and-control server (C2) via SOCKS5 proxies. Then, PGMiner collects system information and sends it to the C2 for victim identification to determine which version of the coin-mining payload should be downloaded.
“After resolving the SOCKS5 proxy server IP address, PGMiner rotates through a list of folders to find the first one that allows permission to create a new file and update its attributes,” researchers said. “This ensures the downloaded malicious payload can successfully execute on the victim’s machine.”
The next step, researchers said, is environment cleanup: It removes cloud security monitoring tools such as Aegis, and Qcloud monitor utilities such as Yunjing; checks for virtual machines; kills all other CPU intensive processes such as system updates; and kills competitor mining processes.
The last task of course is to begin stealing CPU processor power to mine for Monero.
“During our analysis, we found that PGMiner constantly reproduces itself by recursively downloading certain modules,” according to the analysis. “[The] C2 server for this malware family is constantly updating. Different modules are distributed across different C2s.”
The downloaded malware impersonates the tracepath process to hide its presence, researchers added.
As for how successful or widespread the botnet is, the researchers said they observed this particular PGMiner sample attempting to connect to a mining pool for Monero, but it wasn’t active. So, information about the malware’s profit or footprint is unknown.
To protect their servers, PostgreSQL users can remove the “pg_execute_server_program” privilege from untrusted users, which makes the exploit impossible, according to Unit 42. It’s also possible to search and kill the “tracepath” process, and kill the processes whose process IDs (PIDs) have been tracked by the malware in “/tmp/.X11-unix/”.
“The fact that PGMiner is exploiting a disputed vulnerability helped it remain unnoticed until we recently uncovered it,” researchers noted, adding that it exhibits a raft of novel behavior.
“During our analysis, we observed new techniques, such as embedding victim identification in the request, impersonating a trusted process name, downloading curl binary via multiple approaches and more and aggressively killing all competitor programs,” according to the firm. “Other traits, such as the malware recursively downloading itself and frequently changing C2 addresses, also indicate PGMiner is still rapidly evolving.”
It could easily evolve to target Windows and macOS as well, researchers added.
Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back.
Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.