A recent investigation by Wiz Threat Research has uncovered a cryptomining campaign targeting publicly exposed PostgreSQL servers. The campaign deploys XMRig-C3 cryptominers built to evade detection. Tracked as JINX-0126, it was first documented by Aqua Security but has since adapted to improve its stealth.
The Big Picture

The attackers use brute-force techniques to gain access to PostgreSQL instances protected by guessable credentials. Once access is obtained, they abuse the 'COPY ... FROM PROGRAM' feature to drop and execute malicious scripts. The threat actors then deploy the cryptominers filelessly, which makes detection difficult for conventional security tools that rely on file hash reputation.
The primary malicious binary, named 'postmaster' to mimic the PostgreSQL database server process, is packed with a modified UPX to hinder analysis. The campaign also relies on encrypted configuration data and modified binaries to ensure persistence and stealth. The attackers additionally create privileged user roles and modify system configuration to maintain long-term access.
Impact

Security researchers identified unique mining worker IDs associated with the infected servers and linked three different cryptocurrency wallets to the threat actor. Analysis of these wallets on C3Pool indicates that more than 1,500 machines have likely been compromised.
Conclusion
Experts advise cloud administrators to review their PostgreSQL configurations and ensure that public exposure is minimized. Strengthening authentication and monitoring for suspicious activity can significantly reduce the risk of compromise.
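The three behaviours described above (credential brute force, 'COPY ... FROM PROGRAM' execution, and creation of superuser roles) all leave traces in the PostgreSQL server log when log_connections and log_statement are enabled. The following detector, an added example that is not part of the Wiz write-up, assumes log_line_prefix is set to '%m [%p] %h ' and runs over a constructed sample log; the placeholder commands and role names in the sample are invented.

```python
import re
from collections import Counter

# Assumes log_line_prefix = '%m [%p] %h ' (timestamp, pid, client host);
# adjust LINE_RE if your prefix differs. Continuation lines (DETAIL:, HINT:)
# carry no prefix and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.IGNORECASE)
SUPERUSER_RE = re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.IGNORECASE)
AUTH_FAIL = "password authentication failed"

def analyze(lines, fail_threshold=5):
    """Return (finding, client_host, detail) tuples for brute force,
    COPY ... FROM PROGRAM statements and superuser role creation/promotion."""
    fails = Counter()
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        if AUTH_FAIL in msg:
            fails[host] += 1
        elif msg.startswith("statement: "):
            stmt = msg[len("statement: "):]
            if COPY_PROGRAM_RE.search(stmt):
                findings.append(("copy_from_program", host, stmt))
            elif SUPERUSER_RE.search(stmt):
                findings.append(("superuser_role_change", host, stmt))
    for host, n in fails.items():
        if n >= fail_threshold:
            findings.append(("bruteforce", host, f"{n} failed logins"))
    return findings

# Constructed sample log (not real telemetry): one client fails to log in
# six times, then authenticates and issues the two statements the campaign uses;
# a second client has a single, benign failure.
SAMPLE_LINES = [
    f"2025-04-01 10:00:0{i}.000 UTC [512{i}] 203.0.113.7 FATAL:  "
    'password authentication failed for user "postgres"'
    for i in range(6)
] + [
    "2025-04-01 10:00:30.400 UTC [5131] 203.0.113.7 LOG:  statement: "
    "COPY tmp FROM PROGRAM 'placeholder-command'",
    "2025-04-01 10:00:31.000 UTC [5131] 203.0.113.7 LOG:  statement: "
    "CREATE ROLE svc WITH SUPERUSER LOGIN PASSWORD 'placeholder'",
    "2025-04-01 10:01:00.000 UTC [5140] 10.0.0.12 LOG:  statement: SELECT 1",
    '2025-04-01 10:01:05.000 UTC [5141] 10.0.0.12 FATAL:  password authentication failed for user "app"',
]
```

Running analyze(SAMPLE_LINES) flags only the 203.0.113.7 client, once per behaviour; the brute-force threshold should be tuned to the normal failure rate of the environment.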
IOCs
Wallets
- 4A5ZWpHM6BXS8YF7xNfjXA5ctDjTC3GBwS4ESBV9X2BGVJV8vkfXBeZfXG6w2hmdkpZaogCXiqU4DYPXn3TtPRAGJBLQ7N5
- 47pt9WzQyugFQpSAwcGN2k8JHiMQ3fRZ3BQqmnYJtcejVq9adfiwVSWgrpmxiYTxvvWcHv5dD2iCaiBYiK4atkMSUGMXdx8
- 463TBt8Rn1qXWZDpTV4ydxQcZnkJNeLv6JRKjFbzFsY3MQZaxWsUgQF4QnxNAg8MGSPsiLn9faTWqRafHnhh3QBdSLTgRHA
Source: hxxps[://]www[.]wiz[.]io/blog/postgresql-cryptomining