Analysis of MS-SQL Server Proxyjacking Cases – ASEC BLOG

ASEC reports LoveMiner proxyware campaigns targeting poorly managed MS-SQL servers, combining proxyjacking and cryptomining operations. Attackers use multiple proxyware providers (Peer2Profit previously; now IP Royal Pawns, Traffmonetizer, Proxyrack, and PacketStream) and .NET Native AOT dropper variants to deploy malware. #LoveMiner #Peer2Profit #IPRoyalPawns #Traffmonetizer #Proxyrack #PacketStream #winupdate0.mdf

Keypoints

  • Threat actors target publicly accessible MS-SQL servers with weak passwords via brute force or dictionary attacks to gain initial access.
  • LoveMiner exists in a downloader form and a loader form; the loader form loads XMRig, which is embedded in its internal resource named "gmp", directly in memory to perform cryptomining, so no miner binary needs to be written to disk.
  • Proxyjacking and cryptomining are conducted together, using proxyware from multiple providers (IPRoyal Pawns, Traffmonetizer, Proxyrack, PacketStream).
  • New attacks show LoveMiner variants and a .NET Native AOT dropper (winupdate0.mdf) similar to prior LoveMiner components.
  • The malware installs various proxyware tools (Traffmonetizer, IPRoyal Pawns, Proxyrack, PacketStream) via a dropper that uses warpstrat.dll as a launcher.
  • Administrators are advised to strengthen MS-SQL passwords, apply patches, and limit external access to reduce risk.

MITRE Techniques

  • [T1110] Brute Force – Used to gain initial access to poorly managed MS-SQL servers via brute force or dictionary attacks against weak passwords. “[target poorly managed MS-SQL servers and attempt to gain access through brute force or dictionary attacks.]”
  • [T1496] Resource Hijacking (Proxyjacking) – Proxyware is installed without authorization so that a portion of the victim's bandwidth is sold for profit. “[Proxyjacking involves the unauthorized installation of proxyware on infected systems, which allows threat actors to share a portion of the system’s Internet bandwidth with external sources for financial gain.]”
  • [T1496] Resource Hijacking (Cryptomining) – The loader form loads XMRig from its internal resource and runs the miner in memory against the actor's mining pool. “[…loader loads XMRig, which is stored in the internal resource ‘gmp’, on the memory side. … the string “gmp” used in the resource name is still being used in recent attacks.]”
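The T1110 entry above is the part of this campaign defenders can catch before any proxyware lands: a password-guessing run against MS-SQL leaves a burst of "Login failed for user" lines in the SQL Server ERRORLOG. The following is an added example (not code from the ASEC post or from AhnLab) that parses such lines and flags any client address reaching a threshold of failures inside a sliding window. The ERRORLOG excerpt is constructed for the example, as are the client addresses and the threshold and window values; the line shape (timestamp, "Logon", user, reason, "[CLIENT: ...]") follows the standard SQL Server error-log format.

```python
import re
from datetime import datetime

# Constructed SQL Server ERRORLOG excerpt (made up for this example, not from the ASEC post).
# 203.0.113.7 plays the brute-forcing host; 198.51.100.20 is a single admin typo.
SAMPLE_ERRORLOG = """\
2024-05-01 03:12:01.11 Logon       Error: 18456, Severity: 14, State: 8.
2024-05-01 03:12:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:12:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:12:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:12:04.77 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2024-05-01 03:12:05.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:12:06.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-05-01 03:15:00.00 Logon       Login failed for user 'dbadmin'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]
2024-05-01 03:20:30.55 spid52      Starting up database 'tempdb'.
"""

# Matches only the "Login failed" lines; the preceding "Error: 18456" line and
# unrelated spid lines fall through.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, client) for every failed-login line in `text`."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        # ERRORLOG timestamps carry two fractional digits; %f accepts 1 to 6 of them.
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("user"), m.group("client")))
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {client: (max failures in any window, sorted list of users tried)} for every
    client that reaches `threshold` failed logins within some span of `window_seconds`.
    Threshold and window are assumed values; tune them to the server's normal login noise."""
    by_client = {}
    for ts, user, client in parse_failed_logins(text):
        by_client.setdefault(client, []).append((ts, user))

    hits = {}
    for client, events in by_client.items():
        events.sort()
        times = [ts for ts, _ in events]
        best, start = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[client] = (best, sorted({u for _, u in events}))
    return hits


if __name__ == "__main__":
    for client, (count, users) in detect_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{client}: {count} failed logins in 60 s, users tried: {users}")
```

To run this against a real server, feed it the output of `xp_readerrorlog` or the ERRORLOG file itself; by default SQL Server logs failed logins only, so a brute-force run that eventually succeeds shows up as a burst of failures followed by silence from that client, which is exactly the pattern worth alerting on.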

Indicators of Compromise

  • [Domain] point-of-presence.sock[.]sh – used in campaign infrastructure
  • [File name] winupdate0.mdf – proxyware dropper (new variant)
  • [File name] sdk.mdf – proxyware dropper (older variant)
  • [File name] warpstrat.dll – launcher tool used to execute proxyware
  • [File name] sraffzer.exe – Traffmonetizer proxyware component
  • [File name] settings.json – Traffmonetizer configuration
  • [File name] sqlgo.exe – Proxyrack proxyware component
  • [File name] prokey.obj – Proxyrack device_id store
  • [File name] psexitnode.exe – PacketStream proxyware
  • [File name] SQLSERVERHUP.dll – IPRoyal proxyware component
  • [Credential] gmpgmp@duck[.]com – actor email used with IPRoyal Pawns
  • [MD5] e8997e7d0cfee9875eb64b3aae8cc76a, ec336ebe46d1ed6b0381801d06fb30b4 (Proxyware Dropper and related components)
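The indicators above are only useful once they are run against something. The following is an added example (not code from the ASEC post or from AhnLab) that sweeps a file inventory and a DNS query log for the listed file names, MD5 hashes and domain. The inventory rows, the DNS log lines and the benign hashes are constructed for the example; the IOC values themselves are the ones listed above. settings.json is deliberately left out of the name list because on its own it is far too common to flag; the remaining names are matched on the basename, case-insensitively, since SQLSERVERHUP.dll is clearly chosen to blend in with legitimate SQL Server files.

```python
import re

# IOCs as listed in the ASEC post. The domain is kept in its defanged form and refanged
# at match time so it can be pasted in exactly as published.
IOC_FILENAMES = {n.lower() for n in (
    "winupdate0.mdf", "sdk.mdf", "warpstrat.dll", "sraffzer.exe",
    "sqlgo.exe", "prokey.obj", "psexitnode.exe", "SQLSERVERHUP.dll",
)}
IOC_MD5 = {"e8997e7d0cfee9875eb64b3aae8cc76a", "ec336ebe46d1ed6b0381801d06fb30b4"}
IOC_DOMAINS = {"point-of-presence.sock[.]sh"}

# Constructed (path, md5) inventory as a file-integrity tool or forensic listing would
# produce it; the hashes on the benign rows are made up.
SAMPLE_INVENTORY = [
    (r"C:\Windows\Temp\winupdate0.mdf", "e8997e7d0cfee9875eb64b3aae8cc76a"),
    (r"C:\Users\Public\Libraries\svc.bin", "ec336ebe46d1ed6b0381801d06fb30b4"),
    (r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "0123456789abcdef0123456789abcdef"),
    (r"C:\ProgramData\app\settings.json", "fedcba9876543210fedcba9876543210"),
    (r"C:\Windows\System32\SQLSERVERHUP.DLL", "00000000000000000000000000000001"),
]

# Constructed DNS query log lines in a generic syslog-like shape (not a specific product's format).
SAMPLE_DNS_LOG = """\
May  1 03:14:02 sql01 dns: query A point-of-presence.sock.sh from 10.0.0.15
May  1 03:14:05 sql01 dns: query A update.microsoft.com from 10.0.0.15
May  1 03:14:09 sql01 dns: query A cdn.point-of-presence.sock.sh from 10.0.0.15
May  1 03:14:11 sql01 dns: query A sock.sh from 10.0.0.15
"""


def refang(indicator):
    """Turn a defanged indicator such as 'sock[.]sh' or 'hxxp://' back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def match_files(inventory):
    """Return [(path, reason)] for every inventory row whose basename or MD5 is an IOC.
    reason is 'filename', 'md5' or 'filename+md5'."""
    hits = []
    for path, md5 in inventory:
        name = re.split(r"[\\/]", path)[-1].lower()
        reasons = []
        if name in IOC_FILENAMES:
            reasons.append("filename")
        if md5.lower() in IOC_MD5:
            reasons.append("md5")
        if reasons:
            hits.append((path, "+".join(reasons)))
    return hits


def match_dns(log_text):
    """Return the queried names that equal an IOC domain or sit beneath one.
    A bare parent such as 'sock.sh' is not a hit, only the listed host and its subdomains."""
    domains = {refang(d).lower() for d in IOC_DOMAINS}
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"query \S+ (\S+) ", line)
        if not m:
            continue
        qname = m.group(1).lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in domains):
            hits.append(qname)
    return hits


if __name__ == "__main__":
    for path, reason in match_files(SAMPLE_INVENTORY):
        print(f"file hit ({reason}): {path}")
    for qname in match_dns(SAMPLE_DNS_LOG):
        print(f"dns hit: {qname}")
```

The second inventory row shows why the hash list matters even with a name list: a dropper renamed to something innocuous still matches on MD5. Conversely, the SQLSERVERHUP.DLL row matches on name alone, which is the weaker signal; on a real host, a name-only hit should be confirmed by hashing the file or checking its signature before it is treated as an infection.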

Read more: https://asec.ahnlab.com/en/56350/