Cybersecurity researchers have identified a new malware strain named PG_MEM, which is specifically designed to mine cryptocurrency by infiltrating PostgreSQL database instances through brute-force attacks.
According to Aqua Security researcher Assaf Morag, the attackers exploit weak passwords by repeatedly attempting to guess database credentials until they gain access. Once inside, they use the “COPY … FROM PROGRAM” SQL command to execute arbitrary shell commands on the host, enabling them to carry out malicious activities such as stealing data or deploying malware.
The attack sequence observed by the cloud security firm involves targeting poorly configured PostgreSQL databases, creating an administrator role, and exploiting the “PROGRAM” feature to execute shell commands. After successfully brute-forcing the credentials, the attackers conduct reconnaissance and strip the “postgres” user of superuser privileges, limiting access for other potential attackers.
The shell commands used by the attackers download two payloads, PG_MEM and PG_CORE, from a remote server (“128.199.77[.]96”). These payloads terminate competing processes like Kinsing, establish persistence on the host, and deploy a Monero cryptocurrency miner. The attack leverages the PostgreSQL “COPY” command, particularly the “PROGRAM” parameter, to run commands on the server and record the results.
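Each step of the chain described above leaves a trace in the PostgreSQL server log: a burst of failed password authentications from one client address, a role created with SUPERUSER (or the built-in “postgres” role demoted), and a COPY statement whose source is PROGRAM. The script below is an added detection example written for this article; it is not code from Aqua Security or from the PostgreSQL project. It assumes log_line_prefix = '%m [%p] %u@%d %h ' together with log_connections = on and log_statement = 'all' (so that logins and statements are recorded), and it runs over a small constructed log excerpt whose addresses, timestamps and role name are placeholders.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log_line_prefix = '%m [%p] %u@%d %h ' (a common choice, not PostgreSQL's default).
# Captures the timestamp, user, database, client host, severity and message of each line.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] '
    r'(?P<user>[^@\s]*)@(?P<db>\S*) (?P<host>\S*) (?P<level>[A-Z]+):\s+(?P<msg>.*)$'
)
AUTH_FAIL_RE = re.compile(r'^password authentication failed for user "(?P<user>[^"]+)"')
# "COPY ... FROM PROGRAM" is the server-side command-execution path abused by PG_MEM;
# COPY from a file path or STDIN is ordinary bulk loading and must not fire.
COPY_PROGRAM_RE = re.compile(r'\bCOPY\b.*\bFROM\s+PROGRAM\b', re.IGNORECASE)
# New superuser roles and demotion of existing ones (e.g. "ALTER ROLE postgres NOSUPERUSER").
ROLE_CHANGE_RE = re.compile(r'\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\b(NO)?SUPERUSER\b', re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y-%m-%d %H:%M:%S')
    return rec


def analyze(lines, fail_threshold=5, window_seconds=60):
    """Return findings for the three behaviours of the chain: brute force, superuser
    tampering and COPY FROM PROGRAM. Multi-line statements are not reassembled here."""
    findings = []
    recent_failures = defaultdict(deque)   # client host -> timestamps of recent failed logins
    alerted_hosts = set()                  # report each brute-forcing host only once
    window = timedelta(seconds=window_seconds)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec['msg']
        # 1. credential brute force: fail_threshold failures from one host inside the window
        if AUTH_FAIL_RE.match(msg):
            q = recent_failures[rec['host']]
            q.append(rec['ts'])
            while q and rec['ts'] - q[0] > window:
                q.popleft()
            if len(q) >= fail_threshold and rec['host'] not in alerted_hosts:
                alerted_hosts.add(rec['host'])
                findings.append({'rule': 'brute_force', 'host': rec['host'],
                                 'count': len(q), 'ts': rec['ts']})
            continue
        if not msg.startswith('statement: '):
            continue
        stmt = msg[len('statement: '):]
        base = {'host': rec['host'], 'user': rec['user'], 'statement': stmt, 'ts': rec['ts']}
        # 2. privilege tampering: a new superuser role or demotion of an existing one
        if ROLE_CHANGE_RE.search(stmt):
            findings.append({'rule': 'superuser_change', **base})
        # 3. shell execution on the database host through COPY ... FROM PROGRAM
        if COPY_PROGRAM_RE.search(stmt):
            findings.append({'rule': 'copy_from_program', **base})
    return findings


# Constructed sample log: 203.0.113.5 and 10.0.0.8 are documentation/private addresses,
# "new_admin" is a placeholder role name. The COPY from a CSV file is benign control data.
SAMPLE_LOG = """\
2024-08-20 10:00:01.101 UTC [4101] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:02.140 UTC [4102] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:03.180 UTC [4103] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:04.202 UTC [4104] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:05.233 UTC [4105] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:00:07.220 UTC [4106] postgres@postgres 203.0.113.5 LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:00:09.005 UTC [4106] postgres@postgres 203.0.113.5 LOG:  statement: CREATE ROLE new_admin LOGIN SUPERUSER PASSWORD '<redacted>'
2024-08-20 10:00:10.310 UTC [4106] postgres@postgres 203.0.113.5 LOG:  statement: COPY tmp FROM PROGRAM 'id'
2024-08-20 10:00:12.050 UTC [4106] postgres@postgres 203.0.113.5 LOG:  statement: ALTER ROLE postgres NOSUPERUSER
2024-08-20 10:05:00.000 UTC [4200] app@orders 10.0.0.8 LOG:  statement: COPY orders FROM '/var/lib/postgresql/import/orders.csv' CSV
2024-08-20 10:05:01.000 UTC [4200] app@orders 10.0.0.8 LOG:  statement: SELECT count(*) FROM orders
"""

if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f['ts'], f['rule'], f.get('host'), f.get('statement', f.get('count')))
```

Run against the sample, the script reports the brute-force burst from 203.0.113.5 once it reaches five failures inside the 60-second window, the CREATE ROLE ... SUPERUSER statement, the COPY ... FROM PROGRAM statement, and the demotion of “postgres”, while the application's file-based COPY and its SELECT produce nothing. On a real deployment the same rules are cheap to express in whatever log pipeline already ingests postgresql.log; the brute-force rule is only useful if failed logins are actually reachable from the network, which is itself the misconfiguration the campaign depends on.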
While the primary goal is cryptocurrency mining, the attackers can also execute commands, access data, and take control of the server. This campaign specifically targets PostgreSQL databases with weak passwords, often due to misconfigurations and inadequate identity controls.
The discovery coincides with another opportunistic attack detailed by Datadog Security Labs, where the Log4Shell vulnerability (CVE-2021-44228, CVSS score: 10.0) in Apache Log4j was exploited to deploy an XMRig miner and a reverse shell for remote access.