Hackers target Microsoft SQL and MySQL database servers to deploy the Gh0stCringe remote access trojan on vulnerable devices. Gh0stCringe (also known as CirenegRAT) is a variant of the Gh0stRAT malware; it was most recently deployed in 2020 Chinese cyber-espionage operations but dates back to 2018. Security researchers have found that the Gh0stCringe threat actors are targeting database servers with weak account credentials and no oversight, which could lead to more victims.
As the article on bleepingcomputer.com describes (see below), the threat actors breach the database servers and use the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes to write the malicious ‘mcsql.exe’ executable to disk.
Gh0stCringe was developed from the publicly released source code of Gh0st RAT. The differences between the two are shown below:
The malware can be deployed with the following settings, each controlling one of its functions:
- Self-copy [On/Off]: If turned on, copies itself to a certain path depending on the mode.
- Mode of execution [Mode]: Can have values of 0, 1, and 2. See below for explanations on the modes.
- File size change [Size]: In Mode #2, the malware copies itself to the path ‘%ProgramFiles%\Cccogae.exe’, and if a value is set, it appends junk data of the designated size to the end of the file.
- Analysis disruption technique [On/Off]: Obtains the PIDs of its parent process and of the explorer.exe process. If the result is 0, it terminates itself.
- Keylogger [On/Off]: If turned on, the keylogging thread runs.
- Rundll32 process termination [On/Off]: If turned on, executes the ‘taskkill /f /im rundll32.exe’ command to terminate the running rundll32 process.
- Self-copy file property [Attr]: Sets the file attributes to read-only, hidden, and system (FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM).
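The behaviours the article lists (a database server process writing and launching mcsql.exe, the ‘taskkill /f /im rundll32.exe’ command, and the Mode #2 self-copy to ‘%ProgramFiles%\Cccogae.exe’) are all visible in ordinary endpoint telemetry. The detector below is an added example, not code from the article or from the researchers it cites: it scans JSON-lines records using Sysmon-style field names (EventType, Image, ParentImage, CommandLine, TargetFilename), which is an assumption about the log format, and the sample events are constructed rather than real telemetry.

```python
"""Detect the Gh0stCringe deployment pattern described above in process and
file events. Added example; field names assume Sysmon-style JSON records and
the sample log is constructed, not captured from a real host."""
import json
import ntpath

# Database server processes the article names as the parents that drop mcsql.exe
DB_SERVER_IMAGES = {"mysqld.exe", "mysqld-nt.exe", "sqlserver.exe"}
# File names the article associates with the malware
DROPPER_NAME = "mcsql.exe"
SELFCOPY_NAME = "cccogae.exe"   # %ProgramFiles%\Cccogae.exe in Mode #2


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return the list of indicator names an event matches (empty if none)."""
    hits = []
    etype = event.get("EventType")
    if etype == "ProcessCreate":
        image = _basename(event.get("Image"))
        parent = _basename(event.get("ParentImage"))
        # Collapse repeated whitespace so '/f  /im' still matches
        cmd = " ".join((event.get("CommandLine") or "").lower().split())
        # A database server spawning the named dropper is the specific pattern;
        # a database server spawning any other child is still worth a look.
        if parent in DB_SERVER_IMAGES and image == DROPPER_NAME:
            hits.append("db-server-spawns-mcsql")
        elif parent in DB_SERVER_IMAGES and image not in DB_SERVER_IMAGES:
            hits.append("db-server-spawns-child")
        # Rundll32 termination setting: 'taskkill /f /im rundll32.exe'
        if image == "taskkill.exe" and "/im rundll32.exe" in cmd and "/f" in cmd:
            hits.append("taskkill-rundll32")
    elif etype == "FileCreate":
        target = event.get("TargetFilename") or ""
        if _basename(target) == SELFCOPY_NAME and "program files" in target.lower():
            hits.append("selfcopy-cccogae")
        if _basename(target) == DROPPER_NAME:
            hits.append("mcsql-written")
    return hits


def scan(lines):
    """Scan an iterable of JSON lines; return [(line_no, [indicators])] for matches."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        hits = classify(event)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_LOG = r"""
{"EventType": "ProcessCreate", "Image": "C:\\Program Files\\MySQL\\bin\\mysqld.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "mysqld.exe --defaults-file=my.ini"}
{"EventType": "FileCreate", "Image": "C:\\Program Files\\MySQL\\bin\\mysqld.exe", "TargetFilename": "C:\\Windows\\Temp\\mcsql.exe"}
{"EventType": "ProcessCreate", "Image": "C:\\Windows\\Temp\\mcsql.exe", "ParentImage": "C:\\Program Files\\MySQL\\bin\\mysqld.exe", "CommandLine": "mcsql.exe"}
{"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\taskkill.exe", "ParentImage": "C:\\Windows\\Temp\\mcsql.exe", "CommandLine": "taskkill  /f /im rundll32.exe"}
{"EventType": "FileCreate", "Image": "C:\\Windows\\Temp\\mcsql.exe", "TargetFilename": "C:\\Program Files\\Cccogae.exe"}
{"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {', '.join(hits)}")
```

The broad "db-server-spawns-child" indicator is deliberately separate from the specific mcsql.exe match: a database engine normally has no business creating child processes at all, so that rule catches renamed droppers, while the name-based rules give high-confidence matches for the exact artifacts the article lists.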