Full Report
Researchers have discovered a new PostgreSQL malware called PG_MEM, which uses brute force attacks to access databases, hide its operations, and mine cryptocurrency. The attack involves creating a superuser role, delivering two malware payloads, and evading detection while eli...
Analysis Summary
# Tool/Technique: PG_MEM
## Overview
PG_MEM is a newly discovered PostgreSQL malware designed to compromise misconfigured database instances. Its primary goals are to gain persistent access, evade detection, and hijack compromised resources for cryptocurrency mining.
## Technical Details
- Type: Malware family
- Platform: PostgreSQL database servers
- Capabilities: Brute force access, persistence via superuser creation, payload delivery, cryptocurrency mining, competitive elimination.
- First Seen: August 19, 2024 (Publication Date)
## MITRE ATT&CK Mapping
*Note: Specific technique IDs are implied based on reported actions; precise mapping depends on full technical write-up.*
- **TA0001 - Initial Access**
  - T1110 - Brute Force
  - T1190 - Exploit Public-Facing Application (Implied via misconfiguration abuse)
- **TA0003 - Persistence**
  - T1548.003 - Abuse Extension (If persistence is achieved via PostgreSQL extensions/functions)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Implied by hiding operations)
- **TA0011 - Command and Control**
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell (If Windows target) / T1059.004 - Command and Scripting Interpreter: Unix Shell (If Linux target)
- **TA0008 - Lateral Movement / TA0010 - Execution**
  - T1204.002 - User Execution: Malicious File (If users interact with delivered payloads)
## Functionality
### Core Capabilities
- **Initial Access:** Exploits weaknesses in PostgreSQL configurations, primarily through password brute forcing.
- **Persistence:** Establishes long-term access by creating a new superuser role within the database.
- **Resource Hijacking:** Deploys cryptocurrency miners (leveraging the **XMRig** tool).
- **Competitive Elimination:** Includes steps to terminate competing cryptocurrency miners already present on the host, so that the compromised resources are used exclusively by PG_MEM.
### Advanced Features
- **Detection Evasion:** Implements techniques to hide its active operations within the database environment.
- **Dual Payload Delivery:** Involves the delivery of two distinct malware payloads post-compromise.
- **Command Execution Abuse:** Leverages PostgreSQL's native command execution capabilities for deployment and maintenance.
## Indicators of Compromise
- File Hashes: [Not specified in the provided text]
- File Names: [Not specified in the provided text; payloads are delivered post-access]
- Registry Keys: [Not applicable to PostgreSQL itself; the delivered payloads may leave files or directories on the host, but none are specified in the provided text]
- Network Indicators: [Not specified in the provided text, C2 generally implied for updates/configuration/exfiltration]
- Behavioral Indicators:
  - Successful PostgreSQL brute force attempts.
  - Creation of new database roles with superuser privileges.
  - Execution of system commands initiated via PostgreSQL functions.
  - Presence of XMRig processes consuming significant CPU resources originating from a database context.
## Associated Threat Actors
- JINX-0126
## Detection Methods
- **Signature-based detection:** Signatures for the delivered payloads or known XMRig configurations masquerading as PostgreSQL artifacts.
- **Behavioral detection:** Monitoring for anomalous database role creation (especially superusers) and outbound connections/high CPU usage inconsistent with standard database operations.
- **YARA rules:** Not specified.
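The behavioral indicators above (repeated authentication failures, superuser role creation, command execution through `COPY ... PROGRAM`) can all be surfaced from the PostgreSQL server log. The script below is an added example written for this page, not code from the original report or from any PG_MEM analysis; it assumes a `log_line_prefix` of `'%m [%p] %u@%d '` with `log_connections` and `log_statement` enabled, and the log lines and thresholds are constructed for illustration.

```python
"""Detection sketch for PG_MEM-style behaviour in PostgreSQL server logs.

Added example; not code from the original report. Assumes the server
writes a log_line_prefix of '%m [%p] %u@%d ' and that log_connections
and log_statement are enabled so that authentication results and DDL
statements appear in the log. Thresholds and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of failures against 'postgres', one stray
# failure for 'app', then a successful login followed by suspicious DDL.
SAMPLE_LOG = [
    '2024-08-19 10:00:01.000 UTC [4711] postgres@postgres FATAL:  password authentication failed for user "postgres"',
    '2024-08-19 10:00:02.000 UTC [4712] postgres@postgres FATAL:  password authentication failed for user "postgres"',
    '2024-08-19 10:00:03.000 UTC [4713] postgres@postgres FATAL:  password authentication failed for user "postgres"',
    '2024-08-19 10:00:04.000 UTC [4714] postgres@postgres FATAL:  password authentication failed for user "postgres"',
    '2024-08-19 10:00:05.000 UTC [4715] postgres@postgres FATAL:  password authentication failed for user "postgres"',
    '2024-08-19 10:00:06.000 UTC [4716] postgres@postgres FATAL:  password authentication failed for user "postgres"',
    '2024-08-19 10:00:07.000 UTC [4717] app@appdb FATAL:  password authentication failed for user "app"',
    '2024-08-19 10:00:09.000 UTC [4720] postgres@postgres LOG:  connection authorized: user=postgres database=postgres',
    "2024-08-19 10:00:10.000 UTC [4720] postgres@postgres LOG:  statement: CREATE ROLE \"svc_maint\" WITH LOGIN SUPERUSER PASSWORD '<redacted>'",
    "2024-08-19 10:00:11.000 UTC [4720] postgres@postgres LOG:  statement: COPY scratch FROM PROGRAM 'echo constructed-sample'",
    "2024-08-19 10:00:12.000 UTC [4720] postgres@postgres LOG:  statement: ALTER ROLE app NOSUPERUSER",
    "2024-08-19 10:00:13.000 UTC [4720] postgres@postgres LOG:  statement: SELECT 1",
    "this line does not follow the expected prefix and is skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# \bSUPERUSER\b deliberately does not match NOSUPERUSER, so revocations are not flagged.
SUPERUSER_RE = re.compile(r"^\s*(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.IGNORECASE)
COPY_PROGRAM_RE = re.compile(r"^\s*COPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its prefix fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "pid": m["pid"], "user": m["user"], "db": m["db"],
        "level": m["level"], "msg": m["msg"],
    }


def detect(lines, fail_threshold=5, window_seconds=60):
    """Return (kind, user, detail) alerts for brute force, superuser grants
    and COPY ... PROGRAM execution found in the given log lines."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failed logins
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        fail = AUTH_FAIL_RE.search(ev["msg"])
        if fail:
            failures[fail["user"]].append(ev["ts"])
            continue
        if ev["msg"].startswith("statement: "):
            stmt = ev["msg"][len("statement: "):]
            if SUPERUSER_RE.search(stmt):
                alerts.append(("superuser_role_change", ev["user"], stmt))
            if COPY_PROGRAM_RE.search(stmt):
                alerts.append(("copy_program", ev["user"], stmt))
    # Brute force: fail_threshold failures for one user inside window_seconds.
    window = timedelta(seconds=window_seconds)
    for user, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - fail_threshold + 1):
            if stamps[i + fail_threshold - 1] - stamps[i] <= window:
                alerts.append(("auth_bruteforce", user,
                               f"{fail_threshold}+ failures within {window_seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect(SAMPLE_LOG):
        print(f"{kind:22} {user:10} {detail}")
```

Run against a real log, the brute-force rule fires first (the successful login after a burst of failures is the interesting event), and the two statement rules fire only when `log_statement` captures DDL, which is why enabling it at least for `ddl` is part of the hardening below.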
## Mitigation Strategies
- **Prevention:** Enforce strong, unique passwords for all database accounts, especially superuser roles.
- **Hardening Recommendations:** Disable or strictly limit PostgreSQL command execution capabilities (e.g., `COPY TO/FROM PROGRAM`) unless absolutely required and properly secured. Restrict network access to PostgreSQL instances only to necessary hosts. Regularly audit database users and roles.
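The brute-force entry point PG_MEM relies on only works when the server accepts password logins from arbitrary addresses. The following added example (written for this page, not the report's code) audits a `pg_hba.conf` for the settings that create that exposure and shows a weak configuration next to a hardened one; both configurations are constructed samples.

```python
"""Audit a pg_hba.conf for the exposure PG_MEM-style brute forcing relies on.

Added example, not from the original report. It flags: 'trust' (no
password at all), 'password' (cleartext), 'md5' (superseded by
scram-sha-256), and rules that accept 'all' users from any address.
Both sample configurations below are constructed.
"""
import ipaddress

WEAK_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                 METHOD
local   all       all                               trust
host    all       all       0.0.0.0/0               md5
host    all       all       ::/0                    password
host    all       postgres  10.0.0.0   255.0.0.0    md5
"""

HARDENED_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                 METHOD
local   all       all                               peer
host    all       all       127.0.0.1/32            scram-sha-256
hostssl appdb     app       10.20.30.0/24           scram-sha-256
hostssl all       all       0.0.0.0/0               reject
"""


def _parse_rule(line):
    """Parse one pg_hba rule: TYPE DATABASE USER [ADDRESS [NETMASK]] METHOD."""
    tokens = line.split()
    if len(tokens) < 4:
        return None
    typ, db, user = tokens[:3]
    if typ == "local":
        return {"type": typ, "db": db, "user": user, "address": None, "method": tokens[3]}
    if len(tokens) < 5:
        return None
    address, rest = tokens[3], tokens[4:]
    # Legacy form with a separate netmask column: 10.0.0.0 255.0.0.0 md5
    if address not in ("all", "samehost", "samenet") and "/" not in address and len(rest) >= 2:
        try:
            ipaddress.ip_address(rest[0])
            address = f"{address}/{rest[0]}"
            rest = rest[1:]
        except ValueError:
            pass
    return {"type": typ, "db": db, "user": user, "address": address, "method": rest[0]}


def _is_any_address(address):
    """True for 'all', 0.0.0.0/0 or ::/0; hostnames are not judged here."""
    if address == "all":
        return True
    try:
        return ipaddress.ip_network(address, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_pg_hba(text):
    """Return (line_number, finding, explanation) tuples for weak rules."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        rule = _parse_rule(line)
        if rule is None:
            findings.append((n, "unparsed", line))
            continue
        method = rule["method"]
        if method == "trust":
            findings.append((n, "no_auth", "trust admits any matching client without a password"))
        elif method == "password":
            findings.append((n, "cleartext_auth", "password sends the secret in the clear; use scram-sha-256"))
        elif method == "md5":
            findings.append((n, "weak_hash", "md5 is superseded by scram-sha-256"))
        # A 'reject' catch-all is the recommended last line, so it is not flagged.
        if (method != "reject" and rule["user"] == "all"
                and rule["address"] is not None and _is_any_address(rule["address"])):
            findings.append((n, "any_source", "all users accepted from any address; restrict to known hosts"))
    return findings


if __name__ == "__main__":
    for n, kind, why in audit_pg_hba(WEAK_PG_HBA):
        print(f"line {n}: {kind}: {why}")
    print("hardened findings:", audit_pg_hba(HARDENED_PG_HBA))
```

The hardened file narrows each rule to a named database, role and network, requires `scram-sha-256` over TLS (`hostssl`), and ends with an explicit `reject` so that anything not listed is refused rather than falling through to a password prompt an attacker can brute force.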
## Related Tools/Techniques
- **XMRig**: Utilized by PG_MEM for the final cryptocurrency mining objective.
- General PostgreSQL Misconfiguration Exploitation.