Key facts:
The attack targets PostgreSQL database servers, which run on Linux, macOS and Windows.
The malware goes undetected by some antivirus products.
A new form of cryptojacking, a practice also known as covert or hidden mining, is scouring the web to enrich its operators with Monero. The cryptocurrency-mining bot was detected by Unit 42, the threat intelligence unit of Palo Alto Networks, which reports that it targets PostgreSQL database servers and goes unnoticed by some antivirus products.
The malware is injected remotely: the attackers abuse a PostgreSQL feature that lets a database user have the server itself download and run files, and use it to install the Monero miner without being detected.
PostgreSQL is an object-relational database management system (ORDBMS), commonly used as the backend for data-intensive applications, file and document storage, web sites, and even geolocation and mapping services.
Because it is free and open source, PostgreSQL has become the fourth most popular database management system on the market. It also runs on several operating systems, including Linux, macOS and Windows. This gives the attackers a wide field of operation, and the campaign could spread quickly if security measures are not taken.
The researchers named the malware "PGMiner". According to their description, the attackers exploit what had been reported as a remote code execution (RCE) issue in PostgreSQL (tracked as CVE-2019-9193, a CVE that the PostgreSQL project disputes). They first connect to exposed servers, always through the Tor network to hinder tracking. Once they reach a server, they brute-force the password of the PostgreSQL superuser account (by default `postgres`); a successful guess gives them that account's full privileges on the database server.
The attack is launched from a remote, hard-to-trace location through the Tor network and can compromise a whole set of PostgreSQL servers. Source: Palo Alto Networks.
Once inside, the attackers use the `COPY ... FROM PROGRAM` feature, which makes the database server run a shell command and load its output; they use it to download and execute the mining files while leaving little trace on the host. The feature has been controversial in the past, because it lets a database user, local or remote, run arbitrary shell commands on the server's operating system, with the privileges of the OS account under which PostgreSQL runs.
A known bug, now used to mine Monero
The issue was debated last year, when it was reported as a risk to users' security, but it was soon downgraded: the feature is only available to superusers and to roles explicitly granted that capability, so it does not by itself endanger a correctly configured system. In light of this new wave of cryptojacking attacks, Palo Alto Networks recommends that PostgreSQL developers act on the matter and revisit this option.
The researchers state that this mining bot is the first of its kind to be delivered via PostgreSQL. They also noted that few security products detect it; those that do include Palo Alto Networks' own WildFire, Next-Generation Firewall and Threat Prevention.
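To make the abused feature and the defensive checks concrete, here is an added SQL example (it is not from the article, nor Unit 42's code, nor PGMiner itself). It first shows what `COPY ... FROM PROGRAM` does with a harmless command in place of the attacker's download-and-run script, then the audit queries and hardening statements a database administrator would run after reading the report. The role name `app_user` is a placeholder; run it on a throwaway PostgreSQL 9.3 or newer instance as a superuser.

```sql
-- Added example (not from the article or from Unit 42): how COPY ... FROM PROGRAM
-- hands a shell command to the database server, and the audit/hardening queries
-- a DBA would run in response. Everything here is benign: the command is `id`,
-- not a miner download.

-- 1. What the attacker does once a superuser password has been brute-forced.
--    The server's shell, running as the OS account that owns the postgres
--    process, executes the string; the command's stdout is loaded into the table.
CREATE TEMP TABLE cmd_output (line text);
COPY cmd_output FROM PROGRAM 'id';      -- an attacker would put "curl ... | bash" here
SELECT * FROM cmd_output;               -- e.g. uid=999(postgres) gid=999(postgres) ...

-- 2. Who is able to do this? Superusers always are; since PostgreSQL 11 so is
--    any member of the built-in role pg_execute_server_program.
SELECT rolname FROM pg_roles WHERE rolsuper;

SELECT r.rolname AS member_role
FROM pg_auth_members m
JOIN pg_roles r ON r.oid = m.member
JOIN pg_roles g ON g.oid = m.roleid
WHERE g.rolname = 'pg_execute_server_program';

-- 3. Hardening: take the capability away from any application role that has it
--    (app_user is a hypothetical role name) and make sure application roles are
--    not superusers. Authentication alone is not the boundary; this privilege is.
REVOKE pg_execute_server_program FROM app_user;
ALTER ROLE app_user NOSUPERUSER;

-- 4. Detection: a COPY ... FROM PROGRAM currently running (or the last statement
--    of an idle backend) shows up in pg_stat_activity. Note this query matches
--    itself as well; in a real check filter out your own pid with pg_backend_pid().
SELECT pid, usename, client_addr, query
FROM pg_stat_activity
WHERE query ~* 'COPY\s.*\sFROM\s+PROGRAM'
  AND pid <> pg_backend_pid();
```

For the password-guessing stage that precedes the `COPY`, the server log is the place to look: each failed attempt is logged as `FATAL: password authentication failed for user "postgres"`, so a burst of those lines from one client address is the brute force in progress. The statement log only records the `COPY` itself when `log_statement` is set to `'all'` (the `'ddl'` and `'mod'` levels do not cover `COPY`). Not exposing port 5432 to the internet and restricting the `postgres` account in `pg_hba.conf` to local or known addresses removes the precondition of the whole attack.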
Although the researchers identified the mining pool the malware reports to, they could not obtain information on how much profit its operators have made with this new covert mining method.
What is known is that cryptojacking techniques are becoming increasingly sophisticated and difficult to detect; there are many cases of malware that hijacks transactions while mining Monero, and cases of extortion of its victims, as CriptoNoticias has reported in the past.