Monero Mining Botnet Targets PostgreSQL Database Servers
Researchers: 'PGMiner' Malware Uses Brute-Force Methods to Guess Passwords
Researchers with Palo Alto Networks' Unit 42 are tracking a relatively new cryptomining botnet called "PGMiner," which is targeting vulnerable PostgreSQL database servers to illegally mine for monero.
PostgreSQL is one of the most-used open-source relational database management systems for production environments. The Unit 42 report says this might be the first time a botnet has targeted this type of database to mine for cryptocurrency.
"We named the cryptocurrency mining botnet 'PGMiner' after its delivery channel and mining behavior," the Unit 42 researchers note in their report. "At its core, PGMiner attempts to connect to the mining pool for monero mining."
The botnet currently targets only vulnerable Linux-based servers that support PostgreSQL databases. But the researchers note that the operators behind PGMiner could eventually switch tactics to target Windows and even macOS-based systems as well, because the database works with various operating systems.
Other Linux Botnets
PGMiner is one of several botnets targeting Linux devices, usually to mine for cryptocurrency. Last month, researchers with Intezer Labs noted that the Linux version of the Stantinko botnet had recently been updated to better mine for cryptocurrency and deliver malware, such as adware, to potential victims (see: Linux Botnet Disguises Itself as Apache Server).
Another example is the "InterPlanetary Storm" botnet that infects Windows, Linux, Mac and Android devices, according to Barracuda Networks. It mines for cryptocurrency and can initiate distributed denial-of-service attacks (see: 'InterPlanetary Storm' Botnet Infecting Mac, Android Devices).
In the first stage of the attack, PGMiner attempts to use brute-force methods to guess passwords for the default PostgreSQL account. If the credentials are weak, the malware can gain an initial foothold.
Once the password is guessed correctly, the botnet attempts to exploit a remote code execution flaw within the database dubbed CVE-2019-9193, according to the report.
The Unit 42 researchers note that the PostgreSQL community has challenged this vulnerability assignment, and CVE-2019-9193 has since been labeled as "disputed." Nevertheless, the researchers note that the botnet operators are using it as a means to expand their infrastructure.
"It is notable that malware actors have started to weaponize not only confirmed CVEs but also disputed ones," the Unit 42 researchers note.
Once the malware is installed, it attempts to use the curl command-line tool to transfer data to or from the server. If curl is not available on the compromised server, the botnet attempts to download the binary and install it within the compromised system.
The next stage is to connect to a command-and-control server controlled by the botnet operators over the anonymous Tor network to receive instructions and eventually download the cryptocurrency miner. The botnet also attempts to disable certain cloud security tools, check for virtual machines within the compromised server and kill off all other CPU-intensive processes.
"During our analysis, we found that PGMiner constantly reproduces itself by recursively downloading certain modules," according to Unit 42 researchers. "The command-and-control server for this malware family is constantly updating. Different modules are distributed across different command-and-control servers."
The final stage is to deploy the cryptomining malware to mine for monero. The researchers have been unable to measure how successful the PGMiner botnet has been.
"At its core, PGMiner attempts to connect to the mining pool for monero mining," the researchers note. "Because the mining pool is not active anymore, we could not recover information about the actual profit of this malware family."
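A defender's view of the first two stages described above, as an added example that is not from the Unit 42 report or this article: a Python scan of PostgreSQL server logs for repeated failed logins to the postgres account, a successful login from the same host afterwards, and COPY ... PROGRAM statements, the feature that CVE-2019-9193 refers to. The log layout (log_line_prefix = '%m [%p] %h ', log_connections = on, log_statement = 'mod'), the threshold, the function name scan and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed server settings (not from the article): log_line_prefix = '%m [%p] %h ',
# log_connections = on, log_statement = 'mod' (which logs COPY FROM) or 'all'.
LINE = re.compile(r"^\S+ \S+ \S+ \[\d+\] (?P<host>\S+) [A-Z]+:\s+(?P<msg>.*)$")
FAILED = re.compile(r'password authentication failed for user "postgres"')
AUTHORIZED = re.compile(r"connection authorized: user=postgres\b")
COPY_PROGRAM = re.compile(r"statement:.*\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I)

def scan(lines, threshold=5):
    """Return (alert, remote_host) tuples in the order they occur in the log."""
    failures = Counter()   # failed postgres logins per remote host
    alerts = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue       # continuation lines or a different prefix
        host, msg = m["host"], m["msg"]
        if FAILED.search(msg):
            failures[host] += 1
            if failures[host] == threshold:   # alert once per host
                alerts.append(("bruteforce", host))
        elif AUTHORIZED.search(msg) and failures[host] >= threshold:
            alerts.append(("login_after_bruteforce", host))
        elif COPY_PROGRAM.search(msg):
            alerts.append(("copy_program", host))
    return alerts

# Constructed sample log (documentation IP ranges, placeholder command).
FAIL = ('2020-12-10 08:00:0{n}.000 UTC [410{n}] 203.0.113.7 FATAL:  '
        'password authentication failed for user "postgres"')
SAMPLE_LOG = [FAIL.format(n=n) for n in range(6)] + [
    '2020-12-10 08:00:07.000 UTC [4107] 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres',
    "2020-12-10 08:00:08.000 UTC [4107] 203.0.113.7 LOG:  statement: COPY t FROM PROGRAM '<command>';",
    '2020-12-10 08:01:00.000 UTC [4200] 198.51.100.4 FATAL:  password authentication failed for user "postgres"',
    '2020-12-10 08:01:05.000 UTC [4201] 198.51.100.4 LOG:  connection authorized: user=postgres database=app',
    "2020-12-10 08:01:06.000 UTC [4201] 198.51.100.4 LOG:  statement: COPY report FROM '/srv/import/report.csv';",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The second host in the sample mistypes a password once and runs an ordinary file-based COPY, so it raises no alert.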