FlagThis - #cryptomining

An ongoing cryptomining campaign, attributed to the threat actor JINX-0126, has successfully compromised over 1,500 internet-exposed PostgreSQL servers. Attackers are exploiting instances with weak credentials, allowing them to deploy XMRig-C3 cryptocurrency miners using fileless techniques. This campaign is an evolution of the PG_MEM malware activity, initially detected in August, and demonstrates sophisticated evasion tactics. These include deploying binaries with unique hashes per target and executing the miner payload filelessly.

Cloud security firm Wiz, has identified that attackers are abusing the "COPY ... FROM PROGRAM SQL" command to execute arbitrary shell commands. Once authenticated, attackers conduct reconnaissance, deploy a shell script to eliminate competing cryptominers, and deliver the pg_core binary. A Golang binary called "postmaster" is also downloaded, enabling persistence, privilege escalation, and the execution of a new XMRig cryptominer variant, highlighting the risks of weak PostgreSQL configurations in cloud environments. This campaign could have leveraged over 1,500 compromised machines.


References :

• gbhackers.com: A sophisticated malware campaign has compromised over 1,500 PostgreSQL servers, leveraging fileless techniques to deploy cryptomining payloads.
• The Hacker News: Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign
• www.scworld.com: More than 1,500 internet-exposed PostgreSQL instances have been compromised with cryptocurrency mining malware as part of an ongoing JINX-0126 attack campaign, which is an evolution of PG_MEM malware activity initially detected by Aqua Security in August, The Hacker News reports.
• Wiz Blog | RSS feed: Cloud environments at risk: Attackers target weak PostgreSQL instances with fileless cryptominer payloads.
• securityonline.info: PostgreSQL Servers Hacked: 1,500+ Cloud Systems Mining Crypto via CPU_HU
• Security Risk Advisors: CPU_HU Fileless Cryptominer Targets PostgreSQL Servers, Affects Over 1,500 Victims
• Cyber Security News: Fileless Malware Infects 1,500+ PostgreSQL Servers
• Cyber Security News: 1,500+ PostgreSQL Servers Compromised With Fileless Malware Attack
• The Hacker News: Report attributes the campaign to JINX-0126 and involves the use of XMRig-C3 cryptominers.

Classification:

• HashTags: #cryptomining #PostgreSQL #filelessmalware
• Company: Wiz
• Target: PostgreSQL servers
• Attacker: JINX-0126
• Product: PostgreSQL
• Feature: Fileless Cryptomining
• Malware: XMRig-C3
• Type: Malware
• Severity: Major

A global attack campaign named StaryDobry has been discovered, utilizing trojanized game installers to deploy the XMRig cryptocurrency miner on compromised Windows systems. Attackers uploaded poisoned installers for popular games such as BeamNG.drive, Garry's Mod, and Dyson Sphere Program to torrent sites, luring users into downloading them. Once executed, these installers initiate a complex infection chain, ultimately leading to the installation of the XMRig miner. The campaign, detected by Kaspersky on December 31, 2024, lasted for a month and has primarily targeted individual users and businesses.

Researchers have identified that the attack chain employs several evasion techniques, including anti-debugging checks and geolocation verification. The malware gathers a fingerprint of the machine, decrypts an executable, and modifies Windows Shell Extension Thumbnail Handler functionality. The campaign focused on gaming PCs with 8+ core CPUs to maximize mining efficiency. While the perpetrators remain unknown, the presence of Russian language strings suggests the involvement of Russian-speaking actors. The most affected countries included Russia, Brazil, Germany, Belarus, and Kazakhstan.


References :

• securityonline.info: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign
• The Hacker News: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack
• www.scworld.com: Global XMRig attack campaign involves trojanized game installers
• Talkback Resources: Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack [net] [sys] [mal]
• Talkback Resources: Cracked Games, Cryptojacked PCs: The StaryDobry Campaign [net] [mal]
• Talkback Resources: StaryDobry campaign targets gamers with XMRig miner [mal]
• gbhackers.com: A sophisticated malware campaign was launched by cybercriminals, targeting users through trojanized versions of popular games.
• BleepingComputer: A large-scale malware campaign dubbed StaryDobry has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
• securityonline.info: Cybercriminals launched a mass infection campaign, dubbed StaryDobry, leveraging the holiday season’s increased torrent traffic The
• www.bleepingcomputer.com: A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.
• Anonymous ???????? :af:: A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program.

Classification:

• HashTags: #Malware #Cryptomining #Trojan
• Company: Cracked game users
• Target: Gamers
• Attacker: Kaspersky
• Product: Games
• Feature: cryptocurrency mining
• Malware: XMRig
• Type: Malware
• Severity: Medium

The OUTLAW Linux botnet is rapidly expanding by targeting vulnerable SSH servers through brute-force attacks. Cybersecurity researchers have identified the botnet, also known as Dota, as an "auto-propagating" cryptocurrency mining operation that uses simple yet effective techniques to maintain persistence on compromised systems. This includes exploiting weak credentials, manipulating SSH keys, and leveraging cron jobs to ensure the malware restarts after reboots or termination attempts.

The botnet uses a multi-stage infection process, beginning with a dropper shell script that downloads and unpacks a malicious archive file. This file launches a modified XMRig miner for cryptojacking and installs components in hidden directories to avoid detection. The botnet also uses a custom SSH brute-forcer called BLITZ to scan for and infect other vulnerable systems on the network, perpetuating its spread in a worm-like fashion. Despite its basic techniques, OUTLAW has proven to be a persistent and effective threat.


References :

• securityonline.info: Outlaw Linux Malware: Persistent Threat Leveraging Simplicity
• www.scworld.com: Additional details on Outlaw Linux cryptomining botnet emerge
• Cyber Security News: Attackers aim to find zero-days in the PAN-OS gateways they can exploit.
• The Hacker News: Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials.

Classification:

• HashTags: #Linux #Botnet #Cryptomining
• Company: Elastic
• Target: Vulnerable SSH Servers
• Attacker: Outlaw
• Product: SSH
• Feature: SSH Brute Force
• Malware: Dota
• Type: Malware
• Severity: Medium