Case of Attacks Targeting MySQL Servers to Install RAT Malware

AhnLab SEcurity intelligence Center (ASEC) is monitoring attacks targeting poorly managed services, and has confirmed that MySQL servers have remained a continuous target of attacks. Threat actors are believed to be targeting various externally accessible systems, leading to the infection of multiple systems in Korea with malware.

The majority of malware strains used in these attacks are Gh0stRAT variants. However, as previously covered on the AhnLab SEcurity intelligence Center (ASEC) blog, there have been cases where AsyncRAT [1] or Ddostf DDoS Bot [2] were installed. Recently, XWorm, HpLoader, and the legitimate remote control tool Zoho ManageEngine have been abused. While there are several cases where ransomware threat actors have abused Zoho Assist, it is notable that Zoho ManageEngine is being abused recently.


1. Attacks Targeting MySQL Server

As a major database server, MySQL provides the ability to manage large amounts of data in corporate and user environments. In general, MS-SQL is mainly installed for database services in Windows environments, while database services such as MySQL and PostgreSQL are used in Linux environments. However, DBMS solutions like MySQL also support Windows environments, so there are cases where it is installed in a Windows environment, although it is not as common as MS-SQL. As a result, attacks targeting MySQL servers running in Windows environments are continuously being observed.

Much like in attacks against MS-SQL servers, threat actors scan for systems that expose 3306/TCP, the port used by MySQL servers, and then run brute-force or dictionary attacks against them. If a system's account credentials are poorly managed, they can obtain administrator account credentials, take control of the system, and install additional payloads.

Figure 1. Logs showing malware being installed by the MySQL server process


2. UDF Malware

A User Defined Function (UDF) is a function implemented in a DLL that adds functionality the user wants to the MySQL server. Threat actors upload DLLs containing malicious functions to the infected system and load them into the MySQL server, after which calling the defined functions lets them execute malicious commands on the infected system. This is similar to the CLR SqlShell technique used against MS-SQL servers.

Upon checking the infection logs of the actual attack target system, it was confirmed that a malicious UDF DLL was installed along with other malware in the infected system. This means that the threat actor used the UDF malware as a tool while attacking poorly managed MySQL servers.

In the simplest form, UDF malware only has the feature of executing commands received as arguments. However, there are also versions that support additional features, such as downloading files from URLs received as arguments and executing them. Furthermore, there are types of UDF DLLs that execute payloads received from the C&C server in memory like a stager. In this particular type, after connecting to the C&C server, it sends “mylogin.” However, as of now, it is not possible to establish a connection with the C&C server, so it is unknown what type of malware is being executed.

Figure 2. UDF malware strains with various functions
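As an added example that is not part of the ASEC analysis, the two behaviours described above, bursts of failed logins against the MySQL port and a DLL being loaded as a UDF, can be surfaced from MySQL's own logs. The log lines below are constructed, and the UDF function name and library name are placeholders:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the article) approximating the MySQL 8
# error log (Access denied events) and general query log (statements).
SAMPLE_LOG = """\
2024-05-01T09:00:01.000000Z 21 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2024-05-01T09:00:02.000000Z 22 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2024-05-01T09:00:03.000000Z 23 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.9' (using password: YES)
2024-05-01T09:00:04.000000Z 24 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2024-05-01T09:00:05.000000Z 25 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2024-05-01T09:00:30.000000Z\t   27 Query\tCREATE FUNCTION udf_helper RETURNS STRING SONAME 'udf_helper.dll'
2024-05-01T09:05:00.000000Z 31 [Note] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.4' (using password: YES)
"""
DENIED_RE = re.compile(r"^(\S+) .*Access denied for user '([^']*)'@'([^']*)'")
# CREATE [AGGREGATE] FUNCTION [IF NOT EXISTS] name RETURNS type SONAME 'lib'
SONAME_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)"
    r"\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'", re.IGNORECASE)

def parse_ts(stamp):
    """Parse the leading ISO timestamp MySQL writes (UTC, trailing Z dropped)."""
    return datetime.strptime(stamp[:26], "%Y-%m-%dT%H:%M:%S.%f")

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map source host -> total failures for hosts that produced at least
    `threshold` Access denied events inside any `window`-long interval."""
    per_host = defaultdict(list)
    for line in lines:
        m = DENIED_RE.match(line)
        if m:
            per_host[m.group(3)].append(parse_ts(m.group(1)))
    hits = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = len(times)
                break
    return hits

def find_udf_registrations(lines):
    """Return (function_name, library) for every UDF loaded from a DLL/.so."""
    return [(m.group(1), m.group(2))
            for m in map(SONAME_RE.search, lines) if m]
```

On a live server the same UDF check can be made against the table of registered functions with SELECT name, dl FROM mysql.func, which should contain only libraries the administrator deliberately installed.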


3. Gh0stRAT

The majority of malware found in the attack cases against MySQL servers are UDF and Gh0stRAT variants. A notable point is that the same type of malware used in attacks against MS-SQL servers, such as Gh0stCringe [3] and HiddenGh0st [4], are also found in the attack cases against MySQL servers.

The Gh0stRAT variant used in recent attack cases is characterized by including a privilege escalation tool created by internally extracting certain commands from UACMe. It also captures screens and saves them in the following path:

– Screenshot save path: %ALLUSERSPROFILE%\quickScreenShot\[Date]\[Date+Time].jpg

Figure 3. Gh0st RAT class name


4. XWorm

XWorm is a Remote Access Tool (RAT) that was first identified in 2022 and was initially sold as Malware as a Service (MaaS). However, since a cracked version was made public, it has been used by various threat actors. The AhnLab SEcurity intelligence Center (ASEC) blog has also covered cases of the malware being distributed disguised as an adult game [5], and other cases distributed via spam emails disguised as the National Tax Service (NTS) of Korea and a well-known overseas delivery service provider [6][7][8].

As XWorm is a RAT malware, it supports remote control features such as file and process management, and executing commands. It also provides a variety of other features, including credential harvesting, DDoS attacks, propagation via USB, and clipboard hijacking for cryptocurrency wallet addresses.

Figure 4. Configuration data of XWorm used in the attack


5. HpLoader

In another attack, a downloader was installed after the UDF library. It is not possible to determine what payload was downloaded because the domain was inaccessible at the time of analysis, but in a past incident the same type of malware downloaded Gh0stRAT. This type was first identified in May 2023 and has been used continuously since. It is characterized by sending the “hp_socket” string to the C&C server during the initial communication.

Figure 5. HpLoader used in the attack


6. Zoho ManageEngine

Recently, threat actors have been abusing commercial remote control tools to evade detection by security products. This lets them control infected systems through remote control software without installing a backdoor. For example, Zoho Assist by Zoho has been abused by ransomware and APT threat actors to control infected systems. The attack case identified this time involves the abuse of Zoho ManageEngine instead of Zoho Assist. The dropper installed through the MySQL server contains the Unified Endpoint Management System (UEMS) agent installer and an installation script, which are dropped as “C:\PerfLogs\Server_Agent.exe” and “C:\PerfLogs\Install.bat,” respectively. The installation script is then used to install the agent on the infected system in silent mode.

Unlike Zoho Assist, which utilizes the Zoho cloud, the threat actor in this case appears to install UEMS products on-premises. The address of the remote control server that is checked during the UEMS agent installation process is the same domain as the address where the MySQL server downloads the dropper (“hxxp://star.zcnet[.]net:7766/Server.exe”).

Figure 6. Server address of Zoho ManageEngine UEMS Agent

In other words, the threat actor installed the agent in the infected system after building the management server. The installed agent can be controlled by the threat actor by connecting to the server.


7. Conclusion

There have been continuous cases of attacks targeting MySQL servers installed in the Windows environment. Threat actors are installing various types of malware such as UDF, Gh0stRAT, XWorm, HpLoader, and Zoho ManageEngine to take control of the infected systems.

Unless it is absolutely necessary, administrators must not expose the MySQL port to the outside, and should limit the IP addresses allowed to access it using security devices. They should also strengthen account and password policies and minimize the permissions of the MySQL server. Finally, MySQL and the OS must be patched to the latest version to protect against attacks using known vulnerabilities.

