PGMiner Botnet Description
Crypto-jacking operations have become the hot new trend among cybercriminals. The end goal is almost always the same: deployment of a crypto-mining payload on the compromised machine. Where the most rapid innovation has been observed is in the initial compromise vector that each crypto-mining botnet employs. Now, infosec researchers believe they have discovered the first botnet of this type that uses a disputed PostgreSQL remote code execution (RCE) vulnerability to compromise database servers. The threat has been named PGMiner Botnet, and it uses the resources of infected victims to mine Monero coins.
In terms of potential targets, PostgreSQL ranks among the most widely used open-source relational database management systems (RDBMS) for production environments. More specifically, as of November 2020, PostgreSQL has been reported to be the 4th most used DBMS. It must be noted that the vulnerability exploited by the PGMiner botnet carries the tag 'disputed.' At its core, it is a feature that allows local or remote superusers to run arbitrary shell scripts directly on the server. Back in 2019, the feature was classified as a vulnerability and assigned the designation CVE-2019-9193. However, the PostgreSQL community argued that the feature by itself is perfectly safe as long as superuser status is granted only to trusted parties and access control and authentication are properly configured.
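Because the disputed feature is only reachable by superusers, the practical defense is to keep superuser grants minimal and to watch for the feature being invoked at all. CVE-2019-9193 concerns PostgreSQL's `COPY ... FROM PROGRAM` / `COPY ... TO PROGRAM` form, which hands the named command to the server's shell. The following detector is an added example written for this article, not code from the PGMiner research or from the PostgreSQL project. It assumes the server logs statements to stderr with `log_statement = 'all'` and `log_line_prefix = '%t [%p] %u@%d '`; the log lines below are constructed for the example, and the hypothetical role and database names in them are not taken from any real incident.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log, assumed to come from a PostgreSQL server configured with
# log_statement = 'all' and log_line_prefix = '%t [%p] %u@%d ' (both assumptions).
# Only the two COPY ... PROGRAM statements represent abuse of the superuser-only feature.
SAMPLE_LOG = """\
2020-12-01 10:15:02 UTC [4123] app@orders LOG:  statement: SELECT id, total FROM orders WHERE id = 42
2020-12-01 10:15:09 UTC [4125] postgres@postgres LOG:  statement: COPY scratch FROM PROGRAM 'uname -a'
2020-12-01 10:15:11 UTC [4125] postgres@postgres LOG:  statement: DROP TABLE IF EXISTS scratch
2020-12-01 10:16:40 UTC [4130] report@orders LOG:  statement: COPY orders TO '/tmp/orders.csv' CSV
2020-12-01 10:17:05 UTC [4133] dba@postgres LOG:  statement: copy t to program 'id'
"""

# One log line: timestamp (three tokens with %t), [pid], user@database, then the statement.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# COPY with FROM PROGRAM or TO PROGRAM, in any letter case, with flexible whitespace.
# A plain COPY to or from a file does not match, so normal bulk exports stay quiet.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.IGNORECASE | re.DOTALL
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one statement log line into its fields, or return None if it is not one."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def find_copy_program(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed records of every statement that invokes COPY ... PROGRAM."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and COPY_PROGRAM_RE.search(record["sql"]):
            hits.append(record)
    return hits


def summarize_by_user(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged statements per role, which is the list to compare against
    the roles that are actually supposed to hold superuser."""
    counts: Dict[str, int] = {}
    for record in hits:
        counts[record["user"]] = counts.get(record["user"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_copy_program(SAMPLE_LOG)
    for record in flagged:
        print(f'{record["ts"]} pid={record["pid"]} role={record["user"]} '
              f'db={record["db"]} :: {record["sql"]}')
    print("per-role counts:", summarize_by_user(flagged))
```

`log_statement = 'mod'` would record `COPY ... FROM` but not `COPY ... TO`, so `'all'` is the setting that makes both forms visible; on a busy server, route the statement log to a collector and run the matcher there rather than on the database host. Any role that appears in the per-role counts and is not on the short list of intended superusers is worth an immediate look.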
PGMiner's Attack Chain
The infection begins with exploitation of the disputed PostgreSQL vulnerability and continues with the deployment of a coin-mining payload. The criminals behind PGMiner have prepared several payloads; which one is used depends on the architecture of the compromised device.
The more interesting payload is the one PGMiner deploys against x86-64 architectures. It is an ELF executable that exhibits significant behavioral overlap with a previously detected SystemdMiner variant but also contains significant modifications. The coin miner is equipped with anti-VM functionality: it checks for VBoxGuestAdditions. It can also remove cloud security monitoring tools such as Aegis. To avoid competition for the limited resources of the compromised system, the threat removes rival miner scripts, processes, and crontab records, as well as CPU-intensive processes including ddg, system updates, etc.
Communication with the Command-and-Control (C2, C&C) servers is established through SOCKS5 proxies.