Hackers are deploying the Gh0stCringe remote access trojan on vulnerable machines by targeting inadequately protected Microsoft SQL and MySQL database servers. Gh0stCringe, also known as CirenegRAT, is a variant of the Gh0st RAT malware that was most recently observed in Chinese cyber-espionage operations in 2020, although it has been in circulation since 2018.
In a report published recently, researchers at cybersecurity firm AhnLab describe how the threat actors behind Gh0stCringe are targeting poorly secured database servers that have weak account credentials and little monitoring. After breaking into a server, the attackers use the database service process itself (mysqld.exe, mysqld-nt.exe, or the SQL Server service process sqlservr.exe) to write the malicious ‘mcsql.exe’ executable to disk.
These attacks resemble the Microsoft SQL Server attacks we reported in February, in which the attackers used the xp_cmdshell extended stored procedure to drop Cobalt Strike beacons. Besides Gh0stCringe, AhnLab’s report notes numerous other malware samples on the investigated servers, which suggests that competing threat actors are compromising the same servers to deliver payloads for their own operations.
Gh0stCringe RAT is a capable piece of malware that connects to a command-and-control (C2) server to receive custom commands or to exfiltrate stolen data to the attackers. At deployment time the operators can configure it with the following settings:
- Self-Copy [On/Off]: When enabled, the malware copies itself to a particular path, which varies depending on the execution mode.
- Execution Mode [Mode]: Takes the value 0, 1, or 2.
- File Size Change [Size]: In mode 2, the malware copies itself to ‘%ProgramFiles%\Cccogae.exe’ and, if a size value is set, appends junk data of the specified size to the end of the file, which changes the copy’s size and file hash.
- Analysis Disruption Technique [On/Off]: When enabled, the malware looks up the PID of its parent process and of explorer.exe; if the lookup returns 0, it terminates itself.
- Keylogger [On/Off]: When enabled, the keylogging thread runs.
- Rundll32 Process Termination [On/Off]: When enabled, the malware runs ‘taskkill /f /im rundll32.exe’ to kill rundll32 processes.
- Self-Copy File Attributes [Attr]: Sets the copy’s attributes to read-only, hidden, and system (FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM).
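Several of the behaviours described above (the database service process writing ‘mcsql.exe’ to disk, the self-copy to ‘%ProgramFiles%\Cccogae.exe’, and the ‘taskkill /f /im rundll32.exe’ command) are visible in ordinary endpoint telemetry. The following Python sketch is an added example, not code from the AhnLab report or the original article: it runs hypothetical detection rules over constructed Sysmon-style events (event ID 1 = process creation, 11 = file creation). The event layout, the rule names and the sample events are assumptions made for illustration.

```python
# Added example (not from the AhnLab report or the original article): a minimal
# detection pass over constructed Sysmon-style telemetry for the behaviours
# described above. Event IDs follow Sysmon numbering (1 = ProcessCreate,
# 11 = FileCreate); the Event layout and the sample events are made up here.
from dataclasses import dataclass
from typing import Dict, List

# Database service binaries that should never spawn new processes or drop
# executables. sqlservr.exe is the Microsoft SQL Server service binary; the
# misspelled sqlserver.exe is kept too because reports sometimes use that form.
DB_SERVER_IMAGES = {"mysqld.exe", "mysqld-nt.exe", "sqlservr.exe", "sqlserver.exe"}

# File name Gh0stCringe uses for its self-copy in execution mode 2 (see above).
SELF_COPY_NAME = "cccogae.exe"


@dataclass
class Event:
    """One process-creation (1) or file-creation (11) event (assumed layout)."""
    event_id: int
    image: str                  # process that performed the action
    parent_image: str = ""      # ProcessCreate only
    command_line: str = ""      # ProcessCreate only
    target_filename: str = ""   # FileCreate only


def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious event, in input order."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        image = basename(ev.image)
        if ev.event_id == 1:
            # A database engine should not be the parent of arbitrary programs.
            if basename(ev.parent_image) in DB_SERVER_IMAGES:
                alerts.append({"rule": "db_server_spawned_process",
                               "detail": f"{ev.parent_image} -> {ev.image}"})
            # The RAT's optional 'taskkill /f /im rundll32.exe' behaviour.
            cmd = ev.command_line.lower()
            if image == "taskkill.exe" and "rundll32.exe" in cmd and "/im" in cmd:
                alerts.append({"rule": "rundll32_force_kill", "detail": ev.command_line})
        elif ev.event_id == 11:
            target = basename(ev.target_filename)
            # mcsql.exe is written to disk by the database process itself.
            if image in DB_SERVER_IMAGES and target.endswith(".exe"):
                alerts.append({"rule": "db_server_wrote_executable",
                               "detail": f"{ev.image} wrote {ev.target_filename}"})
            # Self-copy under %ProgramFiles% with the name given in the report.
            if target == SELF_COPY_NAME:
                alerts.append({"rule": "gh0stcringe_self_copy_path",
                               "detail": ev.target_filename})
    return alerts


# Constructed sample telemetry: four malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    Event(11, r"C:\Program Files\MySQL\bin\mysqld.exe",
          target_filename=r"C:\Windows\Temp\mcsql.exe"),
    Event(1, r"C:\Windows\Temp\mcsql.exe",
          parent_image=r"C:\Program Files\MySQL\bin\mysqld.exe",
          command_line=r"C:\Windows\Temp\mcsql.exe"),
    Event(1, r"C:\Windows\System32\taskkill.exe",
          parent_image=r"C:\Windows\Temp\mcsql.exe",
          command_line="taskkill /f /im rundll32.exe"),
    Event(11, r"C:\Windows\Temp\mcsql.exe",
          target_filename=r"C:\Program Files\Cccogae.exe"),
    Event(1, r"C:\Windows\System32\svchost.exe",
          parent_image=r"C:\Windows\System32\services.exe",
          command_line="svchost.exe -k netsvcs"),
    Event(11, r"C:\Program Files\MySQL\bin\mysqld.exe",
          target_filename=r"C:\ProgramData\MySQL\data\ibdata1"),
]


def triggered_rules(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Names of the rules that fired, in event order."""
    return [a["rule"] for a in detect(events)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['rule']:30s} {alert['detail']}")
```

On the sample input the four malicious events each fire exactly one rule and the two benign events (a normal svchost.exe launch and mysqld.exe writing its own data file) fire none. In production the first two rules would need an allowlist for legitimate helper processes and data files that a given database deployment spawns or writes, but a database engine writing an .exe, or appearing as the parent of one, is rare enough that it deserves investigation by default.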
The keylogger, which captures user input on the compromised machine, is arguably the most aggressive of the components listed above. In an endless loop, the keylogging component polls the state of every key through the Windows GetAsyncKeyState API. This polling approach records keystrokes reliably but can drive CPU usage very high; on the poorly maintained systems being targeted, that is unlikely to cause problems for the threat actors.
The malware also records the keystrokes logged over the last three minutes and sends them to the command-and-control server, along with basic system and network information. With these logged keystrokes, the threat actors can steal login credentials and other sensitive information that users type on the infected machine.