Security researchers have identified a new but unusually distributed Monero cryptominer scam campaign involving the face of a popular celebrity.
The IT security researchers at Imperva have discovered a campaign in which hackers have compromised PostgreSQL servers to install cryptocurrency mining malware.
The malware is hidden in a picture of well-known Hollywood starlet Scarlett Johansson. The crypto-miner aims to mine Monero cryptocoins.
PostgreSQL is a commonly used open source database, which researchers deem more sophisticated than MySQL. The malware was discovered in a honeypot, which was part of the StickyDB honeypot project from Imperva.
It is worth noting that a honeypot is basically a computer but in this case, it was a database server that is configured deliberately to lure hackers. It is just like bait for hackers as they regard it as an easily exploitable database but it is actually a hatch.
Imperva researchers used the database to understand common database attacks, and tools and methods used by hackers as well as to learn how they obtain access and what they do after compromising a database. They were following standard information gathering steps when they identified an unusual incident.
Attackers had downloaded an image from a legit file hosting website. The file was a picture of Scarlett Johansson. When probed further, they learned that the file contained a hidden binary payload.
Researcher left the database intentionally exposed. Considering that there are nearly 710,000 PostgreSQL servers that can be accessed easily from the internet, this is not a very reliable practice though and can allow attacks to launch brute-force attacks
- BLOCKS VIRUSES & MALWARE: Cloud-based antivirus software from Webroot provides comprehensive internet security protection for your PC or Mac without slowing you down.
- IDENTITY THEFT PREVENTION: Defends you against identity theft by protecting private information like usernames, passwords, account numbers, and eliminates all traces of online activity.
- SAFER WEB BROWSING: Total security software proactively scans the internet to block phishing, ransomware, and other malicious attempts to steal your money and personal information.
- NEVER SLOWS YOU DOWN: Scans your computer for viruses and malware in seconds, and uses almost no storage space thanks to cloud-based architecture.
- ADVANCED FEATURES: Premium internet security software includes all the features of Webroot Internet Security Plus, with extras like 25GB of online storage and a System Optimizer to keep devices running smoothly.
Furthermore, Imperva researchers observed that the attackers have used an advanced or modified Metasploit module to initiate interaction with PostgreSQL so as to execute shell commands on the server.
The modifications in the module were made to evade detection by the database audit monitoring/DAM solutions. DAM solutions are responsible for monitoring privileged operations attempts such as Io_export function calls.
Researchers noted that once the attacker gains the ability to execute system commands, a certain type of reconnaissance is performed to determine the CPU and GPU of the server for devising the perfect plan to mine cryptocurrency on a particular device. Linux dd command is used to extract, set-up and execute the binary code and all is done via SQL operations.
Lastly, a Monero mining program is installed on the device. The hackers’ wallet address shows that 312 Monero coins have been collected so far with an approximate value of $90,000. This means attackers have compromised multiple servers.
But why attackers used a celebrity’s picture to embed the malware? Researchers believe that this was done to deceive security products since the technique of appending binary code to authentic image files or documents can mutate the file and it can bypass a majority of anti-virus software.
When the picture was scanned at the VirusTotal service, just three anti-virus programs detected the file as malicious. When the embedded crypto-mining program was individually scanned, then 18 anti-virus programs detected it.