Chinese crime group targets database servers for mining cryptocurrency

Pierluigi Paganini December 21, 2017


Security researchers discovered multiple hacking campaigns conducted by a Chinese criminal gang targeting database servers.

The researchers from the security firm GuardiCore Labs Security have discovered multiple hacking campaigns conducted by a Chinese criminal gang targeting database servers. The attackers targeted systems worldwide for mining cryptocurrencies, exfiltrating sensitive data and building a DDoS botnet.

The experts observed thousands of cyber attacks in recent months and identified at least three attack scheme, Hex, Hanako, and Taylor, targeting MS SQL and MySQL servers running on both Windows and Linux machines.

“In the last few months GuardiCore Labs has been investigating multiple attack campaigns conducted by an established Chinese crime group that operates worldwide.” reads the analysis published by Guardicore.

“The campaigns are launched from a large coordinated infrastructure and are mostly targeting servers running database services. By now we were able to identify three attack variants – Hex, Hanako and Taylor – targeting different SQL Servers, each with its own goals, scale and target services.”

Chinese hackers database servers

The experts pointed out that the three malware are used for different purposes by the criminal group, below are described the attack scenarios:

  • Hex installs cryptocurrency miners and remote access trojans (RATs) on infected machines;
  • Taylor installs a keylogger and a backdoor;
  • Hanako is used to infect systems and recruit them in a DDoS botnet;

The experts observed threat actors mainly launching Taylor attacks, they recorded hundreds of Hex and Hanako attacks and tens of thousands of Taylor attacks each month.

The vast majority of compromised machines are mostly based in China, other infections were discovered in Thailand, the United States, Japan, and others.

Similarly to the Bondnet botnet, victims are re-purposed to help the attackers, making impossible analyzing the source of the attacks.

The researchers noticed that attackers used nearly all the machine for one month before rotate out of use, evidence they collected suggests that the attack group is based in China. The code includes comments in Chinese, the Trojan RAT disguises itself as a popular Chinese program and configuration files list email addresses from popular Chinese providers.

“Determining the scope of the campaign was quite a challenge. The group has shown an ability to generate over 300 unique binaries per each attack and to constantly rotate their attacking machines and domains, while manipulating thousands of victims as part of their attack infrastructure.” continues the analysis.

The hackers powered brute force attacks to gain unauthorized access to the targeted database servers, then run a series of predefined SQL commands to gain persistence and evade audit logs.

The hackers used a network of already compromised systems to power the brute force attacks against the database servers and deliver the malware, in this way they prevented takedown of their infrastructure.

All the malware variants create backdoor users in the database and open the Remote Desktop port, with this technique the attackers can remotely download and install their payloads (i.e. Cryptocurrency miner, Remote Access Trojan (RAT) or a DDoS malware).

“Later in the attack, the attacker stops or disables a variety of anti-virus and monitoring applications by running shell commands.” continues the post.

“The anti-virus targeted is a mixture of well known products such as Avira and Panda Security and niche software such as Quick Heal and BullGuard. As a final step, the attackers attempt to cover their tracks by deleting any unnecessary registry, file and folder entries using batch files and VB scripts.” the researchers wrote in their blog post published Tuesday.”

The attackers use to cover their tracks deleting any unnecessary Windows registry, file, and folder entry using pre-defined batch files and Visual Basic scripts.

Administrators should check for the existence of the following usernames in their database or systems in order to identify if they have been compromised by the Chinese criminal hackers.

Further info is available in the report, including Indicators of Compromise (IoCs).
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – database servers, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment