Full Report
Cloud environments at risk: Attackers target weak PostgreSQL instances with fileless cryptominer payloads.
Analysis Summary
# Tool/Technique: XMRig-C3 (Associated Campaign)
## Overview
This campaign targets misconfigured, publicly exposed PostgreSQL servers, using weak credentials for initial access and deploying XMRig-C3 cryptominers to hijack compute resources (cryptojacking). The threat actor executes the miner filelessly and builds a binary with a unique hash for each victim so that hash-based security controls do not recognise it.
## Technical Details
- Type: Malware Deployment (Cryptominer variant built on XMRig-C3) / Campaign
- Platform: Linux (Targeting PostgreSQL servers)
- Capabilities: Initial access via exploitation, credential harvesting (implied via weak login abuse), cryptomining, defense evasion (fileless execution, unique binaries), persistence via cron jobs and user creation.
- First Seen: Campaign continues an ongoing trend documented previously, but this variant shows evolution.
## MITRE ATT&CK Mapping
- Initial Access
  - T1190 - Exploit Public-Facing Application
- Execution
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
- Defense Evasion
  - T1070.004 - Indicator Removal: File Deletion
  - T1036.005 - Masquerading: Match Legitimate Name or Location (using the `postmaster` binary name)
  - T1027.002 - Obfuscated Files or Information: Software Packing (UPX)
  - T1027.001 - Obfuscated Files or Information: Binary Padding (configuration appended to the binary)
  - T1620 - Reflective Code Loading
- Discovery
  - T1082 - System Information Discovery
- Command and Control
  - T1071.001 - Application Layer Protocol: Web Protocols (C2 and mining-pool communication)
  - T1105 - Ingress Tool Transfer
- Persistence
  - T1053.003 - Scheduled Task/Job: Cron
  - T1098 - Account Manipulation
  - T1136 - Create Account
- Impact
  - T1496 - Resource Hijacking (cryptomining)
- Credential Access
  - T1110.003 - Brute Force: Password Spraying (implied by the abuse of weak credentials)
## Functionality
### Core Capabilities
- **Initial Access:** Exploits poorly configured PostgreSQL servers using weak or guessable credentials.
- **Payload Delivery:** Uses the PostgreSQL `COPY ... FROM PROGRAM` function to execute initial dropper scripts.
- **Discovery:** Executes basic system checks (`whoami`, `uname`).
- **Cryptomining:** Deploys the XMRig-C3 miner targeting specific wallets/workers.
### Advanced Features
- **Defense Evasion:** Executes the miner payload filelessly and deploys binaries with a unique hash per target.
- **Obfuscation/Masquerading:** The main component, named `postmaster`, is a packed Go binary (using modified UPX) designed to mimic the legitimate PostgreSQL server process.
- **Configuration Storage:** Stores configuration (including C2 details and wallet address) encrypted with AES, appended to the end of the `postmaster` binary.
- **Persistence Mechanism:** Creates a cron job to run every minute and adds a new, privileged superuser role (`psql_sys`) to ensure continued access even if original credentials change.
- **System Hardening Countermeasures:** Attempts to weaken the default 'admin' user privileges.
## Indicators of Compromise
- File Hashes:
  - **XMRig-C3 miner:** `0b907eee9a85d39f8f0d7c503cc1f84a71c4de10`
  - **pg_core:** `85198288e2ff1dad718cd84876a0b0d3173a641e`
  - **postmaster (before the configuration trailer is appended):** `e6578bb7b88bf08a35ba4b0f2dd75af32e8fe65d33d329ca5beaf8a8ce29d7e1`
- File Names: `pg_core`, `postmaster`
- Registry Keys: N/A (Linux focus)
- Network Indicators:
  - **File hosting service:** `159.223.123.175` (port `36287`)
  - **Mining pool:** `mine[dot]c3pool[dot]com:13333` (defanged)
- Behavioral Indicators:
  - Binaries containing the AES key `7C6643CC24859542CE37615341E7712E82B4167528688877FE7C14648909DCD5`, used to decrypt the configuration appended to `postmaster`.
  - The PostgreSQL service spawning processes that mimic `postgres: logical replication launcher`.
  - Creation of cron jobs that re-launch the payload.
  - Modification of PostgreSQL configuration (`pg_hba.conf`) and database roles.
## Associated Threat Actors
Opportunistic threat actors exploiting common cloud misconfigurations. (No specific named APT group mentioned, but the activity leverages known cryptomining infrastructure).
## Detection Methods
- Signature-based detection: Match the file hashes listed above in endpoint security tools. Because the `postmaster` component is rebuilt with a unique hash per victim, hash matching alone will miss it; the listed hash covers the binary before its configuration trailer is appended.
- Behavioral detection: Monitor for process execution from unusual locations, especially processes masquerading as PostgreSQL components, and for newly added cron jobs. In the database logs, look for use of the `COPY ... FROM PROGRAM` SQL command and for the creation of new superuser roles.
- YARA rules: Rules keyed on the distinct AES key or on the modified-UPX packing artefacts can catch the per-victim binaries that hash matching misses.
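As an added example (not from the original report), a Python scanner that applies the behavioural checks above to constructed PostgreSQL statement-log lines: it flags `COPY ... FROM PROGRAM` (and `TO PROGRAM`, which also runs a server-side shell command), superuser grants such as a new `psql_sys` role, and removal of superuser rights from an existing account. It assumes `log_statement = 'mod'` or `'all'` and the `%m [%p] %u@%d ` log line prefix; the log lines, role names and user names are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not real captures) in the common log_line_prefix
# form '%m [%p] %u@%d ', as PostgreSQL emits with log_statement = 'mod'.
SAMPLE_LOG = """\
2024-01-01 10:00:01.000 UTC [2231] app@appdb LOG:  statement: SELECT id, name FROM customers WHERE id = 42
2024-01-01 10:00:02.000 UTC [2232] postgres@postgres LOG:  statement: COPY t FROM PROGRAM 'whoami; uname -a'
2024-01-01 10:00:03.000 UTC [2232] postgres@postgres LOG:  statement: CREATE ROLE psql_sys WITH LOGIN SUPERUSER PASSWORD 'REDACTED'
2024-01-01 10:00:04.000 UTC [2232] postgres@postgres LOG:  statement: ALTER ROLE admin NOSUPERUSER
2024-01-01 10:00:05.000 UTC [2233] app@appdb LOG:  statement: COPY customers FROM '/var/lib/postgresql/import.csv' CSV
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)

# Rule name -> pattern over the SQL text. COPY ... TO PROGRAM also runs a shell
# command on the server, so it is covered together with FROM PROGRAM.
RULES = [
    ("copy_from_program", re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I)),
    ("superuser_grant", re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I)),
    ("superuser_revoke", re.compile(r"\bALTER\s+(ROLE|USER)\b.*\bNOSUPERUSER\b", re.I)),
]

@dataclass
class Finding:
    rule: str
    ts: str
    pid: str
    user: str
    db: str
    sql: str

def scan_log(text: str) -> list:
    """One Finding per logged statement matching a rule. A statement logged over
    several lines is matched on its first line only, where the keyword sits."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation line or a non-statement message
        for rule, pattern in RULES:
            if pattern.search(m["sql"]):
                findings.append(Finding(rule, m["ts"], m["pid"], m["user"], m["db"], m["sql"]))
                break  # one finding per statement
    return findings
```

The benign file-based `COPY ... FROM '/path'` on the last sample line is deliberately not flagged, so the rule distinguishes ordinary bulk loads from server-side command execution.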
## Mitigation Strategies
- Prevention: Immediately address misconfigurations by disabling public exposure of PostgreSQL instances unless strictly necessary. Employ strong, unique credentials for all database services.
- Hardening recommendations: Disable or severely restrict the PostgreSQL `COPY ... FROM PROGRAM` functionality if not required. Implement strong network segmentation to prevent external scanning and exploitation. Regularly audit system cron jobs and created database roles.
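As an added example (not the report's own tooling) for the cron audit recommended above, a Python routine that reads a crontab and flags every-minute or at-boot entries, commands named like PostgreSQL components (`postmaster`, `pg_core`) that run from outside the server's bin directory, and commands launched from world-writable directories. The sample crontab, the Debian-style bin path and the drop-directory list are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in user-crontab layout (no user column); not a real capture.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 2 * * * /usr/bin/pg_dumpall -f /var/backups/pg.sql
*/5 * * * * /usr/local/bin/check_replication.sh
* * * * * /var/lib/postgresql/.local/postmaster >/dev/null 2>&1
@reboot /dev/shm/pg_core
"""

SUSPECT_NAMES = {"postmaster", "pg_core"}            # component names used by this campaign
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumption: world-writable drop directories
PG_BIN_RE = re.compile(r"^/usr/lib/postgresql/\d+/bin/")  # assumption: Debian/Ubuntu package layout

@dataclass
class CronFinding:
    line_no: int
    schedule: str
    command: str
    reasons: list = field(default_factory=list)

def audit_crontab(text: str) -> list:
    """Return the entries a responder should look at first. For /etc/crontab,
    strip the user column after the schedule before calling this."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment or environment assignment
        if line.startswith("@"):
            schedule, command = line.split(None, 1)
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue  # malformed entry: schedule without a command
            schedule, command = " ".join(parts[:5]), parts[5]
        binary = command.split()[0]  # first word; arguments and redirections follow it
        reasons = []
        if schedule in ("* * * * *", "@reboot"):
            reasons.append(f"persistence-style schedule '{schedule}'")
        if binary.rsplit("/", 1)[-1] in SUSPECT_NAMES and not PG_BIN_RE.match(binary):
            reasons.append("PostgreSQL-like name outside the server's bin directory")
        if binary.startswith(SUSPECT_DIRS):
            reasons.append("executes from a world-writable directory")
        if reasons:
            findings.append(CronFinding(no, schedule, command, reasons))
    return findings
```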
## Related Tools/Techniques
- XMRig (Base cryptominer foundation)
- Exploit for PostgreSQL RCE via `COPY FROM PROGRAM`
- Other cryptojacking malware targeting cloud infrastructure.