An established Chinese crime group uses a large coordinated infrastructure to target servers running database services with three different types of malware, GuardiCore security researchers say.
The group is operating worldwide and has been observed launching multiple attacks over the past several months. Each of the three malware families employed – Hex, Hanako and Taylor – is targeting different SQL servers and has its own goals, scale and target services.
According to GuardiCore, the campaign began in March of this year with attacks on a single server and grew to thousands of attacks per day over the summer, hitting numerous MS SQL Server and MySQL services. The compromised machines were used for various activities, including cryptocurrency mining, distributed denial of service (DDoS), and implanting Remote Access Trojans (RATs).
While most of the compromised machines are located in China, some were observed in Thailand, the U.S., Japan, and other countries. Database services on both Windows and Linux machines are targeted.
The three campaigns launched from this infrastructure differ mostly in target goals: Hex focuses on cryptocurrency miners and RATs; Hanako builds a DDoS botnet; and Taylor installs a keylogger and a backdoor. To date, the security firm has observed hundreds of Hex and Hanako attacks and tens of thousands of Taylor incidents each month.
“From what we’ve seen, the attackers often compromise public and private cloud deployments without chasing any specific domain. This is shown in their frequent scanning of Azure and AWS public IP ranges (which are publicly available) while looking for potential victims,” GuardiCore says.
Compromised machines aren’t used for long
To fly under the radar, the actors use each machine to attack only a small number of IPs. The security researchers discovered that victims are re-purposed to make tracing as difficult as possible: every compromised machine is used for about a month and then rotated out of use.
The infected systems are used for scanning, launching attacks, hosting malware executables and as command and control (C&C) servers. Most of the attacks feature three simple steps: scanning, attacking and initial implant.
The scanning machines search subnets and build ‘hit lists’ of IPs and credentials. The attackers, the researchers say, start from a large set of IP ranges and look for machines running services such as HTTP web servers, MS SQL Server, ElasticSearch, and more.
Based on these ‘hit lists’, the attacker machines attempt to gain an initial foothold on the servers by brute forcing MS SQL and MySQL credentials. Next, they execute predefined SQL commands to gain full control of the victim machine, such as creating new users for persistence.
Parts of the campaign, such as the RATs, are hosted on separate file servers so that attacks don’t depend on a single server. In addition to this modular approach, the infrastructure includes both FTP and HFS (HTTP File Server) servers, which are used to deliver additional attack tools after the initial dropper runs.
While the Taylor attacks were observed downloading files from two domains, down@mys2016@info and js@mys2016@info, both registered in March 2017, Hex and Hanako were observed using a unique file server per attack.
After brute forcing their way onto the target servers (an operation made possible because many admins don’t harden the database beyond the use of a password), the attackers use xp_cmdshell, a variety of stored procedures, and OLE automation to upload their first set of tools.
The droppers employed by the group usually establish persistence by creating a backdoor user and opening the Remote Desktop port. Next, malware is downloaded from a short-lived FTP or HTTP server.
Later on, the attackers also stop or disable anti-virus and monitoring applications and attempt to cover their tracks by deleting any unnecessary registry, file, and folder entries. The downloaded malware attempts to evade detection by using a fake MFC user interface and abnormally sized binaries padded with large quantities of junk data.
Hex and Hanako, the security researchers discovered, use the same MS SQL Server attack flow and download unique attack configuration files. They create an identical scheduled task to run the same unique binary and target the same antivirus products.
Hanako is named after the backdoor user added to targeted databases.
Written in C++, Hex (it uses name variations of Hex.exe) can log keystrokes and capture the screen and microphone to extract information from the victim machines, and can download and execute additional modules.
The malware masquerades as Kugou Player, a popular Chinese music streaming service. Along with comments in Chinese found in the code, targets’ location, and configuration files showing email addresses from popular Chinese providers, this suggests that the actor behind the campaign is of Chinese origin, the researchers say.
Taylor (named after an image of Taylor Swift used to hide the keylogger) has been observed in over 80,000 attack attempts since March. As part of the attack, a backdoor related to the 2016 Mirai botnet is also downloaded onto the compromised servers, the researchers say.
Although it uses the same domain names over time and does not change IP addresses often, Taylor uses a more cautious attack script, where the hackers send most of the queries encoded in hex. They also store references to the servers in HTML pages downloaded during the attack.
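Taylor’s habit of sending most of its queries hex-encoded defeats naive keyword matching on captured SQL text, and the same check also covers the plaintext xp_cmdshell and OLE automation calls described above. The following Python function is an added example written for this article, not GuardiCore’s tooling: it expands T-SQL `0x…` binary literals back into text before looking for procedure names. The sample queries and the list of procedures worth reviewing are constructed for illustration.

```python
import re
from typing import Dict, List

# A T-SQL binary literal: 0x followed by hex digits. Attackers hide the real
# statement inside one of these and then run it with EXEC(@variable).
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})")

# Procedures whose appearance warrants review. xp_cmdshell and OLE automation
# (the sp_OA* family) are named in the article; the rest of this list is an
# assumption added for illustration, not a complete signature set.
SUSPICIOUS_PROCS = ("xp_cmdshell", "sp_oacreate", "sp_oamethod",
                    "sp_configure", "xp_regwrite")

# Constructed sample of captured statements as a query audit trail might show
# them. The hex literals are built from plain text so the sample stays readable.
SAMPLE_QUERIES = [
    "SELECT name FROM sys.databases",
    "DECLARE @s VARCHAR(200); SET @s = 0x"
    + "EXEC sp_configure 'xp_cmdshell', 1".encode("ascii").hex()
    + "; EXEC(@s)",
    # NVARCHAR payloads are UTF-16LE on the wire, so the bytes look different.
    "DECLARE @n NVARCHAR(200); SET @n = 0x"
    + "EXEC sp_OACreate 'Scripting.FileSystemObject', @o OUT".encode("utf-16-le").hex()
    + "; EXEC(@n)",
    "EXEC master..xp_cmdshell 'dir'",   # plaintext, caught by the same check
]


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the digits of a 0x... literal back into text (ASCII or UTF-16LE)."""
    if len(hex_digits) % 2:                 # odd digit count: left-pad one nibble
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    # For ASCII text stored as NVARCHAR, every odd byte is zero; use that as the
    # UTF-16LE heuristic so both VARCHAR and NVARCHAR payloads decode correctly.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def expand_hex(query: str) -> str:
    """Replace every 0x... literal in the statement with its decoded text."""
    return HEX_LITERAL.sub(lambda m: decode_hex_literal(m.group(1)), query)


def analyse_query(query: str) -> Dict:
    """Expand hex literals, then report which reviewed procedures appear."""
    expanded = expand_hex(query)
    lowered = expanded.lower()
    hits = [proc for proc in SUSPICIOUS_PROCS if proc in lowered]
    return {
        "query": query,
        "expanded": expanded,
        "hex_encoded": expanded != query,
        "hits": hits,
    }


def scan_queries(queries: List[str]) -> List[Dict]:
    """Return only the statements that reference a reviewed procedure."""
    return [r for r in (analyse_query(q) for q in queries) if r["hits"]]


if __name__ == "__main__":
    for result in scan_queries(SAMPLE_QUERIES):
        tag = "hex-encoded" if result["hex_encoded"] else "plaintext"
        print(f"[{tag}] {result['hits']}: {result['expanded']}")
```

Decoding before matching is the whole point: the second and third sample statements contain no readable procedure name until the literal is expanded, and a string match on the raw query text would pass them. Expect some benign hits on sp_configure from administrators; the list marks statements for review, not for automatic blocking.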
“The best way to minimize your exposure to campaigns targeting databases is to control the machines that have access to the database. Routinely review the list of machines that have access to your databases, keep this list to a minimum and pay special attention to machines that are accessible directly from the internet. Every connection attempt from an IP or domain that does not belong to this list should be blocked and investigated,” GuardiCore concludes.
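The brute-force foothold described earlier and GuardiCore’s closing advice about controlling which machines may reach the database can both be checked against the SQL Server error log. The following Python script is an added example written for this article, not GuardiCore’s or Plixer’s code. The log lines are constructed to mimic the SQL Server error log’s login-audit format (“Login failed for user … [CLIENT: a.b.c.d]”); the allowlist, the failure threshold and the time window are assumptions to tune for your environment.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample modelled on the SQL Server error log; not real data.
# 203.0.113.5 hammers 'sa' and then gets in; 198.51.100.7 fails once.
SAMPLE_LOG = """\
2017-11-20 10:15:01.10 Logon       Login succeeded for user 'app_svc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.8]
2017-11-20 10:15:02.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2017-11-20 10:15:03.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2017-11-20 10:15:05.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2017-11-20 10:15:06.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2017-11-20 10:15:08.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2017-11-20 10:15:09.30 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2017-11-20 10:20:00.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2017-11-20 10:21:00.00 Logon       Error: 18456, Severity: 14, State: 8.
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login (?P<outcome>succeeded|failed) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_login_events(text: str) -> List[Dict]:
    """Extract timestamp, user, outcome and client from login-audit lines."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # "Error: 18456 ..." and other lines carry no client address
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "user": m["user"],
            "outcome": m["outcome"],
            "client": m["client"],
        })
    return events


def detect_bruteforce(events: List[Dict], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Clients with at least `threshold` failed logins inside any `window`.

    Returns {client: failures_in_the_densest_window}; threshold and window are
    assumed values, not figures from the article.
    """
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "failed":
            failures[e["client"]].append(e["ts"])
    flagged = {}
    for client, stamps in failures.items():
        stamps.sort()
        start, densest = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            flagged[client] = densest
    return flagged


def successes_after_bruteforce(events: List[Dict], flagged: Dict[str, int]) -> List[Dict]:
    """Successful logins from a flagged client: the sign of a brute force that worked."""
    return [e for e in events if e["outcome"] == "succeeded" and e["client"] in flagged]


def unlisted_clients(events: List[Dict], allowlist: List[str]) -> List[str]:
    """Client addresses seen in the log that fall outside the allowlisted networks."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    seen: List[str] = []
    for e in events:
        try:
            ip = ipaddress.ip_address(e["client"])
        except ValueError:
            continue  # e.g. "<local machine>" for shared-memory connections
        if not any(ip in n for n in nets) and e["client"] not in seen:
            seen.append(e["client"])
    return seen


if __name__ == "__main__":
    events = parse_login_events(SAMPLE_LOG)
    flagged = detect_bruteforce(events)
    print("brute-force sources:", flagged)
    for e in successes_after_bruteforce(events, flagged):
        print("successful login after brute force:", e["user"], "from", e["client"])
    print("clients outside allowlist:", unlisted_clients(events, ["10.0.0.0/24"]))
```

Two practical notes: SQL Server logs failed logins by default but records “Login succeeded” lines only when login auditing is set to both failed and successful logins, so enable that before relying on `successes_after_bruteforce`; and the allowlist check is the one that matches GuardiCore’s advice most directly, since it flags 198.51.100.7 even though a single failure never trips the brute-force threshold.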
“There isn’t a server out there that is connected to a LAN which isn’t vulnerable to malware. If the LAN is connected to the Internet, bad actors can get in. Since infection is inevitable, it is important to watch for the telltale signs of an infection. Behaviors such as abnormal traffic to another host can be an indicator and this could be in the form of excessive connections (e.g. DDoS), bytes, or other metric. Even light scanning behaviors can be detected. Leveraging flow data for network traffic analytics is one of the best resources for monitoring and malware incident response,” Michael Patterson, CEO of Plixer, told SecurityWeek in an emailed comment.