Researchers at Aqua Nautilus have uncovered a new malware that targets PostgreSQL servers to deploy cryptocurrency miners.

The cybersecurity firm has identified over 800,000 servers that are potentially vulnerable to a cryptojacking campaign targeting PostgreSQL, an open-source relational database management system used to store, manage, and retrieve data for various applications.

According to a research report shared with crypto.news, the so-called “PG_MEM” malware starts by attempting to gain access to PostgreSQL databases with a brute force attack and manages to infiltrate databases with weak passwords.

Once the malware infiltrates the system, it establishes a superuser role with administrative privileges, enabling it to take full control of the database and block access for other users. With this control, the malware executes shell commands on the host system, facilitating the download and deployment of additional malicious payloads.

According to the report, the payloads contain two files designed to allow the malware to evade detection, set up the system for cryptocurrency mining, and deploy the XMRIG mining tool used to mine Monero (XMR). 

XMRIG is often used by threat actors due to Monero’s hard-to-trace transactions. Last year, an educational platform was compromised in a cryptojacking campaign where attackers deployed a hidden script that installed XMRIG on every visitor’s system.

You might also like: Decoding cryptojacking: what is it and how can you protect yourself?

Malware hijacks PostgreSQL servers to deploy crypto miners

Analysts found that the malware removes existing cron jobs, which are scheduled tasks that run automatically at specified intervals on a server and creates new ones to ensure that the crypto miner continues to run.

This allows the malware to continue its operations even if the server is restarted or if some processes are temporarily stopped. To remain unnoticed, the malware deletes specific files and logs that could be used to track or identify its activities on the server.

The researchers warned that while the campaign’s primary goal is to deploy the cryptocurrency miner, attackers also gain control of the affected server, highlighting its severity.

Cryptojacking campaigns targeting PostgreSQL databases have been a recurring threat over the years. In 2020, Palo Alto Networks’ Unit 42 researchers uncovered a similar cryptojacking campaign involving the PgMiner botnet. In 2018, the StickyDB botnet was discovered, which also infiltrated servers to mine Monero.

Read more: $3.5m ‘cryptojacking’ case sees Nebraska man face up to 30 years in prison