A sophisticated fileless malware campaign has compromised over 1,500 PostgreSQL servers worldwide, according to research conducted by Wiz Threat Research.
The attackers, tracked under the identifier JINX-0126, have exploited weakly configured and publicly exposed PostgreSQL instances to deploy XMRig-C3 cryptominers.
This malware operates without leaving detectable files on the infected systems, making it particularly challenging for traditional security solutions to identify and mitigate.
Technical Analysis of the Attack
The attackers target misconfigured PostgreSQL servers that use weak or default credentials, gaining unauthorized access and executing malicious payloads via the COPY ... FROM PROGRAM command, which runs a shell command on the database host under the PostgreSQL service account.
Once authenticated, they perform system discovery using commands like whoami and uname, followed by deploying a dropper script encoded in Base64.
This script eliminates competing cryptominers on the system before introducing a binary named pg_core, which is executed and subsequently deleted to evade detection.
Further analysis reveals that the attackers download a binary named postmaster, designed to mimic legitimate PostgreSQL processes.
According to the report, this binary is obfuscated using modified UPX packing and includes an encrypted configuration appended to its file structure.
The configuration contains critical details about the compromised server, such as login credentials, external IP address, and cryptominer-related data like wallet addresses and worker IDs.

The malware ensures persistence by creating cron jobs that execute itself every minute while modifying PostgreSQL configurations to block external access.
Another binary, cpu_hu, is deployed to initiate cryptomining activities. It downloads the latest version of XMRig-C3 from GitHub and executes the miner filelessly via memory-based techniques.
Both binaries, postmaster and cpu_hu, are uniquely configured for each victim, so their file hashes differ across infected systems.
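Because the binaries are per-victim and the miner runs in memory, file hashes are a poor detection handle for this campaign; the statement log is a better one. The following Python script is an added example written for this article, not code from Wiz or from the report. It parses a constructed excerpt of a PostgreSQL server log (assuming log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d ', both of which are assumptions) and flags the tradecraft described above: COPY ... FROM PROGRAM, a Base64-decoded dropper, and cron-based persistence, with whoami/uname discovery used only to enrich a hit. It then groups hits by backend PID, since one session chaining all three steps is the pattern to look for.

```python
import re
from dataclasses import dataclass

# Constructed sample log excerpt (not real data) in the PostgreSQL log format
# produced by log_line_prefix = '%m [%p] %u@%d ' with log_statement = 'all'.
# Lines 2 to 4 model the activity described in the article; the others are benign.
SAMPLE_LOG = """\
2025-04-01 10:00:01.000 UTC [4101] app@inventory LOG:  statement: SELECT id, name FROM products WHERE id = 42;
2025-04-01 10:00:02.000 UTC [4102] postgres@postgres LOG:  statement: COPY recon FROM PROGRAM 'whoami; uname -a';
2025-04-01 10:00:03.000 UTC [4102] postgres@postgres LOG:  statement: copy stage from program 'echo ZWNobyBoaQo= | base64 -d | sh';
2025-04-01 10:00:04.000 UTC [4102] postgres@postgres LOG:  statement: COPY p FROM PROGRAM 'echo "* * * * * /tmp/x" | crontab -';
2025-04-01 10:00:05.000 UTC [4103] app@inventory LOG:  statement: COPY products TO '/var/lib/postgresql/export.csv' CSV;
"""

# Prefix parser for the log_line_prefix assumed above; adjust if yours differs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<stmt>.*)$"
)

# Strong indicators: any one of these makes the statement worth alerting on.
STRONG = [
    ("copy_program", re.compile(r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\b", re.I | re.S)),
    ("base64_decode", re.compile(r"\bbase64\s+(?:-d|--decode)\b", re.I)),
    ("cron_persistence", re.compile(r"\bcrontab\b|/etc/cron", re.I)),
]
# Weak indicators only enrich a hit; on their own they are too noisy to alert on.
WEAK = [
    ("recon", re.compile(r"\b(?:whoami|uname)\b", re.I)),
]


@dataclass
class Finding:
    pid: int
    user: str
    db: str
    tags: list
    statement: str


def scan_log(text: str) -> list:
    """Return one Finding per logged statement that carries a strong indicator."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a statement line, or a different prefix format
        stmt = m.group("stmt")
        tags = [tag for tag, rx in STRONG if rx.search(stmt)]
        if not tags:
            continue
        tags += [tag for tag, rx in WEAK if rx.search(stmt)]
        findings.append(Finding(int(m.group("pid")), m.group("user"),
                                m.group("db"), tags, stmt))
    return findings


def repeat_offenders(findings, threshold: int = 2) -> list:
    """PIDs (backend sessions) with at least `threshold` flagged statements.

    Discovery, a Base64 dropper and persistence issued from one session is the
    chain described in the campaign, so grouping by pid surfaces it.
    """
    counts = {}
    for f in findings:
        counts[f.pid] = counts.get(f.pid, 0) + 1
    return sorted(pid for pid, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"pid={f.pid} {f.user}@{f.db} tags={','.join(f.tags)} :: {f.statement}")
    print("sessions with chained activity:", repeat_offenders(hits))
```

On the sample, the benign SELECT and the COPY ... TO a file are ignored, the three statements from backend 4102 are flagged with their respective tags, and 4102 is reported as a session with chained activity. COPY ... TO PROGRAM is matched alongside FROM PROGRAM because both execute a shell command on the host; the difference is only the direction of the data.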
Scope of Impact
The campaign’s scale was assessed by analyzing three cryptocurrency wallets linked to the attackers through mining pool statistics.
Each wallet reportedly had approximately 550 workers actively mining cryptocurrency, indicating that over 1,500 servers have been compromised globally.
The prevalence of misconfigured PostgreSQL instances in cloud environments has made them an attractive target for opportunistic threat actors.
Organizations hosting PostgreSQL servers are advised to implement robust security measures to prevent unauthorized access.
This includes enforcing strong password policies, disabling public exposure of database instances, and regularly monitoring for suspicious activity.
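The "publicly exposed" part of the exposure is usually two settings: listen_addresses in postgresql.conf and an over-broad entry in pg_hba.conf. The following Python script is an added example written for this article (not Wiz's tooling) that audits both from text. It uses constructed pg_hba.conf excerpts, one weak and one tightened, and assumes the CIDR form of the ADDRESS column; entries written as an IP plus a separate netmask field, hostnames and the samehost/samenet keywords are not handled, which is an assumption to keep the example short.

```python
import ipaddress
from dataclasses import dataclass

# Constructed pg_hba.conf excerpts (not from any real system). The first
# models the exposure the campaign relies on, the second a tightened version.
WEAK_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       0.0.0.0/0      md5
host    all       all       ::/0           trust
host    app       app       10.0.1.0/24    scram-sha-256
"""

HARDENED_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
hostssl app       app       10.0.1.0/24    scram-sha-256
hostssl all       dba       10.0.0.0/8     scram-sha-256
"""

NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


@dataclass
class HbaFinding:
    lineno: int
    raw: str
    issues: list


def _any_address(addr: str) -> bool:
    """True if the ADDRESS field admits every client (0.0.0.0/0, ::/0 or 'all')."""
    if addr.lower() == "all":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen == 0
    except ValueError:
        return False  # hostname, samehost/samenet or IP+netmask form: not handled here


def audit_hba(text: str) -> list:
    """Flag pg_hba.conf entries that are open to any address or use weak auth."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        ctype = fields[0].lower()
        if ctype == "local":
            addr, method = None, (fields[3] if len(fields) > 3 else "")
        elif ctype in NETWORK_TYPES and len(fields) >= 5:
            addr, method = fields[3], fields[4]
        else:
            continue  # malformed or unknown line type; a fuller audit would flag this
        issues = []
        if addr is not None and _any_address(addr):
            issues.append("any_address")
        m = method.lower()
        if m == "trust":
            issues.append("trust_no_auth")      # no credential check at all
        elif m == "password":
            issues.append("cleartext_password")  # password sent in the clear
        elif m == "md5":
            issues.append("legacy_md5")          # prefer scram-sha-256
        if issues:
            findings.append(HbaFinding(n, line, issues))
    return findings


def listens_publicly(conf_text: str) -> bool:
    """True if postgresql.conf sets listen_addresses to '*', '0.0.0.0' or '::'."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("listen_addresses"):
            value = line.split("=", 1)[1].strip().strip("'\"")
            addrs = {a.strip() for a in value.split(",")}
            return bool(addrs & {"*", "0.0.0.0", "::"})
    return False  # PostgreSQL's default is 'localhost'


if __name__ == "__main__":
    for label, text in (("weak", WEAK_HBA), ("hardened", HARDENED_HBA)):
        for f in audit_hba(text):
            print(f"[{label}] line {f.lineno}: {', '.join(f.issues)} :: {f.raw}")
    print("listens publicly:", listens_publicly("listen_addresses = '*'\n"))
```

The weak excerpt produces two findings (the 0.0.0.0/0 md5 line and the ::/0 trust line); the hardened one produces none. Since COPY ... FROM PROGRAM is only available to superusers and members of the pg_execute_server_program role, the same review should list which roles hold either and confirm the application account is not among them. The report also notes that the malware rewrites PostgreSQL's configuration to block external access, so an unexpected change to these files is itself worth alerting on.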
Security tools like Wiz Dynamic Scanner can identify vulnerable configurations within cloud environments and detect behaviors associated with fileless malware attacks.
The emergence of fileless attacks targeting critical database infrastructure underscores the importance of proactive threat detection and response capabilities in modern cloud security frameworks.