Researchers have identified that the actors behind the Gh0stCringe remote access trojan are targeting Microsoft SQL and MySQL database servers. Gh0stCringe, believed to have been active since 2018, is a known variant of the Gh0st RAT malware.

Gh0stCringe attacks databases

A recent report from AhnLab indicates that the threat actors behind Gh0stCringe, also known as CirenegRAT, are targeting relational databases hosted on poorly secured servers.
  • The malware targets weakly configured database servers, including Microsoft SQL and MySQL servers, whose accounts use easy-to-crack passwords.
  • The legitimate database service processes (sqlservr.exe for Microsoft SQL Server, mysqld.exe and mysqld-nt.exe for MySQL) are observed creating a new malicious executable, mcsql.exe, which is a strong sign that the attacker is running commands through the compromised database service itself.
  • Moreover, researchers identified multiple other malware samples on the same servers, such as KingMiner and the Vollgar CoinMiner.

This implies that several threat actors are hunting the same vulnerable servers to drop their payloads.
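The two observations above suggest two detections a defender can run without any vendor tooling: a burst of failed logins from one client address against the database (the brute-force stage), and the database engine itself spawning a child process or a file named mcsql.exe (the dropper stage). The script below is an added example and is not code from the AhnLab report or from Cyware. It assumes the standard MSSQL error-log wording for event 18456, where the source address appears in a `[CLIENT: ...]` tag, and Sysmon-style process-creation fields (`parent_image`, `image`, `command_line`). All log lines and events are constructed for the example; the allowlist of benign children is a hypothetical starting point to tune per host.

```python
import re
from collections import Counter

# Legitimate database service images named above as the parents of mcsql.exe.
# A database engine normally spawns no child processes, so any child is worth
# a look; the dropper name from the report is escalated explicitly.
DB_SERVICE_IMAGES = {"sqlservr.exe", "mysqld.exe", "mysqld-nt.exe"}
KNOWN_DROPPER_NAMES = {"mcsql.exe"}
# Hypothetical allowlist of children seen in some deployments; tune per host.
BENIGN_CHILDREN = {"conhost.exe"}

# MSSQL error-log wording for event 18456 (failed login); the CLIENT tag
# carries the address the connection came from.
FAILED_LOGIN_RE = re.compile(
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[0-9A-Fa-f:.]+)\]"
)


def parse_failed_logins(lines):
    """Return (user, client_ip) for every failed-login line in the error log."""
    hits = []
    for line in lines:
        m = FAILED_LOGIN_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits


def brute_force_sources(lines, threshold=5):
    """Client addresses with at least `threshold` failed logins.

    A password-guessing client against a privileged account shows up as a
    burst from one address; a single typo from a legitimate client does not."""
    per_ip = Counter(ip for _user, ip in parse_failed_logins(lines))
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_db_children(events):
    """Process-creation events whose parent is a database engine and whose
    child is not on the allowlist. A child named mcsql.exe is rated high."""
    findings = []
    for ev in events:
        parent = basename(ev["parent_image"])
        child = basename(ev["image"])
        if parent not in DB_SERVICE_IMAGES or child in BENIGN_CHILDREN:
            continue
        severity = "high" if child in KNOWN_DROPPER_NAMES else "medium"
        findings.append({"parent": parent, "child": child, "severity": severity,
                         "command_line": ev.get("command_line", "")})
    return findings


# Constructed sample MSSQL error-log lines: six guesses against 'sa' from one
# address, and one mistyped password from an application account.
SAMPLE_ERRORLOG = [
    "2024-03-01 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.",
] + [
    f"2024-03-01 10:00:0{i}.10 Logon       Login failed for user 'sa'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]"
    for i in range(1, 7)
] + [
    "2024-03-01 10:05:30.00 Logon       Login failed for user 'app_user'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
]

# Constructed sample process-creation events (Sysmon event 1 style fields).
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo test"},
    {"parent_image": r"C:\Program Files\MySQL\MySQL Server 5.7\bin\mysqld.exe",
     "image": r"C:\Windows\Temp\mcsql.exe",
     "command_line": "mcsql.exe"},
    {"parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "command_line": "conhost.exe 0x4"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_ERRORLOG))
    for f in suspicious_db_children(SAMPLE_PROCESS_EVENTS):
        print(f"[{f['severity']}] {f['parent']} -> {f['child']}: {f['command_line']}")
```

On the constructed data the first check reports 203.0.113.7 with six failures, and the second reports sqlservr.exe launching cmd.exe (medium) and mysqld.exe creating mcsql.exe (high); the conhost.exe child and the explorer.exe event are ignored. The same parent-child rule expressed as a SIEM or Sysmon rule is the cheapest early warning for this campaign, because it fires before any miner or RAT has a chance to beacon.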

More about Gh0stCringe

Gh0stCringe is a RAT that connects to a C&C server and lets the attacker perform a range of actions, depending on the configuration data it receives.
  • The malware allows the attacker to open a URL with Internet Explorer, destroy the Master Boot Record (MBR), set Run registry keys for persistence, and shut down the host system.
  • Additionally, it steals data stored on the clipboard, collects Tencent-related data from the targeted machine, and performs keylogging.
  • It also supports self-management tasks (such as update and uninstall), system control (such as resetting the network interface), and loading of additional modules.

Gh0stCringe supports several operating modes, named mode 0, mode 1, mode 2, and a Windows 10 mode. All of them communicate with the C&C server; they differ only slightly in how persistence is handled.

Preventive recommendations

To stay protected from such threats, researchers recommend using hard-to-guess passwords for database accounts and rotating them periodically to blunt brute-force attacks. Promptly patching internet-exposed servers and adding further layers of protection, such as firewalls that restrict who can reach the database port, also help fend off such attacks.

Cyware Publisher