A new trio of malware families with remote access trojan (RAT), cryptocurrency-mining, information-stealing, backdoor and botnet capabilities has been observed targeting Microsoft SQL Server and MySQL servers. Attacks have been seen mainly in China, on Amazon Web Services (AWS) and Azure IP ranges.
Hex, Hanako and Taylor each perform different functions but are deployed together to maximise their impact. Hex uses file servers to install keyloggers and cryptocurrency miners, as well as capture software for file images.
Hanako attempts to create a backdoor on the system before enrolling it in a botnet used to perform distributed denial-of-service (DDoS) attacks. Given the nature of the enrolled devices (database servers rather than consumer endpoints), any DDoS attack they mount would be quite severe.
Taylor also creates a backdoor, but its role is to maintain persistence on a system: it terminates processes and deletes antivirus software before downloading a keylogger. This keylogger is hidden within an image of the singer Taylor Swift, hence its name.
Compromised systems are then used to deploy the malware further and to scan for new targets over a number of services, including HTTP and Elasticsearch, alongside SQL services. Once a target is identified, the attackers attempt to brute-force its credentials before executing a series of SQL commands to escalate their privileges.
To prevent compromise of your systems, the researchers advise administrators to follow the database hardening guides provided by both MySQL and Microsoft, rather than relying on a strong database password alone.
Affected platforms: SQL servers (Microsoft and Linux)