Sophos researchers have observed a wave of attacks targeting Windows servers that are running MySQL databases, threat actors aim at delivering the GandCrab ransomware.
This is the first time the company sees hackers targeting Windows servers running instances MySQL databases to infect them with ransomware.
The experts discovered the attacks because they hit one of the company’s honeypots that emulates MySQL listening on the default TCP port 3306.
The attackers attempt to connect to the database server and establish that it is running a MySQL instance.
Then, the attacker uses the “set” command to upload all the bytes composing the helper DLL into memory in a variable and wrote out the contents of that variable to a database table named yongger2.
The attacker concatenates the bytes into one file and drops them into the server’s plugin directory. The analysis of the DLL revealed it is used to add the xpdl3, xpdl3_deinit, and xpdl3_init functions to the database.
The attacker then drops the yongger2 table and the function xpdl3, if one already exists. At this point the attacker uses the following SQL command to create a database function (also named xpdl3) that is used to invoke the DLL:
CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'
The command to invoke the xpdl3 function is:
Using this attack scheme, the attacker instructs the database server to download the GandCrab payload from the remote machine and drops it in the root of the C: drive with the name isetup.exe and executes it.
According to Sophos, at least one Chinese threat actor is currently carrying out such kind of attacks, scanning the internet for Windows servers that are running MySQL databases.
“This particular attack transpired over just a few seconds at about midday, local time, on Sunday, May 19th.” reads the analysis published by Sophos.
“But the URL where the file originated bears some scrutiny. It pointed to an open directory on a web server running server software called HFS, which is a Windows-based web server in the form of a single application.”
“What makes this interesting is that the IP address of this machine hosting the GandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”
The analysis of the server allowed the experts to determine the number of times the ransomware was downloaded.
The GandCrab sample that targeted the honeypot was downloaded more than 500 times. Unfortunately, the sample was not the only one, counted together, experts estimated that there have been nearly 800 downloads in the five days, as well as more than 2300 downloads of the other GandCrab sample in the open directory.
“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file,” continues the analysis.
“Counted together, there has been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory.
The researchers pointed out that this isn’t a massive or widespread attack, anyway it represents a serious risk to MySQL server admins that exposed their installs online.