PgMiner botnet targets PostgreSQL databases to install a cryptocurrency miner.
PostgreSQL, also known as Postgres, is one of the most-used open-source relational database management systems (RDBMS) for production environments.
This week, security researchers from Palo Alto Networks discovered a new botnet, tracked as PgMiner, that targets PostgreSQL databases to install a cryptocurrency miner.
First, the botnet randomly picks a network range (e.g., 18.xxx.xxx.xxx) and iterates through that range, searching for systems that have the PostgreSQL port (port 5432) exposed online.
Second, if an active PostgreSQL system is found, the botnet moves from the scanning phase to its brute-force phase.
In the brute-force phase, it runs through a long list of passwords, trying to guess the password of the default PostgreSQL account "postgres".
According to Unit 42, at the time of their report the botnet was only able to deploy miners on Linux MIPS, ARM, and x64 platforms.
Once the attackers have access to the database, they use the PostgreSQL COPY FROM PROGRAM feature to escalate from the database application to the underlying server and take over the entire OS.
Once they have a foothold on the infected system, the PgMiner crew deploys a coin-mining application and mines as much Monero cryptocurrency as possible before the infection is spotted.
The operators control infected bots via a command-and-control (C2) server hosted on the Tor network, and the botnet's codebase appears to resemble that of the SystemdMiner botnet.
Above all, this attack only works if PostgreSQL database owners have forgotten to disable the default "postgres" user or to change its password.
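The two stages described above (a password brute-force against the "postgres" account, followed by COPY FROM PROGRAM to reach the host) both leave traces in the PostgreSQL server log when `log_connections` and `log_statement` are enabled. The following script is an added example written for this article, not code from Unit 42 or from PgMiner: it runs over a few constructed log lines (assumed `log_line_prefix = '%m [%p] %h '`, i.e. timestamp, backend pid and client host) and flags clients that exceed a failed-login threshold, plus any `COPY ... FROM PROGRAM` statement, which a normal application workload should never issue.

```python
import re
from collections import Counter

# Constructed sample log lines in the shape PostgreSQL writes with
# log_line_prefix = '%m [%p] %h '. The hosts, pids and statements are
# invented for this example; they are not indicators from the report.
SAMPLE_LOG = """\
2020-12-10 10:00:01.001 UTC [2101] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 10:00:01.050 UTC [2102] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 10:00:01.101 UTC [2103] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 10:00:01.150 UTC [2104] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 10:00:01.201 UTC [2105] 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2020-12-10 10:00:02.000 UTC [2106] 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2020-12-10 10:00:02.300 UTC [2106] 203.0.113.7 LOG:  statement: COPY scratch FROM PROGRAM 'id'
2020-12-10 10:05:00.000 UTC [2200] 10.0.0.12 FATAL:  password authentication failed for user "app"
2020-12-10 10:06:00.000 UTC [2201] 10.0.0.12 LOG:  statement: COPY orders TO '/tmp/orders.csv'
"""

# Common prefix: "<date> <time> <tz> [<pid>] <client host> "
PREFIX = r'^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<host>\S+) '

# Failed password authentication, as logged by the authentication step.
AUTH_FAIL = re.compile(
    PREFIX + r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"'
)

# A statement log entry whose SQL is a COPY that reads from a program.
# COPY TO/FROM a file is allowed through; only FROM PROGRAM is flagged.
COPY_PROGRAM = re.compile(
    PREFIX + r'LOG:\s+statement:\s+(?P<stmt>COPY\b.*\bFROM\s+PROGRAM\b.*)$',
    re.IGNORECASE,
)


def analyze(log_text, threshold=5):
    """Return (brute_force, program_copies).

    brute_force: {(client_host, user): failed_login_count} for clients at or
                 above `threshold` failures.
    program_copies: [(client_host, statement)] for every COPY ... FROM PROGRAM.
    """
    failures = Counter()
    program_copies = []
    for line in log_text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            failures[(m['host'], m['user'])] += 1
            continue
        m = COPY_PROGRAM.match(line)
        if m:
            program_copies.append((m['host'], m['stmt']))
    brute_force = {key: n for key, n in failures.items() if n >= threshold}
    return brute_force, program_copies


def report(log_text, threshold=5):
    """Human-readable findings, one string per alert."""
    brute_force, program_copies = analyze(log_text, threshold)
    alerts = []
    for (host, user), n in sorted(brute_force.items()):
        alerts.append(f'brute-force: {n} failed logins for "{user}" from {host}')
    for host, stmt in program_copies:
        alerts.append(f'os-escalation: COPY FROM PROGRAM from {host}: {stmt}')
    return alerts


if __name__ == '__main__':
    for alert in report(SAMPLE_LOG):
        print(alert)
```

In a real deployment the threshold would be applied per time window rather than over the whole file, and the statement check depends on `log_statement` being at least `ddl`/`all` (COPY is a utility command, so `mod` also captures it). The more durable fix is the one the article ends on: give the "postgres" role a strong password, restrict it in `pg_hba.conf` to local or trusted networks, and keep port 5432 off the public internet.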