Gh0stCringe Malware Impacts Unsecured Microsoft SQL, MySQL Servers

Cybercriminals distribute the Gh0stCringe Remote Access Trojan (RAT) on exposed machines by attacking poorly protected Microsoft SQL and MySQL database servers.

Researchers from cybersecurity company AhnLab detailed in a report issued yesterday how the operators behind GhostCringe are aiming at poorly managed database servers with inadequate account credentials and no oversight.

According to BleepingComputer, attackers hack the database servers and write the malicious’mcsql.exe’ executable to disk using the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes.

Source

Aside from Gh0stCringe, AhnLab’s notes in its report the existence of various malware samples on the analyzed servers, implying that competing cybercriminals are hacking the same servers to drop payloads for their own operations.

Since database servers with vulnerable account credentials usually become targets of various attackers and malware, many different malware infection logs were found.

Source

Gh0stCringe RAT is a dangerous malware that connects to the C&C server in order to receive custom commands or exfiltrate stolen data to the attackers. The threat actor can configure numerous settings to Gh0stCringe just like other Remote Access Trojan (RAT) malware.

As per AhnLab report, there are 7 settings, and the malware behaves differently depending on the data that has been configured:

Source

Self-copy [On/Off]: If turned

Read More: https://heimdalsecurity.com/blog/gh0stcringe-malware-impacts-unsecured-microsoft-sql-mysql-servers/