Exposed PostgreSQL instances are the target of an ongoing campaign designed to gain unauthorized access and deploy cryptocurrency miners.
Cloud security firm Wiz said the activity is a variant of an intrusion set that was first flagged by Aqua Security in August 2024 that involved the use of a malware strain dubbed PG_MEM. The campaign has been attributed to a threat actor Wiz tracks as JINX-0126.
“The threat actor has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly – likely to evade detection by [cloud workload protection platform] solutions that rely solely on file hash reputation,” researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski said.
Wiz has also revealed that the campaign has likely claimed over 1,500 victims to date, indicating that publicly-exposed PostgreSQL instances with weak or predictable credentials are prevalent enough to become an attack target for opportunistic threat actors.
The most distinctive aspect of the campaign is the abuse of the COPY … FROM PROGRAM SQL command to execute arbitrary shell commands on the host.
The access afforded by the successful exploitation of weakly configured PostgreSQL services is used to conduct preliminary reconnaissance and drop a Base64-encoded payload, which, in reality, is a shell script that kills competing cryptocurrency miners and drops a binary named PG_CORE.
Also downloaded to the server is an obfuscated Golang binary codenamed postmaster that mimics the legitimate PostgreSQL multi-user database server. It’s designed to set up persistence on the host using a cron job, create a new role with elevated privileges, and write another binary called cpu_hu to disk.
cpu_hu, for its part, downloads the latest version of the XMRig miner from GitHub and launches it filelessly via a known Linux fileless technique referred to as memfd.
“The threat actor is assigning a unique mining worker to each victim,” Wiz said, adding it identified three different wallets linked to the threat actor. “Each wallet had approximately 550 workers. Combined, this suggests that the campaign could have leveraged over 1,500 compromised machines.”
