HiddenGh0st Malware Attacking MS-SQL & MySQL Servers
Gh0st RAT is a remote-control malware originally written by China's C. Rufus Security Team. Because its source code is publicly available, it remains popular with Chinese-speaking threat actors and has spawned many variants.
ASEC (AhnLab Security Emergency Response Center) has identified a Gh0st RAT variant that bundles the Hidden rootkit to conceal its presence on compromised MS-SQL servers and to resist removal.
The variant, dubbed HiddenGh0st, adds QQ Messenger data-theft capabilities on top of the Gh0st RAT feature set. It has been in use since 2022 and, judging by those features, is aimed primarily at Chinese users.
ASEC researchers report that HiddenGh0st is being actively deployed against poorly managed MS-SQL and MySQL servers, i.e. database services exposed to the network with weak credentials.
Hackers Attacking MS-SQL & MySQL Servers
HiddenGh0st is distributed packed. The packer decrypts the Gh0st RAT PE payload and executes it directly in memory, never writing the unpacked binary to disk, and hands it a 0x848-byte configuration block. Among other things, that configuration holds:-
C&C URL
Installation method
Path
File name
Rootkit activation
The configuration also carries options that were disabled in the analyzed sample. One of them is a downloader thread with its own URL; had it been enabled, the malware would have fetched and executed additional payloads from that address.
Another option, when enabled, looks up the infected host's public IP address via http[:]//www[.]taobao[.]com/help/getip[.]php and reports it to the C&C server.
When the installation method is set to 'Service' mode, HiddenGh0st writes its installation time to a 'MarkTime' value under HKLM\SYSTEM\Select, registers itself as a Windows service, and starts that service with the '-auto' argument.
[Figure: the MarkTime value under HKLM\SYSTEM\Select (Source: ASEC)]
The configuration also specifies a dummy-data size: the sample appends 0x00800000 bytes (8 MiB) of padding to its executable, most likely to push the file past the size limits of scanners and sandboxes. The original file is then deleted and HiddenGh0st is relaunched as the service with the '-acsi' argument.
In 'Startup Folder' mode it likewise stores the installation time in 'MarkTime', but copies itself by defining a DOS device name with the DefineDosDeviceA() API.
It then creates the symbolic link '\\.\agmkis2', appends the dummy data, runs the copied binary and deletes the original.
Collected Data
The data collected and sent to the C&C server, in the order it is transmitted, is:-
0x66
Windows version information
CPU speed
Number of CPUs
Public IP address
Private IP address
Host name of the infected system
Number of webcams
Internet connection delay time
Network interface speed
Memory capacity
Local disk capacity
“Default” string (decrypted from the configuration data) or the “5750b8de793d50a8f9eaa777adbf58d4” value of the BITS registry
System boot time
“1.0” (version)
List of installed security products
Wow64 availability
Malware installation time (MarkTime)
Logged in QQ Messenger number
Whether 3 minutes have passed since the last keyboard input (idle check)
Internet connection status (MODEM, LAN, PROXY)
The installed-security-product field is built by scanning the names of running processes for the following keywords:-
"360tray.exe", "360sd.exe", "kxetray.exe", "KSafeTray.exe", "QQPCRTP.exe", "HipsTray.exe", "BaiduSd.exe", "baiduSafeTray.exe", "KvMonXP.exe", "RavMonD.exe", "QUHLPSVC.EXE", "QuickHeal", "mssecess.exe", "cfp.exe", "SPIDer.exe", "DR.WEB", "acs.exe", "Outpost", "V3Svc.exe", "AYAgent.aye", "avgwdsvc.exe", "AVG", "f-secure.exe", "F-Secure", "avp.exe", "Mcshield.exe", "NOD32", "knsdtray.exe", "TMBMSRV.exe", "avcenter.exe", "ashDisp.exe", "rtvscan.exe", "remupd.exe", "vsserv.exe", "BitDefender", "PSafeSysTray.exe", "ad-watch.exe", "K7TSecurity.exe", "UnThreat.exe", "UnThreat"
HiddenGh0st retains the full original Gh0st RAT feature set; the version string "1.0" and the identifier "Default" are read from the configuration data. When the keylogger is activated, it writes captured keystrokes to a file named "6gkIBfkS+qY=.key" in %SystemDirectory% (normally C:\Windows\System32).
In addition to the system information above, HiddenGh0st can:-
Install Mimikatz on the compromised host
Use it to extract account credentials, which are then sent to the C&C server
Poorly managed MS-SQL servers are typically compromised by brute-force or dictionary attacks against weak logins. Use strong, unique passwords for SQL-authenticated logins (the 'sa' account above all), rotate them regularly, restrict access to the database port with a firewall so only known hosts can reach it, and keep the server and its security software up to date so that an infection is detected and removed rather than left running for the attacker.
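As an added example (not part of the article or ASEC's report), the following PowerShell script applies the three controls above to a Windows host running the default MS-SQL instance: scoping the SQL port in Windows Firewall, enforcing password policy on SQL logins and disabling 'sa', and turning on failed-login auditing. The instance name '.', the port 1433, the subnet 10.0.10.0/24 and the presence of the SqlServer module (Invoke-Sqlcmd) are assumptions; adjust them for your environment.

```powershell
# Added example, not the article's or ASEC's code. Run from an elevated prompt on
# the database server while connected as a Windows administrator login, NOT as 'sa'
# (the script disables 'sa' and would lock that session out).
# Assumptions: default instance on TCP 1433; 10.0.10.0/24 is the only network that
# should reach it; the SqlServer PowerShell module is installed.

$Instance      = '.'              # default instance on this host (assumption)
$AllowedSubnet = '10.0.10.0/24'   # application tier (assumption)

# 1. Network: default inbound action Block on every profile, plus one Allow rule
#    scoped to the application subnet. Do NOT add a catch-all Block rule for 1433:
#    in Windows Firewall a Block rule overrides an Allow rule for the same traffic.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'MSSQL 1433 allow app tier' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $AllowedSubnet -Action Allow | Out-Null

# 2. Credentials and attack surface inside SQL Server.
$Tsql = @"
-- Apply Windows password policy and expiration to every SQL-authenticated login
-- that does not have them yet (service-account logins will then expire too; plan for it).
DECLARE @stmt nvarchar(max) = N'';
SELECT @stmt += N'ALTER LOGIN ' + QUOTENAME(name)
             + N' WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;' + CHAR(10)
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;
EXEC sp_executesql @stmt;

-- 'sa' is the login every brute-force tool tries first; disable it and use named admins.
ALTER LOGIN sa DISABLE;

-- xp_cmdshell is how a database compromise turns into OS command execution.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;

-- Audit failed logins (AuditLevel 2) so brute forcing shows up in the SQL error log
-- and the Windows Application log as event 18456. Takes effect after a service restart.
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 2;
"@
Invoke-Sqlcmd -ServerInstance $Instance -Query $Tsql

# 3. Show what is left: any SQL login still without policy checks is a gap.
Invoke-Sqlcmd -ServerInstance $Instance -Query `
    'SELECT name, is_disabled, is_policy_checked, is_expiration_checked FROM sys.sql_logins'
```

The final query is the check to keep in a scheduled job: a new login created without CHECK_POLICY, or 'sa' re-enabled, shows up there immediately. The firewall change is the part most often skipped; a strong 'sa' password does not help much if port 1433 is reachable from the whole internet.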
IOCs
MD5
69cafef1e25734dea3ade462fead3cc9: HiddenGh0st
0d92b5f7a0f338472d59c5f2208475a3: Hidden x86 Rootkit (QAssist.sys)
4e34c068e764ad0ff0cb58bc4f143197: Hidden x64 Rootkit (QAssist.sys)
C&C
leifenghackyuankong.e3.luyouxia[.]net:14688
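The following PowerShell script is an added example (not the article's or ASEC's code) that turns the installation artifacts, keylogger file, rootkit hashes and C&C port described above into a read-only hunt on a suspect database host. The failed-login threshold of 50 per 24 hours and the assumption of a default MSSQLSERVER instance are the author's; everything else comes from the indicators on this page.

```powershell
# Added example, not the article's or ASEC's code. Run from an elevated PowerShell
# prompt on the database host. Hashes are the MD5 IOCs listed above.
# Caveat: a running Hidden rootkit can hide its own files, registry values and
# service, so an empty result is not proof of a clean host. Treat any single hit as
# reason to image the machine and examine it offline.

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Both installation modes write the install time to 'MarkTime' under HKLM\SYSTEM\Select.
#    A stock system has only Current, Default, Failed and LastKnownGood there.
$select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select' -ErrorAction SilentlyContinue
if ($select -and ($select.PSObject.Properties.Name -contains 'MarkTime')) {
    $Findings.Add("Registry: HKLM\SYSTEM\Select\MarkTime = $($select.MarkTime)")
}

# 2. Keylogger output written to %SystemDirectory%.
$keyLog = Join-Path ([Environment]::SystemDirectory) '6gkIBfkS+qY=.key'
if (Test-Path -LiteralPath $keyLog) {
    $Findings.Add("File: keylogger log present at $keyLog")
}

# 3. Rootkit driver by name (loaded driver list) and by hash (on-disk .sys files).
$iocMd5 = @{
    '69CAFEF1E25734DEA3ADE462FEAD3CC9' = 'HiddenGh0st'
    '0D92B5F7A0F338472D59C5F2208475A3' = 'Hidden x86 rootkit (QAssist.sys)'
    '4E34C068E764AD0FF0CB58BC4F143197' = 'Hidden x64 rootkit (QAssist.sys)'
}
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -eq 'QAssist' -or $_.PathName -match 'QAssist\.sys' } |
    ForEach-Object { $Findings.Add("Driver: $($_.Name) state=$($_.State) path=$($_.PathName)") }

$driverDir = Join-Path ([Environment]::SystemDirectory) 'drivers'
Get-ChildItem -LiteralPath $driverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
        if ($iocMd5.ContainsKey($md5)) { $Findings.Add("Hash: $($_.FullName) = $($iocMd5[$md5])") }
    }

# 4. Service-mode persistence starts the binary with '-auto'. An unfamiliar service
#    whose command line ends that way is a lead to review, not a verdict.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match '\s-auto\s*$' } |
    ForEach-Object { $Findings.Add("Service: $($_.Name) -> $($_.PathName)") }

# 5. Live connection to the C&C port from the IOC list.
Get-NetTCPConnection -RemotePort 14688 -State Established -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("Network: PID $($_.OwningProcess) connected to $($_.RemoteAddress):14688") }

# 6. Brute-force evidence: failed SQL logins (event 18456) in the Application log over
#    the last 24 h. Assumes the default instance; named instances log as 'MSSQL$NAME'.
#    The threshold of 50 is an assumption; tune it to the host's normal noise.
$failed = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MSSQLSERVER'; Id = 18456
        StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue)
if ($failed.Count -gt 50) {
    $Findings.Add("SQL: $($failed.Count) failed logins (18456) in 24 h; credential attack likely")
}

if ($Findings.Count -eq 0) { 'No HiddenGh0st indicators found (see caveat at top).' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Check 1 is the cheapest and most specific test: nothing legitimate writes a MarkTime value under HKLM\SYSTEM\Select. Checks 3 and 5 are the ones a live rootkit is most likely to defeat, which is why the hash scan is worth repeating from a boot disk or against a mounted image of the system volume, where the driver cannot filter the results.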
The post HiddenGh0st Malware Attacking MS-SQL & MySQL Servers appeared first on Cyber Security News.