Security researchers have discovered new GandCrab Ransomware campaign targeting internet-facing Windows MySQL servers. The new campaign was spotted by security researchers in a controlled laboratory environment.
“A honeypot we run in a lab environment, listening on the default port used for SQL servers (3306/tcp), received an intriguing attack this week from a machine based in the United States.”
Analysing the traffic generated by Honeypot researchers discovered a Windows executable file was downloaded by Honeypot.
The attacker starts infection by uploading a small helper DLL to the server using SQL database commands. After that invoke the DLL to download the GandCrab ransomware payload from a server hosted on an IP address in Quebec, Canada.
In the first stage, attackers established a connection with the database running MySQL and after that used a set command to upload a helper DLL in the form of hexadecimal characters into memory in a variable.
The hacker concatenates the bytes into one file and drops them into the server’s plugin directory. The analysis of the DLL revealed it is used to add the xpdl3, xpdl3_deinit, and xpdl3_init functions to the database.
The hacker then drops the yongger2 table and the function xpdl3, if one already exists. At this point the attacker uses the following SQL command to create a database function (also named xpdl3) that is used to invoke the DLL: CREATE FUNCTION xpdl3 RETURNS STRING SONAME ‘cna12.dll’
In the next step, the hacker issued a command to the server to make those bytes to a single file and drops them into the server’s plugin directory.
In the final step, the database server downloads the GandCrab ransomware payload from a remote server to the C: drive in the name of isetup.exe and executes it.
The researchers also observed that the hackers used several commands to swap forward slash and backslash characters to evade security detection. Researcher spotted the attack on May 19th and said that successful execution could encrypt all the files in his system.
“What makes this interesting is that the IP address of this machine hosting the GandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese. “
The researchers pointed out that this isn’t a massive or widespread attack, anyway it represents a serious risk to MySQL server admins that exposed their installs online.