Security researchers from Sophos Labs spotted a new campaign aimed at internet-facing MySQL servers on Windows with the goal of delivering GandCrab ransomware. A wave of attacks was detected through one of the company’s honeypots that emulates MySQL listening on the default TCP port 3306.
According to Andrew Brandt, Principal Researcher at Sophos, the first step of the attack involves the attacker connecting to the database server and confirming that it is running MySQL. The threat actor then injects a small malicious DLL file into the database server using SQL commands and invokes the DLL to retrieve the ransomware payload hosted on the attacker’s server.
Then, the attacker uses the “set” command to upload all the bytes that make up the helper DLL, in the form of a long string of hexadecimal characters, into memory in a variable.
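The upload step described above leaves a distinctive footprint in a MySQL query log: a `SET` statement that assigns a very long hexadecimal literal to a user variable, and, because the literal is a Windows DLL, one that begins with the PE file's `MZ` header bytes (`4D5A`). The following detector is an added example written for this article, not tooling from Sophos or from the original report. It assumes MySQL's default general-query-log line layout (`time thread_id command argument`, tab-separated); the log lines and the DOS-header-like hex prefix are constructed sample data.

```python
import re

# Constructed sample data: the first 20 bytes of a typical DOS/PE header
# ("MZ" magic, e_cblp, e_cp, ...) padded with zeros to 80 bytes in total.
DOS_STUB_HEX = "4D5A90000300000004000000FFFF0000B8000000" + "00" * 60

# Constructed MySQL general-query-log lines (default layout:
# <time>\t<thread id> <command>\t<argument>). Not real captured traffic.
SAMPLE_LOG = f"""\
2019-05-20T10:01:02.000000Z\t   12 Connect\troot@203.0.113.5 on  using TCP/IP
2019-05-20T10:01:02.100000Z\t   12 Query\tselect @@version_compile_os
2019-05-20T10:01:03.000000Z\t   12 Query\tSET @a = 0x{DOS_STUB_HEX}
2019-05-20T10:01:05.000000Z\t   13 Query\tSET @limit = 0x10
2019-05-20T10:01:06.000000Z\t   14 Query\tSELECT id, name FROM customers WHERE id = 42
"""

# One general-log record: timestamp, thread id, command word, argument text.
LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<tid>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# SET @var = 0x....  or  SET @var := x'....'  (MySQL hexadecimal literal forms).
SET_HEX_RE = re.compile(
    r"^\s*SET\s+@\w+\s*(?::=|=)\s*(?:0x|x')(?P<hex>[0-9A-Fa-f]+)",
    re.IGNORECASE,
)

# Threshold (hex digits) below which a literal is treated as ordinary data.
# 64 nibbles = 32 bytes; a DLL upload is kilobytes, so this is conservative.
MIN_HEX_NIBBLES = 64


def parse_line(line):
    """Split one general-log line into its fields, or return None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_set(arg):
    """Return a finding for a suspicious SET @var = 0x... argument, else None."""
    m = SET_HEX_RE.match(arg)
    if not m:
        return None
    hexdata = m.group("hex")
    if len(hexdata) < MIN_HEX_NIBBLES:
        return None
    reasons = ["long hex literal assigned to a user variable"]
    if hexdata[:4].upper() == "4D5A":
        reasons.append("literal begins with MZ header (PE/DLL image)")
    return {"hex_bytes": len(hexdata) // 2, "reasons": reasons}


def scan_log(text):
    """Scan general-log text and return one finding per suspicious SET."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["cmd"] != "Query":
            continue
        finding = classify_set(rec["arg"])
        if finding:
            finding.update(thread=int(rec["tid"]), ts=rec["ts"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} thread {f['thread']}: {f['hex_bytes']}-byte literal; "
              + "; ".join(f["reasons"]))
```

The general query log is off by default and costly on a busy server, so in practice the same rule is better applied to an audit-plugin log or to the query text captured by a network sensor on port 3306; the `SET`/hex-literal pattern is the same wherever the statement text is observed. Thread id and timestamp are kept in each finding so the hit can be tied back to the `Connect` record that shows the source address.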
The Sophos researchers traced the attacks back to a remote server running HFS (HTTP File Server) with an open directory, which exposed the download count for every file hosted on the server.
“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file. Counted together, there have been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory,” Sophos observed.
While this campaign does not appear to be massive, it poses a serious risk to MySQL server admins who “have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world,” concluded Brandt. He did not reveal if the attacks were successful.