Ongoing campaign targets exposed PostgreSQL instances to deploy crypto miners

An ongoing campaign is actively exploiting exposed PostgreSQL instances with weak credentials to gain unauthorized access and deploy cryptocurrency miners, according to cloud security firm Wiz. The campaign is a variant of an intrusion set first observed in August 2024, which uses a malware strain known as PG_MEM.

Wiz attributes the attack to a threat actor tracked as JINX-0126. The campaign, according to the firm, has evolved, with the threat actor now implementing advanced evasion techniques, including deploying binaries with a unique hash for each target and executing the miner payload filelessly, making detection by cloud workload protection platforms that rely on file hash reputation more difficult.

Researchers estimate that over 1,500 victims have been compromised to date, with exposed PostgreSQL instances being an appealing target due to weak or predictable credentials.

The most notable aspect of the campaign is the abuse of the COPY FROM PROGRAM SQL command to execute arbitrary shell commands on the host. Successful exploitation of weakly configured PostgreSQL services allows the attackers to drop a Base64-encoded payload. This payload is a shell script designed to eliminate competing miners and deploy a binary called PG_CORE.

In addition to PG_CORE, an obfuscated Golang binary named postmaster is downloaded to the server; the name mimics the legitimate PostgreSQL server process so that it blends in. This binary establishes persistence by creating a cron job, sets up a new database role with elevated privileges, and writes another binary, cpu_hu, to disk. cpu_hu is responsible for downloading and executing the XMRig cryptocurrency miner filelessly, using the known Linux fileless-execution technique based on memfd.
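The two behaviours described above, shell execution through COPY FROM PROGRAM and the creation of a privileged role, both leave a trace in PostgreSQL statement logging. The following detector is an added example, not code from the Wiz report; it assumes `log_statement = 'all'` with a `log_line_prefix` of `'%t [%p] %u@%d '`, and the log lines it scans are constructed samples.

```python
import re

# Constructed sample of PostgreSQL statement log output (not from the report).
# The log_line_prefix '%t [%p] %u@%d ' is an assumption of this example.
SAMPLE_LOG = """\
2025-04-02 10:15:01 UTC [2231] postgres@postgres LOG:  statement: SELECT version();
2025-04-02 10:15:03 UTC [2231] postgres@postgres LOG:  statement: CREATE TABLE t_out(line text);
2025-04-02 10:15:04 UTC [2231] postgres@postgres LOG:  statement: copy t_out /*x*/ from   PROGRAM 'uname -a';
2025-04-02 10:15:06 UTC [2231] postgres@postgres LOG:  statement: CREATE ROLE backup_svc WITH SUPERUSER LOGIN PASSWORD 'placeholder';
2025-04-02 10:15:07 UTC [2231] postgres@postgres LOG:  statement: COPY t_out FROM '/var/lib/postgresql/data.csv';
2025-04-02 10:15:09 UTC [2231] postgres@postgres LOG:  statement: GRANT pg_execute_server_program TO backup_svc;
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)

# (rule name, severity, pattern applied to the normalised statement)
RULES = [
    ("copy_from_program", "critical", re.compile(r"\bcopy\b.*\bfrom\s+program\b")),
    ("superuser_role_change", "high", re.compile(r"\b(create|alter)\s+(role|user)\b.*\bsuperuser\b")),
    ("grant_server_program", "high", re.compile(r"\bgrant\b.*\bpg_execute_server_program\b")),
]


def normalise(sql: str) -> str:
    """Strip SQL comments, collapse whitespace and lowercase, so that spacing or
    inline-comment tricks cannot hide the keywords from the rules."""
    return " ".join(COMMENT_RE.sub(" ", sql).split()).lower()


def scan(log_text: str) -> list[dict]:
    """Return one hit per (statement, matching rule), in log order."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a statement line (e.g. DETAIL/ERROR continuation)
        sql = normalise(m["sql"])
        for name, severity, pat in RULES:
            if pat.search(sql):
                hits.append({"ts": m["ts"], "user": m["user"], "db": m["db"],
                             "rule": name, "severity": severity, "sql": sql})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ts"]} {h["severity"]:8} {h["rule"]:22} {h["user"]}@{h["db"]}: {h["sql"]}')
```

A plain `COPY ... FROM '<file>'` is deliberately not flagged, since only the PROGRAM form runs a shell command; in the sample only the program, superuser-role and grant statements are reported.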

The analysis also revealed that the threat actor assigns a unique mining worker to each compromised machine, linking the attack to three separate cryptocurrency wallets. Each wallet contains around 550 workers, suggesting that the campaign could involve over 1,500 compromised systems.

2 April 2025