Attackers are breaking into poorly protected Microsoft SQL and MySQL servers and infecting them with the Gh0stCringe remote access Trojan, researchers at the security company AhnLab report.
Gh0stCringe (also known as CirenegRAT) is a variant of the Gh0st RAT malware; it has been known since 2018 and was last seen in Chinese cyber-espionage operations in 2020.
Once inside, the attackers use the database server processes (mysqld.exe, mysqld-nt.exe and sqlserver.exe) to write the malicious executable mcsql.exe to disk. Besides the Trojan, the researchers found other malware on the compromised servers, which suggests the same machines had been broken into repeatedly by different criminal groups.
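A database server process dropping an executable, the step described in the previous paragraph, is something mysqld.exe or sqlserver.exe has no legitimate reason to do, which makes it a simple hunt over endpoint telemetry. The Python below is an added example, not AhnLab's code and not the malware's: it scans Sysmon Event ID 11 (FileCreate) records, supplied here as constructed JSON lines, and flags executable-type files created by the database server binaries named above. The field names (EventID, UtcTime, Image, TargetFilename) follow Sysmon's schema; the paths, timestamps and log lines are made up, and sqlservr.exe, the usual name of the SQL Server service binary, is included as an assumption alongside the sqlserver.exe spelling used in the report.

```python
"""Flag files an MSSQL/MySQL server process should never write.

Added example, not code from AhnLab or the malware. Input is Sysmon Event ID 11
(FileCreate) as JSON lines; the sample log below is constructed.
"""
import json
from pathlib import PureWindowsPath

# Database server binaries the report names as the writers of mcsql.exe.
# sqlservr.exe (the real SQL Server service binary name) is an added assumption.
DB_SERVER_IMAGES = {"mysqld.exe", "mysqld-nt.exe", "sqlserver.exe", "sqlservr.exe"}

# File types a database engine has no legitimate reason to create; data files
# (.ibd, .frm, .mdf, .ldf) and logs are normal, executables and scripts are not.
SUSPICIOUS_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs"}


def is_suspicious_filecreate(event: dict) -> bool:
    """True when a DB server process created an executable-type file."""
    if event.get("EventID") != 11:
        return False
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in DB_SERVER_IMAGES:
        return False
    suffix = PureWindowsPath(event.get("TargetFilename", "")).suffix.lower()
    return suffix in SUSPICIOUS_EXTENSIONS


def scan_events(lines):
    """Parse JSON lines; return (UtcTime, Image, TargetFilename) for each hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole hunt
        if is_suspicious_filecreate(event):
            hits.append((event.get("UtcTime", ""), event["Image"], event["TargetFilename"]))
    return hits


# Constructed Sysmon-style events. Raw string: the JSON escape "\\" stands for one backslash.
SAMPLE_LOG = r"""
{"EventID": 11, "UtcTime": "2022-03-01 02:14:07.113", "Image": "C:\\Program Files\\MySQL\\MySQL Server 5.7\\bin\\mysqld.exe", "TargetFilename": "C:\\ProgramData\\MySQL\\data\\shop\\orders.ibd"}
{"EventID": 11, "UtcTime": "2022-03-01 02:14:09.502", "Image": "C:\\Program Files\\MySQL\\MySQL Server 5.7\\bin\\mysqld.exe", "TargetFilename": "C:\\Windows\\Temp\\mcsql.exe"}
{"EventID": 1, "UtcTime": "2022-03-01 02:14:10.021", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\MySQL\\MySQL Server 5.7\\bin\\mysqld.exe"}
{"EventID": 11, "UtcTime": "2022-03-01 03:40:02.870", "Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "TargetFilename": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\DATA\\sales_log.ldf"}
{"EventID": 11, "UtcTime": "2022-03-01 03:40:11.027", "Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe", "TargetFilename": "C:\\Users\\Public\\mcsql.exe"}
{"EventID": 11, "UtcTime": "2022-03-01 03:41:00.000", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\admin\\Downloads\\setup.exe"}
not json at all
"""


def main():
    # Prints the two mcsql.exe drops; the .ibd/.ldf writes and explorer.exe are ignored.
    for when, image, target in scan_events(SAMPLE_LOG.splitlines()):
        print(f"{when}  {PureWindowsPath(image).name} wrote {target}")


if __name__ == "__main__":
    main()
```

Run it as is to see the two hits; in practice feed it a JSON export of your Sysmon or EDR file-creation events and tune SUSPICIOUS_EXTENSIONS and the process list to your environment. A hit whose target looks like C:\Windows\Temp\mcsql.exe is exactly the pattern the report describes, and the process-creation event (EventID 1) that the scanner skips is the natural companion hunt: a shell spawned by a database server process.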
Gh0stCringe is a fully featured RAT with keylogging capability: it takes commands from a command-and-control (C&C) server and sends the stolen data back to its operators. At deployment time the attackers can configure which of its functions are enabled.
The keylogger polls the state of every key with the Windows GetAsyncKeyState API in an infinite loop. This polling approach produces a suspiciously high CPU load, but on a poorly managed server nobody is watching, so it does not get in the attackers' way.
The malware also records the keystrokes of the last three minutes and sends them, together with basic network and OS information, to the C&C server. This lets the attackers steal credentials and any other sensitive data typed on the keyboard.