Fileless XMRig-C3 Cryptominer Targets PostgreSQL Servers | Wiz Blog

Wiz Threat Research has identified an ongoing campaign by the threat actor JINX-0126, targeting poorly configured and publicly exposed PostgreSQL servers. By exploiting weak login credentials, the actor gains access to deploy XMRig-C3 cryptominers, impacting over 1,500 victims. The attacker employs advanced techniques to evade detection while continuously scanning for vulnerable systems.

Affected: PostgreSQL servers, cloud environments, 1,500 victims

Key points:

  • New variant of a malicious campaign targeting PostgreSQL servers.
  • Threat actor JINX-0126 identified by Wiz Threat Research.
  • Exploits weak and guessable login credentials to access PostgreSQL instances.
  • Deploys XMRig-C3 cryptominers on compromised systems.
  • Adopts defense evasion techniques, including unique hashes per target.
  • Potentially impacts over 1,500 victims due to widespread misconfigurations.
  • Common weak configurations found in nearly 90% of cloud environments hosting PostgreSQL.
  • Detection methods include Wiz Dynamic Scanner and Wiz Runtime Sensor.

MITRE Techniques:

  • [T1110.003] Brute Force: Password Spraying – Scanning for weakly configured services.
  • [T1190] Exploit Public-Facing Application – Exploiting default weak credentials for unauthorized access.
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Executing malicious commands using shell.
  • [T1071.001] Application Layer Protocol: Web Protocols – Downloading binaries from an attacker-controlled server.
  • [T1105] Ingress Tool Transfer – Ability to transfer tools into the compromised environment.
  • [T1082] System Information Discovery – Running commands such as ‘whoami’ and ‘uname’ to gather system info.
  • [T1053.003] Scheduled Task/Job: Cron – Creating cron jobs for persistence.
  • [T1136] Create Account – Creating new high-privilege accounts for continued access.
  • [T1098] Account Manipulation – Weakening default admin user privileges.
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Employing obfuscated files to evade detection.
  • [T1070.004] Indicator Removal: File Deletion – Deleting evidence of malicious activities.
  • [T1027.001] Obfuscated Files or Information: Binary Padding – Adding configuration data to binaries.
  • [T1620] Reflective Code Loading – Executing commands through reflective code loading techniques.
  • [T1496] Resource Hijacking – Utilizing compromised resources for cryptomining activities.
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Fileless execution of miners via scripting.
  • [T1027.002] Obfuscated Files or Information: Software Packing – Using UPX to pack binaries for obfuscation.
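The initial access step above (T1110.003, password spraying against exposed PostgreSQL instances) leaves a recognisable trace in the server log: a burst of failed password authentications from one source across several usernames, sometimes followed by a successful login. The following detector is an added example written for this summary; it is not code from Wiz or from the original post. It assumes the server logs with `log_connections = on` and a `log_line_prefix` of `'%m [%p] %u@%d %h '` (an assumption, since the default prefix omits user, database and host), and the log lines and source addresses below are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log_line_prefix = '%m [%p] %u@%d %h ' (timestamp, pid, user@db, client host).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) "
    r"(?P<level>FATAL|LOG):\s+(?P<msg>.*)$"
)
FAIL_MSG = "password authentication failed for user"
OK_MSG = "connection authorized:"

# Constructed sample log: a spray from 203.0.113.7 over four accounts that ends in a
# successful login as postgres, plus one benign typo from 198.51.100.9.
SAMPLE_LOG = """\
2025-03-30 10:00:01.101 UTC [4321] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-03-30 10:00:01.402 UTC [4322] admin@postgres 203.0.113.7 FATAL:  password authentication failed for user "admin"
2025-03-30 10:00:01.733 UTC [4323] test@postgres 203.0.113.7 FATAL:  password authentication failed for user "test"
2025-03-30 10:00:02.004 UTC [4324] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2025-03-30 10:00:02.311 UTC [4325] root@postgres 203.0.113.7 FATAL:  password authentication failed for user "root"
2025-03-30 10:00:02.650 UTC [4326] admin@postgres 203.0.113.7 FATAL:  password authentication failed for user "admin"
2025-03-30 10:00:03.017 UTC [4327] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2025-03-30 10:05:44.900 UTC [4400] app@inventory 198.51.100.9 FATAL:  password authentication failed for user "app"
"""


def parse(lines):
    """Yield one dict per recognised log line; lines in another format are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect_spray(lines, min_failures=5, min_users=3):
    """Return {host: summary} for hosts whose failed logins look like password spraying.

    A host is flagged when it accumulates at least `min_failures` failed password
    authentications spread over at least `min_users` distinct usernames. The summary
    also lists any accounts the same host later authenticated as, which is the case
    a responder wants to triage first.
    """
    failures = defaultdict(list)   # host -> usernames that failed
    successes = defaultdict(set)   # host -> usernames that authenticated
    for ev in parse(lines):
        if ev["msg"].startswith(FAIL_MSG):
            failures[ev["host"]].append(ev["user"])
        elif ev["msg"].startswith(OK_MSG):
            successes[ev["host"]].add(ev["user"])

    alerts = {}
    for host, users in failures.items():
        if len(users) >= min_failures and len(set(users)) >= min_users:
            alerts[host] = {
                "failures": len(users),
                "distinct_users": sorted(set(users)),
                "later_success_as": sorted(successes.get(host, set())),
            }
    return alerts


if __name__ == "__main__":
    for host, summary in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(host, summary)
```

The thresholds are deliberately conservative; the single failure from 198.51.100.9 is not reported, while the scanning host is, together with the account it ended up using. On a real deployment the same correlation is usually done by PID when the prefix lacks `%h`, because the `connection received: host=...` line and the later `FATAL` line share a process id.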

Indicators of Compromise:

  • [Wallet] 4A5ZWpHM6BXS8YF7xNfjXA5ctDjTC3GBwS4ESBV9X2BGVJV8vkfXBeZfXG6w2hmdkpZaogCXiqU4DYPXn3TtPRAGJBLQ7N5
  • [Wallet] 47pt9WzQyugFQpSAwcGN2k8JHiMQ3fRZ3BQqmnYJtcejVq9adfiwVSWgrpmxiYTxvvWcHv5dD2iCaiBYiK4atkMSUGMXdx8
  • [Wallet] 463TBt8Rn1qXWZDpTV4ydxQcZnkJNeLv6JRKjFbzFsY3MQZaxWsUgQF4QnxNAg8MGSPsiLn9faTWqRafHnhh3QBdSLTgRHA
  • [File] 159.223.123.175:36287 (File hosting service)
  • [Pool] mine.c3pool.com:13333

Full Story: https://www.wiz.io/blog/postgresql-cryptomining