PGMiner Botnet targets vulnerable PostgreSQL DBs – Manila Bulletin

According to researchers at Palo Alto Networks Unit 42, the botnet works by performing brute force attacks on Internet-accessible PostgreSQL databases.

PostgreSQL, also known as Postgres, is one of the most-used open-source relational database management systems (RDBMS) for production environments.

PGMiner randomly selects a wide range of public networks then it scans for PostgreSQL port 5432. When it finds an active PostgreSQL system the botnet starts to bruteforce the server in an attempt to compromise it.

The botnet abuses PostgreSQL “COPY from PROGRAM” function to escalate access to the server and hijack the entire Operating system.

Compromised servers are forced to mine Monero cryptocurrency.

“We believe PGMiner is the first cryptocurrency mining botnet that is delivered via PostgreSQL. It is notable that malware actors have started to weaponize not only confirmed CVEs, but also disputed ones.” Said by Researchers from Palo Alto Unit 42.

Credits: Palo Alto Unit 42

PGMiner Command and Control (C2) server is hosted on the Tor network. Security Researchers disputed the botnet’s similarities with the SystemdMiner botnet.