New Cryptojacking Malware Targets Over 800,000 PostgreSQL Servers

Researchers at Aqua Nautilus have discovered a new cryptojacking malware, "PG_MEM," that poses a threat to over 800,000 PostgreSQL servers. The malware infiltrates vulnerable databases through brute force attacks on weak passwords, then establishes administrative control by creating a superuser role, effectively taking over the system. Once in control, the malware deploys the XMRIG tool to mine Monero, a privacy-focused cryptocurrency favored by threat actors for its hard-to-trace transactions.

To ensure its mining operations continue, the malware modifies the server’s cron jobs—automated tasks that run at scheduled intervals—creating new tasks that allow it to persist even after server restarts or interruptions. The malware also erases specific logs and files to remain hidden from detection. Although the primary objective is cryptocurrency mining, the attackers gain full control over the compromised servers, which elevates the severity of the threat significantly.

Cryptojacking campaigns targeting PostgreSQL databases are not new. In recent years, similar attacks have been uncovered, such as the PgMiner botnet in 2020 and the StickyDB botnet in 2018, both of which exploited vulnerable servers to mine Monero. This ongoing trend highlights the need for organizations using PostgreSQL to bolster their security measures to prevent such threats.

Related Articles