November 16, 2023 at 03:16PM
Researchers at AhnLab Security Emergency Response Center (ASEC) have discovered a new campaign targeting MySQL servers with the ‘Ddostf’ malware botnet. The attackers exploit vulnerabilities or weak credentials to gain access to the servers and use user-defined functions (UDFs) to execute commands. The primary payload is the Ddostf bot client, which can facilitate DDoS attacks and potentially enable other malware installation and data exfiltration. Ddostf is a Chinese-origin malware botnet that targets both Linux and Windows systems. ASEC recommends applying updates and using strong passwords to protect against these attacks.
Key Takeaways:
1. MySQL servers are being targeted by the Ddostf malware botnet, which aims to enslave them for a DDoS-as-a-Service platform rented to other cybercriminals.
2. The attackers exploit vulnerabilities in unpatched MySQL environments or use brute-force attacks to breach the servers.
3. The threat actors scan the internet for exposed MySQL servers and attempt to breach them by brute-forcing administrator credentials.
4. On Windows MySQL servers, the attackers use user-defined functions (UDFs) to execute commands on breached systems.
5. The attackers build their own UDFs, ship them as a DLL file (amd.dll) containing the malicious functions, and register that library with the database server.
6. The primary payload of this attack is the Ddostf DDoS bot, but other malware installations, data exfiltration, and creation of backdoors are also possible.
7. Ddostf is a Chinese-origin malware botnet that targets both Linux and Windows systems.
8. It establishes persistence by registering itself as a system service on Windows and communicates with a command and control (C2) server for instructions.
9. Ddostf profiles the host system and sends data to its C2, which can then issue DDoS attack commands or download new payloads.
10. Ddostf’s ability to connect to new C2 addresses gives it resilience against takedowns.
11. To protect against these attacks, MySQL admins should apply the latest updates and use long, unique passwords for admin accounts.
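Takeaways 4, 5 and 11 describe the two artefacts a defender can actually check for on a MySQL host: the `mysql.func` table, which lists every registered UDF and the native library it loads, and the general query log, which records the `CREATE FUNCTION ... SONAME` statement that registers one. The script below is an added example written for this summary, not ASEC's tooling or a MySQL feature: it audits a constructed export of `mysql.func` against an allow-list and scans constructed general-log lines for UDF registration. The library name amd.dll comes from the report; the function names, the allow-listed library, the connection ids, timestamps and the 203.0.113.7 client address are all constructed for the example.

```python
"""Audit MySQL artefacts for signs of UDF abuse (added example, not the report's code).

Assumptions (not from the report): the defender has exported
`SELECT name, dl FROM mysql.func` as (name, library) pairs and has a slice of
the general query log. Every name and log line below is constructed.
"""
import re
from dataclasses import dataclass

# Library name reported by ASEC for this campaign; the only non-constructed value here.
REPORTED_UDF_LIBRARY = "amd.dll"

# General-log line layout: "<timestamp>\t<connection id> <command>\t<argument>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Statement that registers a native library as a UDF.
CREATE_UDF = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?P<name>\w+)\s+RETURNS\s+\w+\s+SONAME\s+'(?P<lib>[^']+)'",
    re.IGNORECASE,
)
# Writing to mysql.func directly bypasses CREATE FUNCTION and is never routine.
DIRECT_INSERT = re.compile(r"INSERT\s+INTO\s+mysql\.func\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" (known campaign artefact) or "medium" (unapproved but unknown)
    source: str    # "mysql.func" or "general_log"
    detail: str


def _severity_for(lib: str) -> str:
    return "high" if lib.lower() == REPORTED_UDF_LIBRARY else "medium"


def audit_func_table(rows, allow_list=frozenset()):
    """Flag every registered UDF whose library is not on the deployment's allow-list."""
    findings = []
    for name, lib in rows:
        if lib in allow_list:
            continue
        findings.append(Finding(_severity_for(lib), "mysql.func",
                                f"UDF {name!r} loads unapproved library {lib!r}"))
    return findings


def scan_general_log(lines):
    """Flag queries that register a UDF or write to mysql.func directly."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue  # malformed line or a non-query event such as Connect/Quit
        arg = m.group("arg")
        where = f"conn {m.group('conn')} at {m.group('ts')}"
        c = CREATE_UDF.search(arg)
        if c:
            findings.append(Finding(_severity_for(c.group("lib")), "general_log",
                                    f"{where} registered UDF {c.group('name')!r} from {c.group('lib')!r}"))
        elif DIRECT_INSERT.search(arg):
            findings.append(Finding("high", "general_log", f"{where} wrote directly to mysql.func"))
    return findings


# Constructed sample data: one approved UDF, one unknown library, one matching the report.
SAMPLE_FUNC_ROWS = [
    ("example_udf", "lib_mysqludf_example.so"),  # constructed, on the allow-list
    ("helper", "helper.so"),                     # constructed, unknown library
    ("run_cmd", "amd.dll"),                      # library name from the report
]
SAMPLE_ALLOW_LIST = frozenset({"lib_mysqludf_example.so"})
SAMPLE_LOG_LINES = [
    "2023-11-16T15:16:00.000001Z\t   12 Connect\troot@203.0.113.7 on  using TCP/IP",
    "2023-11-16T15:16:01.000002Z\t   12 Query\tSELECT version()",
    "2023-11-16T15:16:03.000004Z\t   12 Query\tCREATE FUNCTION run_cmd RETURNS STRING SONAME 'amd.dll'",
    "2023-11-16T15:16:04.000005Z\t   12 Query\tINSERT INTO mysql.func VALUES ('x', 0, 'y.so', 'function')",
    "2023-11-16T15:16:05.000006Z\t   13 Query\tSELECT name FROM mysql.func",
]


def run_audit():
    """Run both checks over the constructed sample data and return all findings."""
    return (audit_func_table(SAMPLE_FUNC_ROWS, SAMPLE_ALLOW_LIST)
            + scan_general_log(SAMPLE_LOG_LINES))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity}] {f.source}: {f.detail}")
```

On a host that has never legitimately registered a UDF the allow-list is empty and any row in `mysql.func` is worth investigating; the general-log check only works if the general log (or an equivalent audit plugin) was enabled before the registration happened, which is the case to argue for when hardening an internet-exposed instance.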