Windows and Linux systems have been targeted with cryptomining payloads through internet-exposed PostgreSQL instances as part of a malware campaign tracked as Soco404, The Hacker News reports.
After gaining initial access, the threat actors abused PostgreSQL's COPY ... FROM PROGRAM SQL command to download and run a Windows binary that embeds the cryptocurrency miner, attempts to halt Windows event logging, and deletes itself after execution; the binary also drops the WinRing0.sys driver for privilege escalation, according to findings from Wiz researchers. Intrusions against Linux systems, by contrast, executed a dropper shell script directly in memory, which launches the miner and kills any competing mining malware. "Rather than relying on a single method or operating system, the attacker casts a wide net, deploying whichever tool or technique is available in the environment to deliver their payload," said the researchers. The findings follow an Aqua Security report detailing the use of artificial intelligence-generated panda images to spread the novel Koske Linux malware.
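The primitive the campaign relies on is a built-in PostgreSQL feature, not a bug: COPY ... FROM PROGRAM hands a shell command to the database host and loads its output into a table. The following is an added example, written for this page and not taken from the article or from Wiz's report, that reproduces the primitive with a harmless command and then audits which roles can reach it; the role name app_user and the table name cmd_out are hypothetical.

```sql
-- Added example, not from the article or from Wiz's report.
-- Run in psql as a superuser (or a member of pg_execute_server_program).

-- 1. The primitive: COPY ... FROM PROGRAM executes a shell command on the
--    database host as the postgres OS user and loads its stdout into a table.
--    Here the command is harmless ('id'); the campaign substitutes a
--    download-and-execute command in its place.
CREATE TEMP TABLE cmd_out (line text);          -- hypothetical table name
COPY cmd_out FROM PROGRAM 'id';
SELECT * FROM cmd_out;

-- 2. Audit: which roles can reach this primitive? Superusers always can;
--    any other role only through membership in pg_execute_server_program
--    (PostgreSQL 11 and later). Anything login-capable in this list that is
--    reachable from the internet is the exposure Soco404 is looking for.
SELECT r.rolname, r.rolsuper, r.rolcanlogin
FROM pg_roles AS r
WHERE r.rolsuper
   OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
ORDER BY r.rolname;

-- 3. Hardening: remove the grant from any role that does not need it
--    (app_user is a hypothetical application role).
REVOKE pg_execute_server_program FROM app_user;
```

The command is only reachable after authentication, so the check above is most useful alongside a review of listen_addresses and pg_hba.conf: an instance that only accepts connections from application hosts does not expose the primitive to the internet in the first place, and an application role that is not a superuser and not in pg_execute_server_program cannot invoke it even if its credentials leak.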
