One of the most widespread ransomware families, GandCrab, which keeps making headlines every now and then, is being circulated through multiple kinds of attacks, including exploit kits, compromised websites, social media campaigns, and weaponized Office documents.
Researchers have detected a new variant of GandCrab ransomware that is configured to attack Internet-facing MySQL servers on Windows; the ransomware is also reported to hold around a 40% share of the ransomware market.
How does it attack?
The malicious operation begins with the injection of a corrupted DLL file into the database server with the help of SQL database commands. As the attack proceeds, the DLL is invoked in order to fetch the ransomware payload, which is hosted on a malicious server.
The attacker first establishes a reliable connection to the database server and then uploads the corrupted helper DLL by means of the SQL set command; the DLL contents are transferred in the form of hexadecimal characters.
“Later they issued a command to concatenate binaries to a single file and them into the server’s plug-in directory. Also, they used several commands used to swap forward slash and backslash characters that seemed designed to make an end-run around security features,” researchers observed.
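The sequence described above (hex-encoded pieces uploaded with set commands, concatenated into one file under the server's plug-in directory, with slash-swapping on the path) leaves a recognisable trail in the MySQL general log. The following detector is an added example, not code from the article or from Sophos; the log lines, the hex bytes, the path and the rule thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in MySQL general-log format (not taken from the article).
# They imitate the staged upload the article describes: binary pieces sent as hex
# literals via SET, concatenated into one file in the plugin directory, and the
# path's forward slashes swapped for backslashes. Hex payloads are dummy bytes.
SAMPLE_LOG = r"""2019-05-20T10:01:02.000000Z 12 Connect root@203.0.113.7 on  using TCP/IP
2019-05-20T10:01:03.000000Z 12 Query SET @a = 0x4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000
2019-05-20T10:01:03.000000Z 12 Query SET @b = 0x0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f74
2019-05-20T10:01:04.000000Z 12 Query SELECT CONCAT(@a, @b) INTO DUMPFILE 'C:/ProgramData/MySQL/lib/plugin/helper.dll'
2019-05-20T10:01:05.000000Z 12 Query SELECT REPLACE('C:/ProgramData/MySQL/lib/plugin', '/', '\\')
2019-05-20T10:02:00.000000Z 13 Query SELECT id, name FROM customers WHERE id = 42
"""

# General-log line layout: timestamp, thread id, command type, argument text.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")

# Detection rules (name, regex). The 32-hex-char threshold is an assumption.
RULES = [
    ("hex_literal_upload", re.compile(r"\bSET\s+@\w+\s*=\s*0x[0-9a-fA-F]{32,}", re.I)),
    ("write_into_plugin_dir", re.compile(r"INTO\s+(DUMPFILE|OUTFILE)\s+'[^']*plugin[^']*'", re.I)),
    ("slash_swapping", re.compile(r"REPLACE\s*\(.*?'/'\s*,\s*'\\+'", re.I)),
]


def scan_general_log(text):
    """Return {thread_id: sorted rule names} for every thread that matched a rule."""
    findings = defaultdict(set)
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        for name, pattern in RULES:
            if pattern.search(m.group("arg")):
                findings[m.group("thread")].add(name)
    return {thread: sorted(names) for thread, names in findings.items()}


def suspicious_threads(text, min_rules=2):
    """Threads whose session tripped at least min_rules distinct rules: one stage alone
    can be benign, several in one connection look like a staged DLL drop."""
    return sorted(t for t, names in scan_general_log(text).items() if len(names) >= min_rules)


if __name__ == "__main__":
    for thread, names in scan_general_log(SAMPLE_LOG).items():
        print(f"thread {thread}: {', '.join(names)}")
    print("alert on threads:", suspicious_threads(SAMPLE_LOG))
```

The general log must be enabled for this to see anything, and a single rule hit (such as one hex literal) is weak on its own; the per-connection combination is what is worth alerting on.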
Citing the study conducted by the Sophos researchers: “an intriguing attack this week from a machine based in the United States. We monitored both the behavior and network traffic generated by this honeypot and were surprised to see the honeypot (which runs under Linux) download a Windows executable.”
“What makes this interesting is that the IP address of this machine hosting the GandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”
Assessing the threat, they said, “it does pose a serious risk to MySQL server admins who have poked a hole through the firewall for port 3306 on their database server to be reachable by the outside world.”