Cloud Threat Landscape

PG_MEM Malware Exploiting Misconfigured PostgreSQL Instances

Type: Campaign
Actors: 🐘 JINX-0126
Pub. date: August 19, 2024
Initial access: Software misconfiguration; Password attack
Impact: Resource hijacking
Observed techniques: Password brute-forcing; Misconfigured PostgreSQL abuse
Observed tools: XMRig
Targeted technologies: PostgreSQL
References: https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/
Status: Finalized
Last edited: Feb 27, 2025 2:35 PM

Researchers have documented a PostgreSQL malware strain called PG_MEM. The operator brute-forces weak passwords on misconfigured PostgreSQL instances, then uses the compromised account to create a new superuser role, deliver two malware payloads, hide its operations, and kill competing cryptominers already running on the host. Persistence and payload execution rely on PostgreSQL's ability to run operating-system commands from SQL (for example `COPY ... FROM PROGRAM`, which is available to superusers and to members of the `pg_execute_server_program` role), so the end state is a privileged database role that launches XMRig on the database server. The two controls that break the chain are strong authentication (no weak or default passwords, `pg_hba.conf` restricted to trusted networks) and monitoring for superuser role creation and `COPY ... PROGRAM` statements in the server log.
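The attack chain above leaves three recognisable traces in the PostgreSQL server log: a burst of failed password authentications from one client, a `CREATE ROLE ... SUPERUSER` statement, and a `COPY ... FROM PROGRAM` statement. The following detection script is an added example, not code from the Aqua report or from the Wiz catalog entry. It assumes `log_line_prefix = '%m [%p] %u@%d %h '` and `log_statement = 'mod'` (or `'all'`) on the server; both settings, the sample log lines, the role name `backup_svc` and the client addresses are assumptions constructed for the example.

```python
"""Detect a PG_MEM-style attack chain in PostgreSQL server logs.

Added example; not the Aqua or Wiz code. Assumptions (not from the page):
  log_line_prefix = '%m [%p] %u@%d %h '   -> timestamp [pid] user@db host
  log_statement   = 'mod' or 'all'        -> CREATE ROLE and COPY FROM are logged
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one client brute-forces 'postgres' six times in ten
# seconds, logs in, creates a superuser and runs a shell command via COPY.
# A second client fails once and then logs in normally (benign noise).
SAMPLE_LOG = """\
2024-08-19 10:00:01.001 UTC [4121] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-19 10:00:01.903 UTC [4122] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-19 10:00:02.810 UTC [4123] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-19 10:00:03.720 UTC [4124] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-19 10:00:04.633 UTC [4125] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-19 10:00:05.541 UTC [4126] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-19 10:00:06.450 UTC [4127] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2024-08-19 10:00:07.100 UTC [4127] postgres@postgres 203.0.113.7 LOG:  statement: CREATE ROLE backup_svc WITH LOGIN SUPERUSER PASSWORD 'x'
2024-08-19 10:00:08.200 UTC [4127] postgres@postgres 203.0.113.7 LOG:  statement: COPY scratch FROM PROGRAM 'uname -a'
2024-08-19 10:15:00.000 UTC [4200] app@inventory 198.51.100.9 FATAL:  password authentication failed for user "app"
2024-08-19 10:16:00.000 UTC [4201] app@inventory 198.51.100.9 LOG:  connection authorized: user=app database=inventory
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ \[(?P<pid>\d+)\] "
    r"(?P<user>[^@\s]+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# Role creation or alteration that grants superuser, and server-side program execution.
SUPERUSER_RE = re.compile(r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*\bSUPERUSER\b", re.I)
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I)


def parse_line(line):
    """Return a dict for a line in the assumed prefix format, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ev


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Hosts with >= threshold failed logins inside any sliding window."""
    fails = defaultdict(list)
    for ev in events:
        if ev["level"] == "FATAL" and AUTH_FAIL_RE.search(ev["msg"]):
            fails[ev["host"]].append(ev["ts"])
    hits = {}
    for host, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[host] = best
    return hits


def find_privilege_abuse(events):
    """Logged statements that create a superuser or execute a server-side program."""
    findings = []
    for ev in events:
        if not ev["msg"].startswith("statement: "):
            continue
        stmt = ev["msg"][len("statement: "):]
        kind = None
        if SUPERUSER_RE.search(stmt):
            kind = "superuser_role"
        elif COPY_PROGRAM_RE.search(stmt):
            kind = "copy_program"
        if kind:
            findings.append({"kind": kind, "host": ev["host"], "user": ev["user"], "statement": stmt})
    return findings


def analyze(lines):
    """Run both detectors over raw log lines (unparseable lines are skipped)."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev]
    return {"bruteforce": find_bruteforce(events), "abuse": find_privilege_abuse(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for host, n in result["bruteforce"].items():
        print(f"brute force: {host} ({n} failures within the window)")
    for f in result["abuse"]:
        print(f"{f['kind']}: {f['user']}@{f['host']}: {f['statement']}")
```

The brute-force detector uses a sliding window rather than a flat count per host so a slow, low-volume spray over hours is not confused with a burst; tune `threshold` and `window` to the instance's normal failure rate. Authentication failures are logged at `FATAL` level and the statements only appear with `log_statement` set to `'mod'` or `'all'`, so confirm both before trusting the second detector. A complementary point-in-time check is `SELECT rolname FROM pg_roles WHERE rolsuper;`, which lists every superuser and should contain nothing unexpected.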


Last Updated: April 3, 2025