A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network
Campaign Information
Name
Yongger2
| |
|
First seen in Guardicore Centra |
2018-08-07 |
|
Last seen in Guardicore Centra |
2020-12-03 |
|
This long-known attack flow dates back to as early as 2012. At its core, this is a dropper (downloader) of additional payloads, which receives its URL as a parameter. The initial breach is done over MySQL using brute-force. Once inside the database, the attacker creates a new table named yongger2 and writes the dropper’s binary payload to it. The payload is then saved to a file ‘cna12.dll’ and executed. One of the DLL’s exported functions -‘xpdl3’ – is used to drop additional payloads and create a backdoor user named piress. This technique has already been widely described. Recent publications imply that the dropper has been used to deliver the GandCrab ransomware. |
|
Customized Firewall Rules for Your Attack Surface
Deploy our threat intelligence sensors in your organization’s data center
and get rules tailored to the attacks that have tried to compromise your specific environment.
Indicators of Compromise
Source IPs
Associated Files
| Path | Hash | Size |
|---|---|---|
|
/usr/local/mysql/data/mysql/..\bin\cna12.dll, /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll |
1f86561ca8ff302df2a64e6d12ff530bb461f9a93cf9b7c074699e834f59ef44 |
3.50 KB |
|
/usr/local/mysql/lib/plugin/aepfnp32.so, /usr/local/mysql/lib/plugin/avbmpb32.so, /usr/local/mysql/lib/plugin/bgutwv32.so… |
681c6aa7782eb7780ea4d0745ba9dfd0c20cd363e3f2976f7e76fe13984d364d |
7.94 KB |
|
/etc/rc.local, /etc/sed0wXgLk, /etc/sed4MzVBE… |
bb32aeed4f6e2a1f5c8f0046658dd243954f07671e6757e0bfd77b937394b5fc |
233 bytes |
|
/usr/local/mysql/data/c:\winshell.exe |
e05527f1dc3dda6510bc0c6342a776c66febdd455f9c6cdd3bc9c1c6d4495577 |
132.00 KB |
|
C:\hexClientH.exe, C:\Windows\System32\hexClientH.exe, /usr/local/mysql/data/c:\winshell.exe |
373386e8003f83aaaf619b744aac9039bfe104043171c793cc54ed8a8b961a87 |
41.00 KB |
|
/tmp/xxsdwaklxxk, /tmp/xxsdwakxxs8848 |
5e7688c429bdf4657fa835970e62074c8c438c27ae2b993deb94b124caedb089 |
1.85 MB |
|
/usr/local/mysql/data/mysql/\usr\local\mysql\bin\\nusql.dll, /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\nusql.dll |
96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 |
2 bytes |
|
/etc/rc.local, /etc/sedhdcAYI |
cc1a30fe5d544f6aba5d28d6cdc2929b6a61fb5589d38cc8c5dcf2f5942d8708 |
247 bytes |
|
/usr/local/mysql/data/lxxk |
f7a19568a6a9072b67ad42b37b36a8d177f349f3b5f9731378a31123f1f9e874 |
3.21 MB |
|
/usr/local/mysql/data/c:\winshell.exe |
e00222d3bd40ace6a727bc4b186993b7cdcbec64ac450a9235c73590b865ada4 |
212.07 KB |
|
/usr/local/mysql/data/c:\winshell.exe |
ec811d6f457c0c6e2649de05cb7b2eb59284e6378cf9fdb04858f27e73a2e634 |
292.00 KB |
|
/usr/local/mysql/data/c:\winshell.exe |
655bb6dc836a212b104af44e9c1834ca105410b23391f67ccaf4546875160f54 |
48.00 KB |
Attack Flow
|
Breached Services |
MYSQL |
|
Tags |
Malicious Mysql Command Create Mysql Table Download File MYSQL 100+ Sql Commands Executable File Modification Create Mysql Function Drop Mysql Table |
Incident Summary
|
An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
Malicious MySQL commands were executed: DROP FUNCTION, DUMPFILE, INSERT INTO and UPDATE |
Malicious Mysql Command |
|
An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf32.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf32.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin1.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin1.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
MySQL tables were dropped: mysql.yongger2 |
Drop Mysql Table |
|
MySQL tables were created: mysql.yongger2 |
Create Mysql Table |
|
Executable file /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll was modified 4 times |
Executable File Modification |
|
/usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll was downloaded |
Download File |
|
Executable file /usr/local/mysql/data/mysql/..\bin\cna12.dll was modified 4 times |
Executable File Modification |
|
/usr/local/mysql/data/mysql/..\bin\cna12.dll was downloaded |
Download File |
|
An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/cna12.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf32.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf32.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin1.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin1.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll |
Create Mysql Function |
|
Connection was closed due to user inactivity |