Yongger2 - Guardicore - Data Center and Cloud Security

Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name

Yongger2active

First seen in Guardicore Centra 2018-08-07

Last seen in Guardicore Centra 2020-12-03

This long-known attack flow dates back to as early as 2012. At its core, this is a dropper (downloader) of additional payloads, which receives its URL as a parameter. The initial breach is done over MySQL using brute-force. Once inside the database, the attacker creates a new table named yongger2 and writes the dropper’s binary payload to it. The payload is then saved to a file ‘cna12.dll’ and executed. One of the DLL’s exported functions -‘xpdl3’ – is used to drop additional payloads and create a backdoor user named piress. This technique has already been widely described. Recent publications imply that the dropper has been used to deliver the GandCrab ransomware.

Customized Firewall Rules for Your Attack Surface

Deploy our threat intelligence sensors in your organization’s data center
and get rules tailored to the attacks that have tried to compromise your specific environment.

Indicators of Compromise

Source IPs

Connect-Back Servers

Associated Files

Path	Hash	Size
/usr/local/mysql/data/mysql/..\bin\cna12.dll, /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll	1f86561ca8ff302df2a64e6d12ff530bb461f9a93cf9b7c074699e834f59ef44	3.50 KB
/usr/local/mysql/lib/plugin/aepfnp32.so, /usr/local/mysql/lib/plugin/avbmpb32.so, /usr/local/mysql/lib/plugin/bgutwv32.so…	681c6aa7782eb7780ea4d0745ba9dfd0c20cd363e3f2976f7e76fe13984d364d	7.94 KB
/etc/rc.local, /etc/sed0wXgLk, /etc/sed4MzVBE…	bb32aeed4f6e2a1f5c8f0046658dd243954f07671e6757e0bfd77b937394b5fc	233 bytes
/usr/local/mysql/data/c:\winshell.exe	e05527f1dc3dda6510bc0c6342a776c66febdd455f9c6cdd3bc9c1c6d4495577	132.00 KB
C:\hexClientH.exe, C:\Windows\System32\hexClientH.exe, /usr/local/mysql/data/c:\winshell.exe	373386e8003f83aaaf619b744aac9039bfe104043171c793cc54ed8a8b961a87	41.00 KB
/tmp/xxsdwaklxxk, /tmp/xxsdwakxxs8848	5e7688c429bdf4657fa835970e62074c8c438c27ae2b993deb94b124caedb089	1.85 MB
/usr/local/mysql/data/mysql/\usr\local\mysql\bin\\nusql.dll, /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\nusql.dll	96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7	2 bytes
/etc/rc.local, /etc/sedhdcAYI	cc1a30fe5d544f6aba5d28d6cdc2929b6a61fb5589d38cc8c5dcf2f5942d8708	247 bytes
/usr/local/mysql/data/lxxk	f7a19568a6a9072b67ad42b37b36a8d177f349f3b5f9731378a31123f1f9e874	3.21 MB
/usr/local/mysql/data/c:\winshell.exe	e00222d3bd40ace6a727bc4b186993b7cdcbec64ac450a9235c73590b865ada4	212.07 KB
/usr/local/mysql/data/c:\winshell.exe	ec811d6f457c0c6e2649de05cb7b2eb59284e6378cf9fdb04858f27e73a2e634	292.00 KB
/usr/local/mysql/data/c:\winshell.exe	655bb6dc836a212b104af44e9c1834ca105410b23391f67ccaf4546875160f54	48.00 KB

Attack Flow

Breached Services

MYSQL

Incident Summary

An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

Malicious MySQL commands were executed: DROP FUNCTION, DUMPFILE, INSERT INTO and UPDATE

Malicious Mysql Command

An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf32.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf32.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin1.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin1.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

MySQL tables were dropped: mysql.yongger2

Drop Mysql Table

MySQL tables were created: mysql.yongger2

Drop Mysql Table

Executable file /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll was modified 4 times

Executable File Modification

/usr/local/mysql/data/mysql/..\bin\cna12.dll was downloaded

Download File

An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/cna12.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf32.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf32.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin1.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin1.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll

Create Mysql Function

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Create Mysql Function

Stop Ransomware Attacks

Rethink Your Firewall

Zero Trust

Cloud Security

Segmentation Initiatives

Compliance

Industries

Campaign Information

Name

Customized Firewall Rules for Your Attack Surface

Indicators of Compromise

Source IPs

Connect-Back Servers

Associated Files

Attack Flow

Breached Services

Tags

Incident Summary

An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll

An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll

An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Malicious MySQL commands were executed: DROP FUNCTION, DUMPFILE, INSERT INTO and UPDATE

An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf32.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf32.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin1.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin1.dll

An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll

An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

MySQL tables were dropped: mysql.yongger2

MySQL tables were created: mysql.yongger2

Executable file /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll was modified 4 times

/usr/local/mysql/data/mysql/..\bin\cna12.dll was downloaded

An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/cna12.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf32.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf32.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin1.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin1.dll

An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll

An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll

An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll

Connection was closed due to user inactivity

For additional reading materials, visit the links below:

???? Return to Botnet Encyclopedia

© 2021 Guardicore

Coming to Black Hat? Make sure you come say hi 👋