A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network
Campaign Information
Name Yongger2 | |
First seen in Guardicore Centra | 2018-08-07 |
Last seen in Guardicore Centra | 2020-06-17 |
This long-known attack flow dates back to as early as 2012. At its core, this is a dropper (downloader) of additional payloads, which receives its URL as a parameter. The initial breach is done over MySQL using brute-force. Once inside the database, the attacker creates a new table named yongger2 and writes the dropper’s binary payload to it. The payload is then saved to a file ‘cna12.dll’ and executed. One of the DLL’s exported functions -‘xpdl3’ – is used to drop additional payloads and create a backdoor user named piress. This technique has already been widely described. Recent publications imply that the dropper has been used to deliver the GandCrab ransomware. | |
Customized Firewall Rules for Your Attack Surface
Deploy our threat intelligence sensors in your organization’s data center
and get rules tailored to the attacks that have tried to compromise your specific environment.
Indicators of Compromise
Source IPs
Associated Files
| Path | Hash | Size |
|---|---|---|
/usr/local/mysql/data/mysql/..\bin\cna12.dll, /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll | 1f86561ca8ff302df2a64e6d12ff530bb461f9a93cf9b7c074699e834f59ef44 | 3.50 KB |
/usr/local/mysql/lib/plugin/aepfnp32.so, /usr/local/mysql/lib/plugin/avbmpb32.so, /usr/local/mysql/lib/plugin/bgutwv32.so… | 681c6aa7782eb7780ea4d0745ba9dfd0c20cd363e3f2976f7e76fe13984d364d | 7.94 KB |
/etc/rc.local, /etc/sed0wXgLk, /etc/sed4MzVBE… | bb32aeed4f6e2a1f5c8f0046658dd243954f07671e6757e0bfd77b937394b5fc | 233 bytes |
/usr/local/mysql/data/c:\winshell.exe | e05527f1dc3dda6510bc0c6342a776c66febdd455f9c6cdd3bc9c1c6d4495577 | 132.00 KB |
C:\hexClientH.exe, C:\Windows\System32\hexClientH.exe, /usr/local/mysql/data/c:\winshell.exe | 373386e8003f83aaaf619b744aac9039bfe104043171c793cc54ed8a8b961a87 | 41.00 KB |
/tmp/xxsdwaklxxk, /tmp/xxsdwakxxs8848 | 5e7688c429bdf4657fa835970e62074c8c438c27ae2b993deb94b124caedb089 | 1.85 MB |
/usr/local/mysql/data/mysql/\usr\local\mysql\bin\\nusql.dll, /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\nusql.dll | 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7 | 2 bytes |
/etc/rc.local, /etc/sedhdcAYI | cc1a30fe5d544f6aba5d28d6cdc2929b6a61fb5589d38cc8c5dcf2f5942d8708 | 247 bytes |
/usr/local/mysql/data/lxxk | f7a19568a6a9072b67ad42b37b36a8d177f349f3b5f9731378a31123f1f9e874 | 3.21 MB |
/usr/local/mysql/data/c:\winshell.exe | e00222d3bd40ace6a727bc4b186993b7cdcbec64ac450a9235c73590b865ada4 | 212.07 KB |
/usr/local/mysql/data/c:\winshell.exe | ec811d6f457c0c6e2649de05cb7b2eb59284e6378cf9fdb04858f27e73a2e634 | 292.00 KB |
/usr/local/mysql/data/c:\winshell.exe | 655bb6dc836a212b104af44e9c1834ca105410b23391f67ccaf4546875160f54 | 48.00 KB |
Attack Flow
Breached Services | MYSQL |
Tags | Create Mysql Function MYSQL 100+ Sql Commands Download and Allow Execution Drop Mysql Table Malicious Mysql Command Download File Create Mysql Table Download and Execute Outgoing Connection |
Incident Summary
MySQL tables were dropped: mysql.yongger2 | Drop Mysql Table |
MySQL tables were created: mysql.iyitnp32, mysql.jlzhex, mysql.ofdjyk, mysql.ynizhb32 and mysql.yongger2 | Create Mysql Table |
Malicious MySQL commands were executed: DROP FUNCTION, DUMPFILE, INSERT INTO and UPDATE | Malicious Mysql Command |
/usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll was downloaded | Download File |
/usr/local/mysql/data/mysql/..\bin\cna12.dll was downloaded | Download File |
An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/cna12.dll 7 times | Create Mysql Function |
/usr/local/mysql/data/c:\tan.exe was downloaded | Download File |
/usr/local/mysql/data/c:\tan1.exe was downloaded | Download File |
/usr/local/mysql/data/c:\exp.exe was downloaded | Download File |
/usr/local/mysql/data/c:\exp1.exe was downloaded | Download File |
/usr/local/mysql/data/c:\exp2.exe was downloaded | Download File |
An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf32.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf32.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin1.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin1.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll | Create Mysql Function |
//usr/local/mysql/lib/plugin/jlzhex was downloaded | Download File |
//usr/local/mysql/lib/plugin/ynizhb32.so was downloaded | Download File |
MySQL user-defined function (UDF) lib_mysqludf_sys_info implemented in /usr/local/mysql/lib/plugin/ynizhb32.so was created | Create Mysql Function |
The file /usr/local/mysql/lib/plugin/ynizhb32.so was downloaded and loaded by /usr/local/mysql/bin/mysqld 2 times | Download and Execute |
MySQL user-defined function (UDF) sys_get implemented in /usr/local/mysql/lib/plugin/ynizhb32.so was created | Create Mysql Function |
MySQL user-defined function (UDF) sys_set implemented in /usr/local/mysql/lib/plugin/ynizhb32.so was created | Create Mysql Function |
MySQL user-defined function (UDF) sys_exec implemented in /usr/local/mysql/lib/plugin/ynizhb32.so was created | Create Mysql Function |
MySQL user-defined function (UDF) sys_eval implemented in /usr/local/mysql/lib/plugin/ynizhb32.so was created | Create Mysql Function |
The file /usr/local/mysql/lib/plugin/jlzhex was downloaded and granted execution privileges | Download and Allow Execution |
Process /usr/bin/wget generated outgoing network traffic to: 119.188.242.201:6688 2 times | Outgoing Connection |
An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf32.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf32.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin1.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin1.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll | Create Mysql Function |
An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll | Create Mysql Function |
//usr/local/mysql/lib/plugin/ofdjyk was downloaded | Download File |
//usr/local/mysql/lib/plugin/iyitnp32.so was downloaded | Download File |
MySQL user-defined function (UDF) lib_mysqludf_sys_info implemented in /usr/local/mysql/lib/plugin/iyitnp32.so was created | Create Mysql Function |
The file /usr/local/mysql/lib/plugin/iyitnp32.so was downloaded and loaded by /usr/local/mysql/bin/mysqld 2 times | Download and Execute |
MySQL user-defined function (UDF) sys_get implemented in /usr/local/mysql/lib/plugin/iyitnp32.so was created | Create Mysql Function |
MySQL user-defined function (UDF) sys_set implemented in /usr/local/mysql/lib/plugin/iyitnp32.so was created | Create Mysql Function |
MySQL user-defined function (UDF) sys_exec implemented in /usr/local/mysql/lib/plugin/iyitnp32.so was created | Create Mysql Function |
MySQL user-defined function (UDF) sys_eval implemented in /usr/local/mysql/lib/plugin/iyitnp32.so was created | Create Mysql Function |
The file /usr/local/mysql/lib/plugin/ofdjyk was downloaded and granted execution privileges | Download and Allow Execution |
Connection was closed due to timeout |