Botnet Encyclopedia

A Knowledge Base of Attack Campaigns captured by Guardicore Global Sensor Network

Campaign Information

Name: Yongger2 (active)

First seen in Guardicore Centra: 2018-08-07

Last seen in Guardicore Centra: 2020-12-03

This long-known attack flow dates back to as early as 2012. At its core it is a dropper (downloader) of additional payloads, which receives the URL of the payload to fetch as a parameter. The initial breach is done over MySQL using brute-force. Once inside the database, the attacker creates a new table named yongger2 and writes the dropper's binary payload to it. The payload is then saved to a file 'cna12.dll' and executed. One of the DLL's exported functions, 'xpdl3', is used to drop additional payloads and create a backdoor user named piress. This technique has already been widely described. Recent publications imply that the dropper has been used to deliver the GandCrab ransomware.


Indicators of Compromise

Associated Files (path, SHA-256 hash, size)

Path: /usr/local/mysql/data/mysql/..\bin\cna12.dll, /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll
Hash: 1f86561ca8ff302df2a64e6d12ff530bb461f9a93cf9b7c074699e834f59ef44
Size: 3.50 KB

Path: /usr/local/mysql/lib/plugin/aepfnp32.so, /usr/local/mysql/lib/plugin/avbmpb32.so, /usr/local/mysql/lib/plugin/bgutwv32.so…
Hash: 681c6aa7782eb7780ea4d0745ba9dfd0c20cd363e3f2976f7e76fe13984d364d
Size: 7.94 KB

Path: /etc/rc.local, /etc/sed0wXgLk, /etc/sed4MzVBE…
Hash: bb32aeed4f6e2a1f5c8f0046658dd243954f07671e6757e0bfd77b937394b5fc
Size: 233 bytes

Path: /usr/local/mysql/data/c:\winshell.exe
Hash: e05527f1dc3dda6510bc0c6342a776c66febdd455f9c6cdd3bc9c1c6d4495577
Size: 132.00 KB

Path: C:\hexClientH.exe, C:\Windows\System32\hexClientH.exe, /usr/local/mysql/data/c:\winshell.exe
Hash: 373386e8003f83aaaf619b744aac9039bfe104043171c793cc54ed8a8b961a87
Size: 41.00 KB

Path: /tmp/xxsdwaklxxk, /tmp/xxsdwakxxs8848
Hash: 5e7688c429bdf4657fa835970e62074c8c438c27ae2b993deb94b124caedb089
Size: 1.85 MB

Path: /usr/local/mysql/data/mysql/\usr\local\mysql\bin\\nusql.dll, /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\nusql.dll
Hash: 96a296d224f285c67bee93c30f8a309157f0daa35dc5b87e410b78630a09cfc7
Size: 2 bytes

Path: /etc/rc.local, /etc/sedhdcAYI
Hash: cc1a30fe5d544f6aba5d28d6cdc2929b6a61fb5589d38cc8c5dcf2f5942d8708
Size: 247 bytes

Path: /usr/local/mysql/data/lxxk
Hash: f7a19568a6a9072b67ad42b37b36a8d177f349f3b5f9731378a31123f1f9e874
Size: 3.21 MB

Path: /usr/local/mysql/data/c:\winshell.exe
Hash: e00222d3bd40ace6a727bc4b186993b7cdcbec64ac450a9235c73590b865ada4
Size: 212.07 KB

Path: /usr/local/mysql/data/c:\winshell.exe
Hash: ec811d6f457c0c6e2649de05cb7b2eb59284e6378cf9fdb04858f27e73a2e634
Size: 292.00 KB

Path: /usr/local/mysql/data/c:\winshell.exe
Hash: 655bb6dc836a212b104af44e9c1834ca105410b23391f67ccaf4546875160f54
Size: 48.00 KB

Attack Flow

Breached Services

MYSQL

Tags

Malicious Mysql Command

Create Mysql Table

Download File

MYSQL

100+ Sql Commands

Executable File Modification

Create Mysql Function

Drop Mysql Table

Incident Summary (events in recorded order, each prefixed with its tag)

Create Mysql Function: An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Malicious Mysql Command: Malicious MySQL commands were executed: DROP FUNCTION, DUMPFILE, INSERT INTO and UPDATE
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf32.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf32.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin1.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin1.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Drop Mysql Table: MySQL tables were dropped: mysql.yongger2
Create Mysql Table: MySQL tables were created: mysql.yongger2
Executable File Modification: Executable file /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll was modified 4 times
Download File: /usr/local/mysql/data/mysql/\usr\local\mysql\lib\plugin\\cna12.dll was downloaded
Executable File Modification: Executable file /usr/local/mysql/data/mysql/..\bin\cna12.dll was modified 4 times
Download File: /usr/local/mysql/data/mysql/..\bin\cna12.dll was downloaded
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/udf.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) xpdl3 implemented in /usr/local/mysql/lib/plugin/cna12.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf32.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/udf33.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf32.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/udf33.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xsa.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/xijin1.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/xijin1.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) shell implemented in /usr/local/mysql/lib/plugin/udf.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshelv implemented in /usr/local/mysql/lib/plugin/udf.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) cmdshell implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Create Mysql Function: An attempt to create MySQL user-defined function (UDF) downloader implemented in /usr/local/mysql/lib/plugin/lib_mysqludf_sys.dll
Connection was closed due to user inactivity