A Chinese threat actor has been targeting MSSQL and MySQL databases on Windows and Linux systems all year, deploying one of three malware strains, each with its own design and purpose.

The group has been active since early this year and is using a sprawling infrastructure to scan for vulnerable hosts, launch attacks, and host malware. This wide-reaching infrastructure and unrelated malware strains have helped the group remain hidden in a cloud of previously unlinked incidents for most of the year.

Attackers deployed three new malware strains

According to a report released yesterday, after many months of tracking mysterious attacks, security researchers at GuardiCore have finally managed to piece together and interlink the attacks.

Looking over the attacking group's operations, researchers say they spotted three main campaigns, each distributing a new strain of never-before-seen malware.

The first wave of attacks targeted Windows servers running MSSQL databases, on which attackers deployed a malware strain named Hex that acted as a Remote Access Trojan (RAT) and as a crypto-mining trojan.

The second wave also targeted MSSQL databases running on Windows servers, but this time around the attackers left behind a malware strain named Taylor, which worked as a keylogger and backdoor.

Attackers diversified their attacks for the third wave, which scanned for vulnerable MSSQL and MySQL databases running on both Windows and Linux servers. For these attacks, hackers installed a new malware strain named Hanako, a trojan used for launching DDoS attacks.

Hex, Taylor, and Hanako

Attackers were very careful to mask malicious operations

Hackers broke into vulnerable servers by configuring each previously infected server to scan a small number of IP addresses and find other database servers that used weak login credentials.

Attackers paid special attention to limit the scanning behavior to a small number of IPs so infected hosts wouldn't scan a large number of other servers, and also relied on infected hosts to perform the scan so that they wouldn't expose too much of their central command-and-control (C&C) infrastructure.

Attackers also switched from one malware strain to another, intertwining campaigns, and generating around 300 unique malware binaries per attack wave. In addition, they also constantly rotated C&C servers and domains, something you don't regularly see except in nation-state-level attacks.

Attackers went after cloud infrastructure

According to GuardiCore, attackers went scanned for Azure and AWS public IP ranges, which are publicly known. They hoped to find an enterprise cloud server running with weak credentials that was storing troves of sensitive information.

While attackers focused on remaining under the radar of advanced security products, some campaigns hit tens of thousands of servers. For example, a campaign distributing the Taylor malware targeted over 80,000 servers in March.

This particular malware strain, named after an image portraying US singer Taylor Swift that researchers found on one of its C&C servers, was previously misidentified by Kaspersky as a Windows variant for the Mirai malware in February.

Kaspersky researchers shouldn't feel bad about their initial findings, mainly because the entire operation was very well cloaked. For example, GuardiCore described its experience of researching these attacks as "an escape room experience where one clue leads to another."

In this case, the escape room challenge kept researchers busy for almost a year. Despite the complicated research, GuardiCore feels confident it at least identified the attacker's possible location.

Attackers most likely based in China

"Ample evidence suggests that the attack group is based in China," say researchers. "Comments in Chinese are routinely found in the code, the majority of victims are based in Mainland China, the Trojan RAT disguises itself as a popular Chinese program and configuration files list email addresses from popular Chinese providers."

For the time being, MSSQL and MySQL server owners should make sure they use a solid password for their database accounts, use a firewall that can block brute-force attacks, and should also check their system for the presence of the following database admins accounts, used by attackers to create backdoors on compromised systems.


Other indicators of compromise (IoC) are available in GuardiCore's report. Earlier in the year, GuardiCore also exposed BondNet, a botnet of over 15,000 Windows Server machines that was being used for cryptocurrency mining. Researchers said they believed BondNet, too, was being operated out of China.

Also yesterday, McAfee published a report on the generic make-up of Chinese cybercrime hacking crews and their regular mode of operation that might provide some context for the current article.