Researchers from Imperva have discovered a new technique in which attackers hide malicious code inside a photo of Scarlett Johansson and target PostgreSQL servers to mine Monero cryptocurrency without the owners' consent.

“Hackers have upped their game and are now using what appear to be benign image files, such as the one we found of Scarlett Johansson, to deliver malicious code. In this case, the code infected a Postgre database, and then conscripted its server into a Monero cryptomining bot that was part of a pool that at last look had made more than $90,000,” stated Elad Erez, director of innovation at Imperva.

In the case identified by Imperva researchers, the attackers use the image of Scarlett Johansson as the delivery vehicle for the payload.

To throw people off track, the attackers host the malicious code as an image on imagehousing.com, a legitimate website for hosting and sharing images, so the download looks like ordinary image traffic from a reputable site.

The trick the attackers have employed is to append the malicious binary to the end of a real picture, in this case one of Scarlett Johansson with a PNG file extension. The file still begins with a valid PNG signature and chunk sequence, so it passes upload and download filters that only check the image format, opens normally in any viewer and, most importantly, appears benign. Yet the payload is still there: PNG decoders stop reading at the IEND chunk, and the attackers' binary sits immediately after it, ignored by the viewer but easy to carve out with a script that knows the offset.
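The appended-payload trick, and the check a defender would run against a downloaded image, as an added example that is not Imperva's code or the attackers': a small PNG parser walks the chunk list to IEND and reports whatever follows it. The sample image and the stand-in payload (an ELF magic number followed by filler, not a real binary) are constructed inline so the script runs offline.

```python
"""Detect bytes appended after a PNG's IEND chunk.

Example added to this article (not Imperva's tooling). PNG decoders stop at
IEND, so a viewer renders the picture normally even when a binary has been
glued onto the end; a defender has to parse the chunks and compare where the
image ends with where the file ends.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ELF_MAGIC = b"\x7fELF"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Minimal valid 8-bit RGB PNG (all-black pixels), constructed for the demo."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline: filter byte 0 followed by 3 bytes per pixel.
    scanlines = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines))
            + _chunk(b"IEND", b""))


def walk_chunks(blob: bytes):
    """Parse chunks up to and including IEND.

    Returns (list_of_chunk_types, offset_just_after_IEND). Raises ValueError
    if the signature or any chunk is malformed, so a file that is not really
    a PNG is reported rather than silently treated as clean.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    types = []
    while True:
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header (no IEND found)")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_at = pos + 8 + length
        if crc_at + 4 > len(blob):
            raise ValueError(f"truncated {ctype!r} chunk")
        (crc,) = struct.unpack(">I", blob[crc_at:crc_at + 4])
        if crc != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        types.append(ctype)
        pos = crc_at + 4
        if ctype == b"IEND":
            return types, pos


def trailing_payload(blob: bytes) -> bytes:
    """Everything after IEND; empty for a clean image."""
    _, end = walk_chunks(blob)
    return blob[end:]


def inspect(blob: bytes) -> dict:
    """Summarise what, if anything, rides behind the image."""
    payload = trailing_payload(blob)
    return {
        "image_bytes": len(blob) - len(payload),
        "trailing_bytes": len(payload),
        "looks_like_elf": payload.startswith(ELF_MAGIC),
    }


# Constructed stand-in for an appended Linux binary: ELF magic plus filler.
# Not an executable, just enough to show what the check flags.
FAKE_PAYLOAD = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"<constructed filler>"

if __name__ == "__main__":
    clean = make_png()
    stuffed = clean + FAKE_PAYLOAD
    print("clean  :", inspect(clean))
    print("stuffed:", inspect(stuffed))
    # Both parse as valid PNGs; only the trailing-byte count differs.
```

Both the clean and the stuffed file pass the CRC checks and would display identically; the only signal is that the parsed image ends before the file does. Any non-zero trailing length on an image fetched by a server process deserves a look, whether or not the bytes happen to start with an ELF header.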

Once the image has been downloaded and the payload extracted from it, the compromised server is conscripted into a Monero cryptomining pool, and its resources are no longer fully available for their original purpose.

To avoid being hit by the attack, Imperva recommends the following:

  • Watch out for direct calls to lo_export, or indirect calls made through entries in pg_proc
  • Beware of functions that call out to C-language binaries (as in Figure 2)
  • Use a firewall to block outgoing network traffic from your database to the internet
  • Make sure your database is not assigned a public IP address. If it is, restrict access to only the hosts that interact with it (the application server, or clients owned by DBAs)
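The first two recommendations translate into a catalog query. The audit script below is an added example for this article, not Imperva's code: the SQL is real PostgreSQL over pg_proc, pg_language and pg_namespace, and run_audit() accepts any DB-API 2.0 connection such as one from psycopg2 (assumed, not shown). The triage flags a LANGUAGE C function whose shared object does not live under $libdir (extensions installed normally do) and any function body that mentions lo_export, which covers the indirect case; direct lo_export calls are a matter for statement logging, not the catalog. The rows in SAMPLE_ROWS and the function names in them are constructed so the triage runs offline.

```python
"""Audit pg_proc for the indicators in the list above.

Example added to this article, not Imperva's tooling. Two heuristics:
  * a LANGUAGE C function whose shared object is not under $libdir
    (extensions installed through the package manager register as
    '$libdir/<ext>'; an arbitrary absolute path is the red flag)
  * a function whose source text reaches lo_export, which writes a large
    object to a file on the database server's own filesystem
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Real catalog query: one row per non-builtin function with its language,
# shared-object path (probin, set for C functions) and source text (prosrc).
AUDIT_QUERY = """
SELECT n.nspname, p.proname, l.lanname, p.probin, p.prosrc
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanname <> 'internal'
ORDER BY n.nspname, p.proname
"""

Row = Tuple[str, str, str, Optional[str], Optional[str]]


@dataclass(frozen=True)
class Finding:
    schema: str
    function: str
    reason: str


def triage(rows: Iterable[Row]) -> List[Finding]:
    """Apply the two heuristics to rows shaped like AUDIT_QUERY's output."""
    findings: List[Finding] = []
    for nspname, proname, lanname, probin, prosrc in rows:
        if lanname == "c" and not (probin or "").startswith("$libdir/"):
            findings.append(Finding(
                nspname, proname,
                f"C function loads shared object outside $libdir: {probin}"))
        if prosrc and "lo_export" in prosrc.lower():
            findings.append(Finding(nspname, proname, "function body calls lo_export"))
    return findings


def run_audit(conn) -> List[Finding]:
    """Run AUDIT_QUERY on a DB-API 2.0 connection (e.g. psycopg2) and triage."""
    cur = conn.cursor()
    cur.execute(AUDIT_QUERY)
    return triage(cur.fetchall())


# Constructed rows shaped like the query's output; the names are illustrative.
SAMPLE_ROWS: List[Row] = [
    ("public", "armor", "c", "$libdir/pgcrypto", "pg_armor"),               # pgcrypto, expected
    ("public", "exec_helper", "c", "/tmp/.cache/helper.so", "exec_helper"),  # suspicious path
    ("public", "dump_blob", "plpgsql", None,
     "BEGIN PERFORM lo_export(12345, '/tmp/.cache/helper.so'); END;"),       # writes to disk
    ("public", "order_total", "sql", None, "SELECT sum(amount) FROM orders"),  # ordinary
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.schema}.{f.function}: {f.reason}")
```

Run against a live server with run_audit(conn) as a superuser, since pg_proc rows for other roles' functions are visible but their probin paths are what matter. Schedule it alongside the firewall and network-exposure checks in the remaining two recommendations; a C function appearing under /tmp between two runs is exactly the change the list tells you to watch for.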
