Gh0stCringe is what is referred to as a remote access trojan. Remote access trojans are used to remotely take control of a desired target device. The delivery method for this type of malware varies. While there has not yet been a documented infection vector, it is my belief that, due to the nature of the targets, namely SQL and MySQL databases without strong login credentials and with weak security, it is only a matter of time before its use is widespread.
When deployed, Gh0stCringe runs its initial program in the background to infect registry keys and obfuscate itself into sqlserver.exe, mysqld.exe, and mysqld-nt.exe. Once the malware has fully infected the machine, it can communicate with a predetermined control node via remote execution to exfiltrate data, act as a keylogger, execute commands, or even remotely install other malware. As an example, reports indicate that Gh0stCringe is being used to install cryptominers onto exploited servers.
Thoughts and recommendations
Gh0stCringe appears to be designed to target low-hanging fruit on servers that aren't secured well, or where IT specialists are not well versed in SQL security. Strong passwords and prevention of non-local access should be implemented immediately. Increased network and equipment security for devices connected to the SQL servers is paramount to preventing various types of attacks on SQL systems.
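One way to check a MySQL server against the two recommendations above (credentials and non-local access), as an added example that is not part of the original post. The function names, the sample my.cnf and the account rows are constructed for illustration; the rows are assumed to come from `SELECT user, host, plugin, authentication_string FROM mysql.user`.

```python
LOCAL = {"localhost", "127.0.0.1", "::1"}

def parse_mysqld(cnf_text):
    """Return the [mysqld] options of a my.cnf as a dict (keys normalised to '-')."""
    opts, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith((";", "!")):  # comments, !includedir
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "mysqld":
            key, _, value = line.partition("=")
            opts[key.strip().lower().replace("_", "-")] = value.strip().strip("'\"")
    return opts

def audit(cnf_text, accounts):
    """Flag non-local exposure and password-less accounts (hypothetical helper)."""
    findings, opts = [], parse_mysqld(cnf_text)
    skip = opts.get("skip-networking")
    if skip is None or skip.lower() in ("0", "off", "false"):
        bind = opts.get("bind-address")
        if bind is None:
            findings.append("bind-address not set: server default listens on all interfaces")
        elif bind not in LOCAL:
            findings.append(f"bind-address={bind}: reachable from non-local hosts")
    for user, host, plugin, auth in accounts:
        who = f"'{user}'@'{host}'"
        # auth_socket accounts log in via the local socket and store no hash
        if not auth and plugin != "auth_socket":
            findings.append(f"{who}: empty password")
        if host not in LOCAL:
            findings.append(f"{who}: login allowed from non-local host")
    return findings

# Constructed sample input, not taken from any real server
SAMPLE_CNF = "[client]\nport=3306\n[mysqld]\nbind_address = 0.0.0.0\n"
SAMPLE_ACCOUNTS = [
    ("root", "%", "mysql_native_password", ""),
    ("app", "localhost", "mysql_native_password", "*CONSTRUCTED_HASH"),
    ("root", "localhost", "auth_socket", ""),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CNF, SAMPLE_ACCOUNTS):
        print(finding)
```

A stored hash says nothing about password strength, so this only catches empty passwords; strength has to be enforced when passwords are set.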