Gh0stCringe RAT makes database servers squeal for protection

Gh0stCringe RAT makes database servers squeal for protection

Researchers have found that the Gh0stCringe RAT is infecting Microsoft SQL and MySQL, and seems to focus on servers with weak protection. The Gh0stCringe RAT communicates with a command and control (C&C) serverto receive instructions and is capable of exfiltrating information.


SQL is short for Structured Query Language and usually pronounced as “sequel.” SQL is a standard language used to query and change the content of databases. It was originally designed to perform business analyses. But with the implementation of product-specific application programming interfaces (API) and the growth of online applications, it quickly became more widely used.


Gh0stCringe, also known as CirenegRAT, is a malware variant based on the code of Gh0st RAT. The Gh0st RAT source code was publicly released, so we’ve seen quite a lot of malware based on this code. Remote Access Trojans (RATs) are programs that provide the capability to allow covert surveillance or the ability to gain unauthorized access to a victim system.

Gh0stCringe RAT is a RAT malware that connects to a C&C server and performs various malicious actions after receiving commands from the attacker. The attacker can designate various settings to Gh0stCringe just like other RAT malware. One of those options the Gh0stCringe RAT provides is a keylogger. Keylogging enables the threat actor to steal login credentials and other sensitive information.

For a full technical analysis we would like to refer you to the researchers’ post.


According to the researchers, the threat actors behind Gh0stCringe are targeting poorly secured database servers with weak account credentials and no oversight. On the infected servers they found evidence of previous infection by minersusually distributed through brute force attacks.

Security of SQL Server environments is considered to be among database administrators’ prime responsibilities. It is up to each database administrator to configure security features, or use additional security measures as needed, to address the security and compliance requirements of their data and applications.

Microsoft SQL Server provides several built in features that enable security, including encrypted communication over SSL/TLS, the Windows Data Protection API used to encrypt data at rest, authentication and authorization.

MySQL provides robust data security to protect data including secure connections, authentication services, fine-grained authorization and controls, and data encryption.

The problem is that there are a few very different security issues to be considered when it comes to an internet-facing SQL server. Administrators have to implement security to protect their system(s) against SQL database vulnerabilities, SQL injection attacks, and brute-forcing SQL credentials on top of every other security measure that applies to such servers.

How to avoid RATs

There are some basic actions that can be taken to lessen the chance of RATs and miners making use of your SQL servers.

  • Use a strong password policy, keeping in mind the importance of the server and the data on it.
  • Apply patchesin a timely manner and keep the number of applications, which all need to be patched, to a minimum.
  • Actively manage the user accounts that have access, and their privileges.
  • Use monitoring and logging to keep an eye on what is going on.

There are some tell tale signs that could give away the presence of the Gh0stCringe RAT. The method of keylogging it uses is know to cause high CPU-usage. And below are some IOCs.



  • mcsql.exe

C&C servers:



  • bd8611002e01d4f9911e85624d431eb0
  • 9adc9644a1956dee23c63221951dd192
  • 782cbc8660ff9e94e584adfcbc4cb961

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.