
MELEE - A Powerful Tool for Detecting Ransomware in MySQL Deployments
Cybercriminals are increasingly targeting exposed MySQL instances to conduct malicious activities such as data exfiltration, destruction, and extortion through ransomware. To address this growing threat, MELEE has been developed as a specialized tool for detecting ransomware infections in MySQL deployments.
The tool is designed to help security researchers, penetration testers, and threat intelligence analysts identify compromised MySQL instances that are running malicious code.
Key Features of MELEE
MELEE offers a range of modules to facilitate the detection and analysis of ransomware infections in MySQL instances. Its capabilities include:
- Information Gathering and Reconnaissance: Collect details about MySQL instances.
- Exposure Assessment: Evaluate whether a MySQL instance is exposed to the Internet.
- Access Permissions Analysis: Assess remote command execution permissions.
- User Enumeration:
  - Enumerate MySQL database users.
  - Identify active users from the information_schema process list.
- Ransomware Infection Detection:
  - Perform basic checks for potential ransomware infections.
  - Conduct extensive scans to extract detailed information about infections, including ransom messages.
- Scanning Support:
  - Works with both unauthenticated and authenticated MySQL deployments.
Tool Usage Guide
MELEE is a Python-based tool that can be executed via the command line. Below is an overview of its usage:
General Command Syntax:
python3 melee.py <mysql_host> <mysql_service_port> <mysql_username> <mysql_password> <module>
Supported Modules:
- map_mysql_geoip: Map the GeoIP presence of the MySQL host.
- check_anonymous_access: Verify whether the remote MySQL host allows anonymous access.
- enum_mysql_db_names: Enumerate all available databases.
- enum_mysql_db_tables: List all tables in active databases.
- enum_mysql_db_users: Enumerate all MySQL users.
- enum_active_users: Identify all logged-in users from the process list.
- check_ransomware_infection: Detect potential ransomware infections.
- deep_scan_ransomware_infection: Perform a deep scan to retrieve infected resources and ransom messages.
Examples:
1. Basic ransomware infection detection:
python3 melee.py 99.34.123.xxx 3306 root root check_ransomware_infection
2. Deep scan for ransomware infections:
python3 melee.py 89.34.451.xxx 3306 root "" deep_scan_ransomware_infection
Considerations for Effective Use
- For ransom message analysis, MELEE saves the extracted message as <mysql_host>_ransom_message.txt in the local directory.
- When using the check_anonymous_access module, do not supply a password if testing with an anonymous user account.
- For testing weak credentials, combinations like root:root or other common weak passwords can be used.
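The detection modules above (check_ransomware_infection, deep_scan_ransomware_infection, enum_active_users) and the <mysql_host>_ransom_message.txt convention boil down to a handful of information_schema queries plus some pattern matching on what comes back. The script below is an added example written for this article; it is not MELEE's own code, and the note-name and note-text indicators it uses are assumptions rather than anything the project publishes. It accepts any DB-API cursor (mysql-connector-python or PyMySQL), and ships with a constructed FakeCursor and sample data so it runs offline.

```python
"""Heuristic ransom-note and session checks over a MySQL DB-API cursor.

Added example, not MELEE's own code: it sketches the kind of queries the
check_ransomware_infection, deep_scan_ransomware_infection and
enum_active_users modules describe, and writes the note out using the
<mysql_host>_ransom_message.txt convention. Any DB-API cursor works
(mysql-connector-python, PyMySQL); FakeCursor below is a constructed
stand-in so the script runs offline.
"""
import os
import re
import tempfile
from typing import Dict, List, Sequence, Tuple

# Assumed indicators (not from the project): names actors tend to give the
# database or table that carries the note, and phrases/addresses typical of it.
NOTE_NAME_RE = re.compile(r"warning|readme|read_me|please_read|recover|ransom", re.I)
NOTE_TEXT_RES = {
    "crypto_mention": re.compile(r"\b(bitcoin|btc|monero|xmr)\b", re.I),
    "recovery_demand": re.compile(r"\b(decrypt|recover|restore)\b", re.I),
    "btc_address": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "onion_url": re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I),
}


def quote_ident(name: str) -> str:
    """Backtick-quote an identifier read from information_schema; doubling
    embedded backticks stops a hostile table name from altering the query."""
    return "`" + name.replace("`", "``") + "`"


def find_suspect_tables(cursor) -> List[Tuple[str, str]]:
    """Basic check: user tables whose schema or table name looks like a note."""
    cursor.execute(
        "SELECT table_schema, table_name FROM information_schema.tables "
        "WHERE table_schema NOT IN ('mysql','information_schema','performance_schema','sys')"
    )
    return [(s, t) for s, t in cursor.fetchall()
            if NOTE_NAME_RE.search(s) or NOTE_NAME_RE.search(t)]


def classify_text(text: str) -> List[str]:
    """Names of the note indicators that match one row's text."""
    return [name for name, rx in NOTE_TEXT_RES.items() if rx.search(text)]


def deep_scan(cursor, sample_rows: int = 20) -> List[Dict]:
    """Deep check: sample rows from each suspect table and keep those whose
    text matches at least two independent indicators (one alone is noisy)."""
    findings = []
    for schema, table in find_suspect_tables(cursor):
        cursor.execute(f"SELECT * FROM {quote_ident(schema)}.{quote_ident(table)} "
                       f"LIMIT {int(sample_rows)}")
        for row in cursor.fetchall():
            text = " ".join(str(c) for c in row if c is not None)
            hits = classify_text(text)
            if len(hits) >= 2:
                findings.append({"schema": schema, "table": table,
                                 "indicators": hits, "message": text})
    return findings


def active_users(cursor) -> List[Dict]:
    """Sessions connected right now, from information_schema.processlist."""
    cursor.execute("SELECT id, user, host, db, command FROM information_schema.processlist")
    keys = ("id", "user", "host", "db", "command")
    return [dict(zip(keys, row)) for row in cursor.fetchall()]


def write_ransom_message(host: str, findings: List[Dict], directory: str = ".") -> str:
    """Save recovered note text as <host>_ransom_message.txt; returns the path."""
    path = os.path.join(directory, f"{host}_ransom_message.txt")
    with open(path, "w", encoding="utf-8") as fh:
        for f in findings:
            fh.write(f"[{f['schema']}.{f['table']}] {f['message']}\n")
    return path


class FakeCursor:
    """Constructed stand-in: answers each query from canned rows by prefix."""
    def __init__(self, canned: Dict[str, Sequence[tuple]]):
        self._canned, self._rows = canned, []

    def execute(self, sql: str, params=None) -> None:
        self._rows = next((r for p, r in self._canned.items() if sql.startswith(p)), [])

    def fetchall(self):
        return list(self._rows)


# Constructed sample instance: two normal tables plus a planted note table.
SAMPLE = {
    "SELECT table_schema": [("shop", "orders"), ("shop", "customers"),
                            ("WARNING", "PLEASE_READ_ME")],
    "SELECT * FROM `WARNING`.`PLEASE_READ_ME`": [
        (1, "Your databases were downloaded and deleted. To recover them send 0.03 BTC "
            "to 1ConstructedNoteAddrSampXXXXQ9 then write to constructedonionsiteexample.onion")],
    "SELECT id, user": [(7, "root", "203.0.113.9:51022", None, "Query"),
                        (3, "app", "localhost", "shop", "Sleep")],
}

if __name__ == "__main__":
    cur = FakeCursor(SAMPLE)
    for hit in deep_scan(cur):
        print(f"{hit['schema']}.{hit['table']}: {hit['indicators']}")
    print("sessions:", active_users(cur))
    print("note saved to", write_ransom_message("203.0.113.9", deep_scan(cur), tempfile.gettempdir()))
```

Two design points carry over to any real deployment check: identifiers pulled from information_schema are quoted and backtick-escaped before being interpolated, since an attacker controls those names, and a table is only reported when its text trips at least two independent indicators, which keeps a legitimate "recover_queue" table or a lone long token from raising a false alarm.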
Developers and Acknowledgments
MELEE was developed by Aditya K Sood and Rohit Bansal, leveraging their expertise in malware research and threat intelligence. The tool empowers professionals to efficiently research and mitigate threats targeting cloud-based databases.
By integrating MELEE into your security workflows, you can proactively detect and analyze ransomware infections in MySQL instances and strengthen your overall security posture. You can learn more and download MELEE on GitHub.