Threat Actors Exploit Oracle Database Scheduler to Infiltrate Corporate Networks
Threat actors have begun exploiting the Oracle Database Scheduler’s External Jobs feature to execute arbitrary commands on corporate database servers, enabling stealthy initial footholds and rapid escalation of privileges.
By abusing the extjobo.exe executable, attackers can run encoded PowerShell commands, establish encrypted tunnels with Ngrok, and deploy ransomware, all while evading detection through aggressive cleanup routines.
In a recent incident response engagement, investigators discovered that attackers targeted an exposed Oracle Database instance by repeatedly attempting to connect as the SYS user.
Initial failed logins returned error code 28009 (ORA-28009), which Oracle raises when a connection as SYS is attempted without the SYSDBA clause; because that error is only reached once the password has been accepted, it confirmed that valid SYSDBA credentials had already been obtained.
The detected entry point was a feature of Oracle DBS, an exposed service running on the organisation's database server, which allowed commands to be executed remotely.

With these privileges, the threat actor invoked the Database Scheduler’s External Jobs component (extjobo.exe), which listens on a named pipe and executes received commands with the same privileges as the Scheduler service.
Using extjobo.exe, the attacker created and executed a Base64-encoded PowerShell script that gathered system information, invoked WSMan to run commands remotely, and downloaded additional payloads from a command-and-control (C2) server at 80.94.95.227.
These payloads, named sequentially (e.g., tfod.cmd), were deleted immediately after execution, preventing forensic analysis of their contents. Evidence suggests the attacker leveraged code from an open-source GitHub project for Oracle scheduler abuse, adapted to spawn a TCP reverse shell on the compromised server.
Encrypted Tunneling and Lateral Movement
After establishing initial code execution, the intruder deployed Ngrok to tunnel Remote Desktop Protocol (RDP) traffic from an on-premises database server to the internet.
A configuration file containing the attacker’s authentication token was written to ngrok.yml, and Ngrok was started, exposing the RDP port (3389) over an encrypted channel.
The attacker then created a local account (“Admine”), elevated its privileges, and successfully connected via RDP through the Ngrok tunnel.
Creation of the Ngrok executable at “C:\Users\Public\ngrok.exe” was also noted, as shown in the following figure, which suggested a direct link between the “ngr.bat” file and the “ngrok.exe” executable.

Privilege escalation followed, with the malicious use of Process Hacker (renamed PT.exe) and potential token manipulation via Task Manager to assume a domain administrator account.
The attacker performed a network logon (Type 3) as an administrative user, granting full control over the database server.
With elevated access secured, the actor staged a ransomware payload (“win.exe”) within the PerfLogs directory and set up a scheduled task named “Windows Update BETA” to execute it at system startup under NT AUTHORITY\SYSTEM.
Execution logs recorded the creation of an encryption log file (mcv.dll) that documented encrypted resources. The ransomware encrypted files with a novel extension, generated the “ElonsHelp.txt” ransom note, and embedded contact emails for negotiation.
Post-encryption, the attacker executed a registry modification under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options to disable Ngrok at startup, ensuring the encrypted tunnel would not persist.

Finally, all executed tools and payloads—including Ngrok, tfod.cmd, ngr.bat, and ss.exe—were removed via delayed deletion commands (ping 127.0.0.1 delays), and scheduled tasks were deleted to eliminate forensic traces.
Mitigations
Organizations using Oracle Database Scheduler should implement the following controls:
- Restrict network access to Oracle management ports and disable External Jobs if unused.
- Enforce multi-factor authentication for database administrators and monitor for atypical SYSDBA connections.
- Deploy host-based monitoring to detect use of extjobo.exe, unexpected PowerShell activity, and unauthorized scheduled tasks.
- Control the installation of tunneling software by whitelisting approved binaries and monitoring for Ngrok configurations.
- Maintain robust backup and recovery processes, ensuring encrypted or tampered logs can be restored for incident analysis.
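The host-based monitoring control above can be expressed as a handful of process-creation rules keyed to the behaviours this intrusion chain exhibited. The following Python is an added example, not code from the original article or from any vendor: the event records are constructed to resemble Sysmon Event ID 1 fields, and the Oracle installation path is an assumption.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# modelled on the chain described above. Not real telemetry from the incident;
# the Oracle home path is assumed.
SAMPLE_EVENTS = [
    {"parent": r"C:\oracle\product\19c\dbhome_1\bin\extjobo.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgAIAAo"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\ngrok.exe",
     "cmdline": r"ngrok.exe tcp 3389 --config C:\Users\Public\ngrok.yml"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Windows Update BETA" /tr C:\PerfLogs\win.exe /sc onstart /ru SYSTEM'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Each rule is (alert name, predicate over one event).
RULES = [
    # The Scheduler's external-job host should never parent a shell or interpreter.
    ("extjobo_spawns_interpreter",
     lambda e: _basename(e["parent"]) == "extjobo.exe"
               and _basename(e["image"]) in {"powershell.exe", "pwsh.exe", "cmd.exe"}),
    # Encoded PowerShell hides the script body from plain command-line review.
    ("powershell_encoded_command",
     lambda e: _basename(e["image"]) in {"powershell.exe", "pwsh.exe"}
               and re.search(r"-e(nc(odedcommand)?)?\s", e["cmdline"], re.I) is not None),
    # Tunnelling binary, or its config, under a world-writable drop directory.
    ("ngrok_in_public_dir",
     lambda e: "ngrok" in _basename(e["image"])
               or re.search(r"\\users\\public\\.*ngrok", e["cmdline"], re.I) is not None),
    # Task creation that runs something from PerfLogs, as SYSTEM, or at boot.
    ("suspicious_schtasks_create",
     lambda e: _basename(e["image"]) == "schtasks.exe"
               and re.search(r"/create", e["cmdline"], re.I) is not None
               and re.search(r"perflogs|/ru\s+system|/sc\s+onstart", e["cmdline"], re.I) is not None),
]

def detect(events):
    """Return (alert name, command line) for every rule each event trips."""
    return [(name, e["cmdline"]) for e in events for name, pred in RULES if pred(e)]
```

Feed real process-creation events (parent image, image, command line) into `detect` and route the returned alerts to the SIEM; the benign notepad event shows that ordinary activity produces nothing.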
By proactively securing Oracle Scheduler features and enhancing visibility into privileged command execution, defenders can thwart similar intrusion attempts and safeguard critical database environments.