Newly Discovered Downloader Uses MSSQL to Deliver Malware

October 18, 2019
mssql malware whiteshadow

Cyber Security Analysts have just discovered and documented the birth and development of a downloader that utilizes Microsoft SQL query to acquire and spread malicious malware packages.

Just last August, several cyber security analysts found the new, arranged downloader, known as WhiteShadow, which is being utilized to spread an assortment of malware to vulnerable frameworks.

The cyber security analysts said on Friday last week that WhiteShadow gives off the impression of being a malware-delivery-service, given its quality presence in several campaigns used to spread malware including Remote Access Trojans (RATs), with the likes of – Agent Tesla, Crimson RAT, AZORult, and keyloggers.

In several phishing email attacks recorded and propelled during August 2019, cyber security analysts discovered WhiteShadow prowling in malignant Microsoft Word and Microsoft Excel connections, maneuvered into infected network systems by moving in way of Visual Basic macros.

On the off chance that the user of an infected machine allowed the macros to become activated, this  new downloader would begin its work by calling and executing SQL queries acquired from Microsoft SQL Server databases controlled – and leased – by hackers.

The downloader – WhiteShadow – utilizes a SQLOLEDB connector to establish a remote link to the database and perform a barrage of queries. Malware is then stored and disguised as strings which are ASCII-encoded in the database. Once executed and called upon by WhiteShadow, the payload will write to the hard drive as a PKZip encrypted archive of a Windows executable.

The script that gets released from the PKZip archive in the next step of the infection process is a signal for the malware to initiate the installation process for the final payload that can be one of the several strains identified in older, more previous attacks. This would appear to be a new malware delivery system, which would allow  a group of hackers to potentially lace the downloader and associated Microsoft SQL Server infrastructure into their future attacks.

The SQLOLEDB connector is an executable database connector from Microsoft yet is incorporated of course in many (if not all) establishments of Microsoft Office. When this executable connector is introduced on the network system, it may very well be utilized by different pieces of the Windows subsystem and by Visual Basic script contents incorporating macros in Microsoft Office records.

Once the malignant malware payload is introduced – it becomes dependent on design settings put away in a VBScript content inside the infected attachment. Early attack signs singles out Crimson – a malware family that has been associated with several malware campaigns against several military and government outfits. The malware is equipped with info-stealing capacities, can perform image snipping , list script processes, and acquire and encrypt messages from Outlook.

NOTE: Crimson is yet to be identified to have any connection to previous malware campaigns.

About the author

Leave a Reply