New Trojan Uses SQL Server for C&C
29.5.18 securityweek

A recently discovered banking Trojan leverages Microsoft SQL Server for communication with the command and control (C&C), IBM has discovered.

Dubbed MnuBot, the malware uses the database server for communication with the bot and to send commands to the infected machines. The Trojan features two components, each in charge of a different phase of a two-stage attack flow.

During the initial stage, the malware searches for a file called Desk.txt within the %AppData%Roaming folder. This file lets MnuBot know which desktop is currently running and, if it exists, the Trojan does nothing, because it knows it runs in a new desktop.

If the file doesnít exist, then MnuBot creates it and a new desktop, and then switches the user workspace to the new desktop, which runs alongside the legitimate user desktop.

On the newly created desktop, MnuBot constantly checks the foreground window name and, if it finds a name similar to a bank name in its configuration, the malware queries the server for the second stage executable corresponding to that bank name.

The executable, which is saved as C:\Users\Public\Neon.exe, is actually a Remote Access Trojan (RAT) that provides the attacker with full control over the target machine. It also includes functionality unique to MnuBot, IMB explains.

Once the infection stage has been completed, the malware connects to the C&C server to fetch the initial configuration. The necessary SQL server details, such as server address, port, username and password, are hardcoded inside the malware in an encrypted form (they are decrypted dynamically just before initializing the connection).

Strings in the configuration include queries the malware should perform, supported commands, files to interact with, and targeted bank websites. Should the configuration be missing, MnuBot shuts itself down, meaning no malicious activity is performed on the infected machine.

The attackers can dynamically change MnuBotís malicious activity by modifying the configuration directly on the server, and can also prevent researchers from reverse engineering the malware sample behavior if the author takes the server down.

Once the user opens the webpage of a targeted website, the second-stage payload provides the malware operator with an open session to the bankís website, directly from the victim machine.

The malware provides the operator with the ability to create browser and desktop screenshots, log keystrokes, simulate user clicks and keystrokes, restart the victim machine, uninstall Trusteer Rapport from the system, create a form to overlay the bankís page and steal the data the user enters there.

To send commands to the victim machine, the attacker updates specific columns inside a table stored in a database named jackjhonson. Columns there are meant to identify the type of command to be executed, to simulate a user click, to store screenshot bmp images from the infected machines in case a screenshot is needed, and to store the input required for input insertion commands.

MnuBot uses a full screen overlay form to prevent users from accessing the legitimate banking website and to trick them into revealing sensitive data. In the background, the malware operator takes control over the system and attempts to perform an illegal transaction via the already opened banking session.

The operator also asks the user for additional details if needed, using another overlaying form. The executable downloaded during the second stage of the attack contains the relevant social engineering forms the cybercriminals need for their nefarious operations.

MnuBot, which was observed targeting users in Brazil, is a great example of how malware authors constantly attempt to evolve their creations to evade regular anti-virus detection. In this case, they attempted to hide malicious network communications using seemingly innocent MS SQL traffic.