Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign designed to spread a category of malware called CLR SqlShell which ultimately facilitates the spread of cryptocurrency miners and ransomware.
“Similar to a web shell, which can be installed on a web server, SqlShell is a type of malware that supports various features after being installed on an MS SQL server, such as executing commands from threat actors and performing all kinds of malicious behavior,” AhnLab Security Emergency Response Center (ASEC) said in a report published last week.
Stored procedures are subroutines that contain a set of Structured Query Language (SQL) statements for use in various programs in a relational database management system (RDBMS).
CLR (short for common language runtime) stored procedures – available in SQL Server 2005 and later – are stored procedures written in a .NET language such as C# or Visual Basic.
The attack method discovered by the South Korean cybersecurity company entails the use of CLR stored procedures to install malware on the MS SQL server via the xp_cmdshell command, which invokes the Windows command shell and passes instructions to it as input for execution.
Some of the techniques used by threat actors, including those associated with Lemon Duck, MyKings (aka DarkCloud or Smominru), and Vollgar, involve the exploitation of an internet-exposed MS SQL server through brute-force and dictionary attacks in order to execute xp_cmdshell commands and OLE stored procedures and run malware.
The use of CLR stored procedures is the latest addition to this list, with attackers leveraging SqlShell routines to download later-stage payloads such as Metasploit and cryptocurrency miners such as MrbMiner, MyKings, and LoveMiner.
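The three execution paths the article names (xp_cmdshell, OLE Automation stored procedures, and CLR stored procedures backed by user-loaded assemblies) are all visible from inside the server. The following T-SQL audit is an added example, not code from the ASEC report or from the article, and assumes it is run as a sysadmin against the instance under review; it lists the relevant instance switches, any user-defined CLR assemblies and the procedures built on them, and then shows the hardening statements a defender would apply after reviewing those rows.

```sql
-- Added example (not from the ASEC report or the article): a defender-side
-- T-SQL audit for the execution paths the campaign relies on.
-- Assumes a sysadmin connection (SSMS or sqlcmd) to the instance being reviewed.

-- 1. Instance-level switches that SqlShell-style attacks need.
--    value_in_use = 1 means the feature is enabled right now.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'clr enabled',
               'Ole Automation Procedures', 'clr strict security');

-- 2. User-defined CLR assemblies. A normally managed server has few or none;
--    names such as SqlHelper, CLRSQL or CLR_module (from the report) are red flags,
--    and UNSAFE / EXTERNAL_ACCESS permission sets let the assembly reach outside
--    the database engine (files, network, process creation).
SELECT a.name, a.permission_set_desc, a.create_date, a.modify_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1;

-- 3. Stored procedures and functions backed by those assemblies; these are the
--    "CLR stored procedures" the article describes.
SELECT o.name AS object_name, o.type_desc, o.create_date,
       a.name AS assembly_name, am.assembly_class, am.assembly_method
FROM sys.assembly_modules AS am
JOIN sys.objects    AS o ON o.object_id   = am.object_id
JOIN sys.assemblies AS a ON a.assembly_id = am.assembly_id;

-- 4. Hardening: turn off the shell and OLE paths if no legitimate workload needs them.
--    Apply only after reviewing the rows above; CLR may be required by real applications.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
-- Only if step 3 returned no legitimate CLR objects:
-- EXEC sp_configure 'clr enabled', 0; RECONFIGURE;
```

A non-empty result from step 2 or 3 on a server that is not supposed to host .NET code is the strongest single indicator here; pair it with the login-failure audit log, since the report describes brute-force and dictionary attacks as the entry point that precedes the SqlShell installation.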
What’s more, SqlShells named SqlHelper, CLRSQL, and CLR_module have been used by different adversaries to elevate privileges on compromised servers, launch ransomware and proxyware, and conduct reconnaissance on targeted networks.
“SqlShell can install additional malware such as backdoors, coin miners, and proxyware, or it can execute malicious commands received from threat actors in a manner similar to WebShell,” ASEC said.