A recent campaign has emerged targeting poorly managed Microsoft SQL (MS SQL) servers, aiming to propagate a type of malware known as CLR SqlShell.
This malware allows threat actors to execute commands and engage in various malicious activities on the compromised MS SQL servers. AhnLab Security Emergency Response Center (ASEC) highlighted this threat in a recent report.
CLR (Common Language Runtime) stored procedures, written in .NET languages such as C# or Visual Basic, are used to install the malware on MS SQL servers.
The attack method identified by the South Korean cybersecurity firm involves the use of CLR stored procedures to exploit vulnerable MS SQL servers. It joins other approaches, including the xp_cmdshell extended stored procedure, which spawns a Windows command shell to run operating-system commands.
Threat actors associated with LemonDuck, MyKings, and Vollgar have employed techniques such as brute-force attacks and dictionary attacks on internet-exposed MS SQL servers to execute malware using xp_cmdshell commands and OLE stored procedures.
The use of CLR stored procedures marks a new addition to the attackers’ arsenal. They take advantage of SqlShell routines to download subsequent payloads, including Metasploit and cryptocurrency miners like MrbMiner, MyKings, and LoveMiner.
Threat actors have also utilized SqlShell variants such as SqlHelper, CLRSQL, and CLR_module to escalate privileges, launch ransomware attacks, introduce proxyware, and carry out reconnaissance activities in targeted networks.
According to ASEC, SqlShell has the capability to install additional malware, such as backdoors, coin miners, and proxyware. It can also execute malicious commands received from threat actors, similar to web shells.
The campaign highlights the importance of properly managing MS SQL servers and implementing robust security measures to protect against these attacks.
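As an added defender-side check (not from the ASEC report or this article), the following T-SQL audits an instance for the two execution paths described above: the server options that must be on for CLR stored procedures, xp_cmdshell and OLE Automation to work, and every user-defined CLR assembly in every online database together with the procedures bound to it. It relies only on standard catalog views (sys.configurations, sys.databases, sys.assemblies, sys.assembly_modules, sys.objects); the permission-set filter reflects the assumption that a SqlShell-style assembly is user-defined and commonly requests EXTERNAL_ACCESS or UNSAFE.

```sql
-- Audit script (added example, not part of the original article or report).
-- Run as a sysadmin-equivalent login on each MS SQL instance.

-- 1. Server-level switches that enable the execution paths the article describes.
--    Expected on a hardened server: every value_in_use = 0 unless a documented
--    application needs CLR, in which case 'clr strict security' (2017+) should be 1.
SELECT name, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('clr enabled',
               'clr strict security',
               'xp_cmdshell',
               'Ole Automation Procedures')
ORDER BY name;

-- 2. User-defined CLR assemblies across all online databases, with bound objects.
--    Legitimate deployments are usually SAFE and known to the DBA; anything
--    EXTERNAL_ACCESS/UNSAFE, recently created, or unfamiliar deserves a look.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql += N'
SELECT ' + QUOTENAME(d.name, '''') + N' AS database_name,
       a.name                AS assembly_name,
       a.clr_name,
       a.permission_set_desc,
       a.create_date,
       o.name                AS bound_object,
       o.type_desc           AS bound_object_type
FROM ' + QUOTENAME(d.name) + N'.sys.assemblies a
LEFT JOIN ' + QUOTENAME(d.name) + N'.sys.assembly_modules m
       ON m.assembly_id = a.assembly_id
LEFT JOIN ' + QUOTENAME(d.name) + N'.sys.objects o
       ON o.object_id = m.object_id
WHERE a.is_user_defined = 1;'
FROM sys.databases AS d
WHERE d.state_desc = 'ONLINE';

EXEC sys.sp_executesql @sql;

-- 3. Hardening for the common case where none of these features is required.
--    Review the output of steps 1 and 2 first; drop unexpected assemblies with
--    DROP ASSEMBLY <name> inside the affected database.
EXEC sys.sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sys.sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
EXEC sys.sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sys.sp_configure 'clr enabled', 0;            RECONFIGURE;
```

Step 2 lists assemblies only for databases the login can read; run it again after restoring any database from backup, since the assembly travels with the database.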