CoinMiner Being Distributed to Vulnerable MS-SQL Servers

The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The previous blogs explained the distribution cases of Cobalt Strike and Remcos RAT, but the majority of the discovered attacks are CoinMiners.

– [ASEC Blog] Remcos RAT Being Distributed to Vulnerable MS-SQL Servers
– [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers
– [ASEC Blog] Cobalt Strike Being Distributed to Vulnerable MS-SQL Servers (2)

This blog will explain a specific form of CoinMiner that has been consistently distributed since last year up until now, which also makes up the majority of attacks. According to AhnLab’s ASD infrastructure, in systems installed with this specific CoinMiner, detection logs of Vollgar CoinMiner are also being found. Vollgar is a typical CoinMiner that is installed via brute force attacks against MS-SQL servers with vulnerable account credentials, and it appears that the CoinMiner of focus will also use the same method.

Figure 1. Attack flow

The precise attack method and the command that was used cannot be confirmed, but according to the collected logs of file creation and execution, the attacker first created a sqlbase folder in MS-SQL data folder (E.g. %ProgramFiles%\microsoft sql server\mssql13.mssqlserver\mssql\data) and created a malware named SqlBase.exe in the path. The malware is then created and executed in the path by the sqlservr.exe, which is a MS-SQL server process.

SqlBase.exe is a downloader malware of a simple form developed with .NET (See figure below), which downloads settings data and CoinMiner from C&C server and installs them.

Figure 2. Main routine of SqlBase.exe

The settings data is downloaded from the URL below, but as it is encrypted with Base64 and AES, it needs to be decrypted.

  • Settings data download URL: hxxp://dl.love-network[.]cc/config.txt
Figure 3. Data encrypted with Base64 and AES and its decryption routine

The decrypted data is in XML format and contains the version information and the argument that will be used when executing XMRig CoinMiner.

Figure 4. Decrypted settings data

It then downloads XMRig malware packed with VMP in the following URL. The data.mdf file is a compressed file in the zip format, and it contains XMRig CoinMiner. Sqlbase.exe decompresses XMRig in the same path under the name of sqlconn.exe.

  • XMRig download URL: hxxp://dl.love-network[.]cc/data.mdf
Figure 5. Settings data used by the downloader

The compressed data.mdf file disguised by the attacker has the mdf extension, which is a primary data file used in MS-SQL. Upon looking at the actual MS-SQL data folder %ProgramFiles%\microsoft sql server\mssql13.mssqlserver\mssql\data\, numerous MS-SQL related data files such as mdf files and ldf (log file) can be seen.

Figure 6. Data files in the data folder

When all the processes above are over, it assigns hidden and system properties to the XMRig file and executes XMRig along with the user account credentials and URL of the argument of the settings data obtained above (a.k.a the mining pool) to perform mining in the infected system.

Figure 7. Coin mining packet

Typical attacks that target MS-SQL servers include brute force attacks and dictionary attacks to systems where account credentials are poorly being managed. Although it seems like these methods make up the majority of the attacks, there can be vulnerability attacks against systems where their vulnerability has not been patched.

Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force attacks and dictionary attacks, and maintain the latest patch to prevent vulnerability attacks. Administrators should also use security programs such as firewalls for database servers accessible from outside to restrict access of external attackers.

The following are paths where the SqlBase.exe file, the initial malware installed by the attacker was created in. These show the MS-SQL systems that were targeted for attack.

%ProgramFiles%\microsoft sql server\mssql13.mssqlserver\mssql\data\sqlbase\sqlbase.exe
%ProgramFiles%\microsoft sql server\mssql12.sqlexpress\mssql\data\sqlbase\sqlbase.exe

%ProgramFiles%\microsoft sql server\mssql10_50.d*****20\mssql\data\sqlbase\sqlbase.exe
%ProgramFiles%\microsoft sql server\mssql10_50.d*****016\mssql\data\sqlbase\sqlbase.exe
%ProgramFiles%\microsoft sql server\mssql10_50.i***e\mssql\data\sqlbase\sqlbase.exe
%ProgramFiles%\microsoft sql server\mssql10_50.i*****20\mssql\data\sqlbase\sqlbase.exe
%ProgramFiles%\microsoft sql server\mssql14.d*****e\mssql\data\sqlbase\sqlbase.exe

%ProgramFiles% (x86)\microsoft sql server\mssql10_50.o—em\mssql\data\sqlbase\sqlbase.exe

MS-SQL is sometimes manually downloaded for a certain purpose, but it can also be installed by other programs that need a database management system. Upon looking at the logs above, it appears that other than the paths of normal MS-SQL servers, MS-SQL servers that have been installed by ERP and work-purpose solutions were targeted for attack as well.

As MS-SQL installed by other work-purpose programs can be attacked as well as manually-installed MS-SQL, users must pay attention to vulnerability patching and account management.

AhnLab detects and blocks the malware above using the aliases below.

[File Detection]
– CoinMiner/Win.Agent.C4420300 (2021.04.24.00)
– CoinMiner/Win.LoveMiner.R472804 (2022.02.16.01)
– CoinMiner/Win.XMRig.R424798 (2021.08.07.00)

[IOC]
MD5

– SqlBase.exe : fe3659119e683e1aa07b2346c1f215af
– sqlconn.exe : b11d7ac5740401541bc1be33dd475e00

XMRig Mining Pool
– serv1.love-network[.]cc:2082

Download
– hxxp://dl.love-network[.]cc/config.txt
– hxxp://dl.love-network[.]cc/data.mdf

5 1 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments