Distribution of Remcos RAT Exploiting sqlps.exe Utility of MS-SQL Servers

AhnLab Security Emergency response Center (ASEC) has recently discovered the case of Remcos RAT being installed on poorly managed MS-SQL servers.

Unlike the past attack, the recent case showed the threat actor using sqlps to distribute the malware. Sqlps is SQL Server PowerShell and is included in the SQL Server installation procedure[1]. SQL Server Powershell allows users to use the Powershell cmdlet which is needed to manage SQL Server instances. The attacker exploited this trait in distributing the malware.

Figure 1. AhnLab Smart Defense (ASD) log 1

Figure 2. AhnLab Smart Defense (ASD) log 2

Figures 1 and 2 show AhnLab’s AhnLab Smart Defense (ASD) logs. One can see how the threat actor breaches poorly managed MS-SQL servers and uses the sqlps command to download the malware in the %temp% directory before executing it. The malware installed is a file written with QSetup Installation Suite. QSetup Installation Suite is an installer maker that can be used in Windows operating systems. When the malware is run, the following files are generated in the temp directory and the Dust file is executed.

Figure 3. Files created through QSetup

Figure 4. Dust execution command

The Dust file created in the temp directory in Figure 3 is an obfuscated VBS script file and executes the command shown in Figure 4. It creates a folder with a random name and combines the files in the temp path to make an installer. The generated installer is a normal AutoIt executable.

The Lone file generated in the temp path in Figure 3 is an obfuscated AutoIt script file. Lone is executed through the generated normal AutoIt executable, which then decrypts Remcos RAT to inject and run it. The executed Remcos RAT attempts to connect to[:]2290 to gain remote control features on files and process tasks in the infected system.

Typical attacks that target MS-SQL servers include brute force attacks and dictionary attacks on systems where account credentials are poorly managed. Admins must also use passwords that cannot be easily guessed and change them periodically to protect the database servers from brute force and dictionary attacks.

Users must practice caution by updating V3 to the latest version to block malware infection in advance. In addition, admins should use security programs such as firewalls for database servers accessible from outside to restrict access by external threat actors. If the above measures are not taken in advance, continuous infections by threat actors and malware can occur.

[File Detection]

  • Trojan/Win.Agent.C5361921593(2023.05.09.02)
  • Backdoor/Win.BT.C523552(2022.09.29.02)
  • Trojan/Win.RemcosRAT (2023.02.18.00)

[Behavior Detection]

  • Malware/MDP.Download.M1197
  • Execution/MDP.Powershell.M4602
  • Execution/MDP.Powershell.M4604


  • a6b930401417a341092dbfd48399c92b
  • 55233743d7c15b0a417233becc07dcb4
  • 2677b8022e9fd3c18334dd672e16f457
  • hxxp://201.93.255[.]219/DZVcjxP.exe
  • hxxp://201.93.255[.]219:3823/DZVcjxP.exe
  • 80.66.75[.]51:2290


1) https://learn.microsoft.com/ko-kr/sql/powershell/sql-server-powershell?source=recommendations&view=sql-server-ver16

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments