Statistical Report on Malware Targeting MS-SQL Servers in Q2 2024
Overview
The ASEC analysis team uses the AhnLab Smart Defense (ASD) infrastructure to categorize and respond to attacks on vulnerable MS-SQL servers. This report covers the current state of damage to MS-SQL servers targeted by attacks, based on the logs collected in Q2 2024, and also presents statistics on the attacks launched against those servers. Furthermore, the malware used in each attack is categorized, with a summary of the statistical details. Malware strains are categorized by type, such as CoinMiner, backdoor, Trojan, ransomware, and HackTool, and detailed statistics are also given for known malware in each category.
New attacks identified in Q2 2024 include the TargetCompany threat actor’s attack and an attack against a Korean ERP server. The TargetCompany ransomware group usually attacks poorly managed MS-SQL servers and installs Mallox ransomware, and its attacks have been ongoing for many years. However, recently identified malware strains revealed a connection to past attack cases in which Tor2Mine CoinMiner and BlueSky ransomware were distributed.
The TargetCompany group installs Remcos RAT by abusing the SQLPS tool bundled with MS-SQL servers instead of PowerShell, and may additionally install AnyDesk. There are also cases where AnyDesk is not installed directly but via a remote screen control malware strain. This remote control malware was used in a past BlueSky ransomware attack case alongside Tor2Mine CoinMiner.

Figure 1. Remote screen control malware used in the attack
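One way a defender could hunt for the process chain described above (the MS-SQL service launching SQLPS or PowerShell, which in turn starts remote-access tooling) over process-creation telemetry. This is an added example, not ASEC's code; the event fields, the sample events and the remote-tool watch list are assumptions.

```python
"""Flag sqlservr.exe -> script host -> child process chains (added example)."""
from dataclasses import dataclass

# Script hosts the report describes being launched from the MS-SQL service.
SCRIPT_HOSTS = {"sqlps.exe", "powershell.exe"}
# Remote-access tooling named in the report; assumed watch list, extend as needed.
REMOTE_TOOLS = {"anydesk.exe"}


@dataclass
class ProcEvent:
    """Simplified process-creation record (Sysmon Event ID 1 style; fields assumed)."""
    pid: int
    ppid: int
    image: str          # executable name, matched case-insensitively
    cmdline: str = ""


def find_sqlps_chains(events):
    """Return (rule, pid, image) alerts for suspicious chains under sqlservr.exe.

    Rule 1: sqlservr.exe directly spawning sqlps.exe or powershell.exe.
    Rule 2: a script host that was spawned by sqlservr.exe spawning anything else;
            the child is flagged as 'remote_tool_from_sqlps' if it is a known remote tool.
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if parent.image.lower() == "sqlservr.exe" and e.image.lower() in SCRIPT_HOSTS:
            alerts.append(("sqlservr_spawns_script_host", e.pid, e.image.lower()))
        if parent.image.lower() in SCRIPT_HOSTS:
            grand = by_pid.get(parent.ppid)
            if grand is not None and grand.image.lower() == "sqlservr.exe":
                rule = "remote_tool_from_sqlps" if e.image.lower() in REMOTE_TOOLS else "sqlps_child"
                alerts.append((rule, e.pid, e.image.lower()))
    return alerts


# Constructed sample: the SQL service starts SQLPS, which then launches AnyDesk.
# A PowerShell started from explorer.exe is included as a benign control.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "sqlservr.exe"),
    ProcEvent(200, 100, "SQLPS.exe", "SQLPS.exe -Command <constructed>"),
    ProcEvent(300, 200, "AnyDesk.exe", "AnyDesk.exe <constructed>"),
    ProcEvent(400, 1, "explorer.exe"),
    ProcEvent(500, 400, "powershell.exe"),
]

if __name__ == "__main__":
    for alert in find_sqlps_chains(SAMPLE_EVENTS):
        print(alert)
```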
Besides such attacks, there are cases where SoftEther VPN was installed after the ERP server of a Korean corporation was attacked. The threat actor compromised the MS-SQL service during initial access and afterward installed a web shell in the ERP solution to maintain persistence and control the infected system. After these steps, the attacker ultimately installed SoftEther VPN to use the infected system as a VPN server.
It should be noted that the goal of the threat actor is not just to use the target ERP server as a VPN server. The configuration file used by the threat actor runs in “Cascade Connection” mode, in which the server connects to another VPN server instead of only offering VPN services. Thus it is likely that the threat actor is using the server to improve its own security and privacy and to build C&C infrastructure while keeping the actual C&C server from being traced.

Figure 2. SoftEther VPN configuration file that connects to other VPN servers
Statistics
1. Attacks Against MS-SQL Servers
The following statistics are based on the ASD logs for MS-SQL server-targeted attacks confirmed during the second quarter of 2024.