Statistical Report on Malware Targeting MS-SQL Servers in Q3 2024

Overview
Statistics
1. Attacks Against MS-SQL Servers
2. Categorization of Malware Used in Attacks
  2.1. Trojan
  2.2. HackTool
  2.3. Backdoor
  2.4. CoinMiner
  2.5. Downloader & Ransomware
Conclusion

Overview

The ASEC analysis team uses the AhnLab Smart Defense (ASD) infrastructure to categorize and respond to attacks on vulnerable MS-SQL servers. Based on the logs collected in Q3 2024, this report covers the current state of damage to MS-SQL servers, which have become a frequent target of attacks, and presents statistics on the attacks launched against them. The malware used in each attack is also categorized, with a summary of the statistical details. Malware is categorized by type, such as CoinMiner, Backdoor, Trojan, Ransomware, and HackTool, and detailed statistics are given for the known malware in each category.

A new attack identified in Q3 2024 involves the abuse of GotoHTTP. [1] Like other remote control tools, GotoHTTP provides remote screen control. Once GotoHTTP is installed on a system, anyone who knows its “Computer Id” and “Access Code” can control that system remotely. When GotoHTTP is executed, it creates a configuration file named “gotohttp.ini” in the same directory, and this file stores the “Computer Id” and “Access Code”. It is presumed that the threat actor accessed systems remotely by stealing the “gotohttp.ini” file that is generated after GotoHTTP is installed on an infected system.

Figure 1. GotoHTTP website

The targeted systems are publicly accessible and are presumed to use weak credentials. After the initial breach, the threat actor first installed CLR SqlShell. SqlShell is the MS-SQL counterpart of a WebShell: where a WebShell is planted on a web server, SqlShell is installed on an MS-SQL server to execute the threat actor’s commands or perform various other malicious activities.

The threat actor used the installed SqlShell to execute commands that retrieve information from the infected systems. Subsequently, they installed tools for privilege escalation, such as PetitPotato, SweetPotato, JuicyPotato, GodPotato, PrintNotifyPotato, LocalAdminSharp, and malware for setting or adding user accounts.

Figure 2. MS-SQL server executing threat actor’s commands

After completing these initial steps, the threat actor installed GotoHTTP and, at the same time, installed malware responsible for resetting the passwords of existing user accounts or adding new user accounts. A backdoor account added in this manner can later be used by the threat actor for remote control over RDP.
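The attack chain described above leaves a recognisable trail in endpoint telemetry: the SQL Server engine process spawning a command shell (SqlShell command execution), `net user` invocations that add accounts or reset passwords, execution of the Potato-family tools named in this report, and the creation of `gotohttp.ini`. The following Python script is an added example (it is not ASEC or AhnLab code and not part of the original report) that runs those rules over constructed Sysmon-style records and correlates them per host. Field names follow Sysmon Event ID 1 (process creation) and Event ID 11 (file creation); every sample event, host name and path is made up for the example.

```python
"""Hunting rules for the MS-SQL intrusion chain described in the report.

Added example, not ASEC/AhnLab code. It evaluates behavioural rules over
constructed Sysmon-style records (EventID 1 process creation, EventID 11
file creation). Field names follow Sysmon; every sample event, host name
and path below is made up for the example.
"""
import re

# Privilege escalation tool names taken from the report. A name match is a
# weak signal (the binary is trivially renamed), so it is scored medium.
PRIVESC_TOOLS = ("petitpotato", "sweetpotato", "juicypotato", "godpotato",
                 "printnotifypotato", "localadminsharp")

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Matches "net user <name> <password> [/add]" (account creation or password
# reset) and "net localgroup <group> <name> /add". A bare "net user" listing
# does not match.
ACCOUNT_CHANGE = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user\s+\S+\s+\S+(?:\s+/add)?|localgroup\s+\S+\s+\S+\s+/add)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows path ('' if the path is empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return [(rule, severity), ...] for the rules that fire on one event."""
    hits = []
    if ev.get("EventID") == 1:
        parent = basename(ev.get("ParentImage", ""))
        image = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if parent == "sqlservr.exe" and image in SHELLS:
            # SqlShell / xp_cmdshell style command execution from the DB engine
            hits.append(("sqlserver_spawns_shell", "high"))
        if ACCOUNT_CHANGE.search(cmd):
            hits.append(("account_add_or_reset", "high"))
        if any(tool in image for tool in PRIVESC_TOOLS):
            hits.append(("potato_tool_name", "medium"))
        if image == "gotohttp.exe":
            hits.append(("gotohttp_execution", "medium"))
    elif ev.get("EventID") == 11:
        if basename(ev.get("TargetFilename", "")) == "gotohttp.ini":
            # gotohttp.ini holds the Computer Id and Access Code
            hits.append(("gotohttp_config_written", "medium"))
    return hits


def analyze(events):
    """Run every rule over every event; return one finding dict per hit."""
    findings = []
    for ev in events:
        for rule, severity in check_event(ev):
            findings.append({
                "host": ev.get("Computer", "?"),
                "rule": rule,
                "severity": severity,
                "detail": ev.get("CommandLine") or ev.get("TargetFilename", ""),
            })
    return findings


def chain_observed(findings):
    """True when one host shows both command execution from sqlservr.exe and
    an account add/reset, i.e. the sequence the report describes."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    needed = {"sqlserver_spawns_shell", "account_add_or_reset"}
    return any(needed <= rules for rules in rules_by_host.values())


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "SQL01",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami & systeminfo"},
    {"EventID": 1, "Computer": "SQL01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net  user sqlbackup P@ss-example /add"},
    {"EventID": 1, "Computer": "SQL01", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\GodPotato.exe", "CommandLine": "GodPotato.exe"},
    {"EventID": 11, "Computer": "SQL01", "Image": r"C:\ProgramData\GotoHTTP\GotoHTTP.exe",
     "TargetFilename": r"C:\ProgramData\GotoHTTP\gotohttp.ini"},
    # Benign noise: an operator's shell and the service itself starting.
    {"EventID": 1, "Computer": "SQL01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "Computer": "SQL01", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "CommandLine": "sqlservr.exe -sMSSQLSERVER"},
]

if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for r in results:
        print(f"[{r['severity']:<6}] {r['host']} {r['rule']}: {r['detail']}")
    print("full chain on one host:", chain_observed(results))
```

The individual rules are deliberately simple; the name-based ones (Potato tools, GotoHTTP) are easy to evade by renaming a binary, which is why `chain_observed` correlates the two high-confidence behaviours on the same host rather than alerting on any single hit. On a real deployment the same checks would be fed from the Sysmon operational log or an EDR export instead of the constructed `SAMPLE_EVENTS` list.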

Statistics

1. Attacks Against MS-SQL Servers

The following statistics are based on the ASD logs of attacks targeting MS-SQL servers that were confirmed during the third quarter of 2024.