Researchers Discover New Downloader that Uses Microsoft SQL for Delivering Malware

• A new downloader that evades detection techniques and Microsoft SQL queries to inject malicious payloads in compromised systems has been detected.
• Dubbed WhiteShadow, it is delivered through emails with malicious links or Microsoft Word and Excel attachments.

An overview

When the victim opens the malicious email and accesses attachments with macros, malware payloads infect the system.

• This malware is stored as ASCII-encoded long strings in the database.
• WhiteShadow uses a large array of malware strains downloaded from the Microsoft SQL Server which is under the control of attackers.
• The malware was observed by researchers at Proofpoint, who published a report detailing their analysis.

Attack campaigns

The malware was first seen in August, after which multiple campaigns have been observed.

• The first few campaigns didn’t have any measures to evade detection, but the later campaigns included methods like code obfuscation and intentional misspelling of variables. This was probably done to avoid automatic detection.
• Most of the WhiteShadow campaigns were observed to deliver the Crimson malware.
• Keylogger strains such as Orion Logger, Remcos, and Nanocore were among the other malware delivered in these campaigns.

“It appears that WhiteShadow is one component of a malware delivery service, which includes a rented instance of Microsoft SQL Server to host payloads retrieved by the downloader,” say the researchers.

The takeaway

Researchers recommend that organizations monitor incoming emails and outbound traffic on TCP port 1433. The port must either be blocked on restricted on ACL configuration in the firewall.

The report also lists the Indicators of Compromise (IOCs) to help organizations secure detect infiltration of this malware.