A downloader has been uncovered that uses Microsoft SQL to retrieve malware.
The downloader, dubbed WhiteShadow by security researchers at ProofPoint, is a malware delivery service that allows 'threat actors to potentially incorporate the downloader and associated Microsoft SQL Server infrastructure into their attacks.'
In August this year, malicious email campaigns were noted distributing Microsoft Word and Microsoft Excel attachments containing the WhiteShadow downloader Visual Basic macro.
When victims open a malicious document attachments and activate macros, WhiteShadow executes an SQL query against the Microsoft SQL Server databases. Malware is stored in the database as ASCII-encoded strings, which are decoded by the macro and written to disk as a PKZip archive of a Windows executable.
WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server and execute queries.
'The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office,' the researchers say. 'Once the connector is installed on the system, it can be used by various parts of the Windows subsystem and by Visual Basic scripts including macros in Microsoft Office documents.'
Researchers have noted threat actors using WhiteShadow to install RATs, downloaders, and keyloggers including Agent Tesla, AZORult and Crimson.
While the campaigns employing this method have been relatively small (so far), the use of Microsoft SQL queries such as this, while not unheard of, are unusual in the wild.
