Posted on May 30, 2018 at 3:26 PM
New Banking Trojan was Found Hiding in the MSSQL Traffic
Researchers from IBM have uncovered yet another new banking trojan. Named MnuBot, it has already become infamous for using several new tricks to avoid detection. So far, the trojan has only been targeting Brazil.
New banking trojan discovered
New malicious software is found almost every day, and IBM's researchers have done their part in detecting it. Their newest discovery is a banking trojan named MnuBot, which has proved skilled at hiding from detection. The researchers report that the trojan is written in Delphi and currently targets Brazil. Trojans of this kind are usually not very sophisticated, but this one has proven cunning, thanks to an unusual trick it employs to hide itself.
Attacker controls the trojan through MSSQL database
Jonathan Lusky, a researcher in IBM Security's Trusteer group, states that MnuBot is controlled remotely through a Microsoft SQL Server (MSSQL) database. This is an unusual way for malware to operate: most malware talks to web applications or web servers, and establishing a connection directly to a database is a rare occurrence.
In his published report, Lusky states that encrypted credentials were found in MnuBot's code. The trojan uses them to establish a connection to a remote database: upon infecting a device, it decrypts the credentials and then uses them to connect to the remote server.
From then on, all communication between the malware and the server is masked as SQL traffic, which makes it even harder to detect. The trojan is free to send and receive command requests without giving the user any cause for suspicion. According to Lusky, this was probably done to evade detection by antivirus software that monitors the computer's traffic for potential malware activity.
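The flip side of hiding command-and-control inside SQL traffic is that a workstation opening a database session to a server nobody sanctioned is itself a signal. The following is an added example, not code from the article or from IBM's report: it parses a handful of constructed firewall log lines and flags connections to MS SQL ports that do not go to a known database server, rating connections to hosts outside the RFC 1918 ranges as more severe. The default TCP port 1433, the log line format, the allowlist and the addresses are all assumptions made for the example; the article names none of them.

```python
"""Flag workstation connections to MS SQL ports that do not go to sanctioned database servers."""
import ipaddress
import re

# Assumption: MnuBot's C2 is an MS SQL server, so the default SQL Server TCP port is
# the first thing to watch. The article names no port; extend this for your estate.
MSSQL_PORTS = {1433}

# Assumption: the organisation's sanctioned SQL Server hosts (constructed for this example).
KNOWN_DB_SERVERS = {"10.0.1.10"}

# Private address space; anything outside it is treated as an external destination.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log format: one flow per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: two workstations reach an external host on 1433, one reaches an
# internal host that is not on the allowlist, the rest is sanctioned or unrelated traffic.
SAMPLE_LOG = """\
2018-05-30T10:01:02Z src=10.0.5.21 dst=10.0.1.10 dport=1433 proto=tcp
2018-05-30T10:01:05Z src=10.0.5.21 dst=198.51.100.77 dport=1433 proto=tcp
2018-05-30T10:01:09Z src=10.0.5.22 dst=93.184.216.34 dport=443 proto=tcp
2018-05-30T10:02:11Z src=10.0.7.3 dst=10.0.1.10 dport=1433 proto=tcp
2018-05-30T10:02:25Z src=10.0.5.24 dst=10.0.9.9 dport=1433 proto=tcp
2018-05-30T10:02:40Z src=10.0.5.23 dst=198.51.100.77 dport=1433 proto=tcp
"""


def is_internal(ip):
    """True when the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Parse one log line into a dict, or return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_suspicious_mssql_connections(lines):
    """Return one finding per TCP connection to an MS SQL port whose destination is not sanctioned."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in MSSQL_PORTS:
            continue
        if rec["dst"] in KNOWN_DB_SERVERS:
            continue
        external = not is_internal(rec["dst"])
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "dport": rec["dport"],
            "severity": "high" if external else "medium",
            "reason": "MSSQL session to external host" if external else "MSSQL session to unlisted internal host",
        })
    return findings


def summarize_by_destination(findings):
    """Count distinct source hosts per flagged destination; several workstations talking to
    the same unknown SQL server is a stronger signal than a single one."""
    sources = {}
    for f in findings:
        sources.setdefault(f["dst"], set()).add(f["src"])
    return {dst: len(srcs) for dst, srcs in sources.items()}


if __name__ == "__main__":
    hits = find_suspicious_mssql_connections(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print(summarize_by_destination(hits))
```

Running the block on the constructed log yields three findings: two high-severity sessions from different workstations to the same external host, and one medium-severity session to an internal host that is not a sanctioned database server. In a real deployment the allowlist would be generated from the CMDB, and the destination summary is what turns individual flows into an incident worth escalating.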
Trojan’s creators know what they are doing
Whoever created this trojan clearly knew what they were doing, which suggests that its developers are a professional crew with a lot of experience. The additional advantages this design offers confirm that impression. One example is that MnuBot's operator can take full control over its actions at any time. This is possible because the trojan fetches its configuration files via the MSSQL server instead of carrying them as part of its own data.
The attacker can use this to push updates with additional orders that let the trojan target new banks in an instant. The operators can also cut off their connection to the malware if they feel threatened, which makes it completely unresponsive: it behaves as if it had lost its signal and stopped operating, which prevents researchers from studying it.
Clearly, the malware's developers are not doing this for the first time, especially considering how advanced the trojan is, even though it was written in Delphi.
Trojan’s design is modular
Upon studying the trojan, the researchers found that it consists of two separate components. The first handles infecting the target's device and checks whether the device has a file called ‘Desk.txt’ in its AppData Roaming folder. If the file is found, the malware knows that this particular device was already infected and moves on.
If there is no such file, MnuBot's first component creates it and opens a completely new desktop, hidden from view, where it continues its operation. The data for this is stored in the Desk.txt file the component has just created.
The second component is similar to a RAT (Remote Access Trojan). This is the part of the trojan that ‘talks’ to the MSSQL database and performs various actions depending on the orders it receives, including restarting the PC, simulating clicks or keyboard input, uninstalling apps, retrieving files, and more.
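A marker the malware writes to decide whether a machine is already infected is also a marker a defender can sweep for. The following is an added example, not code from the article or from IBM's report: it walks a profiles root (such as C:\Users) and reports every profile whose AppData\Roaming folder contains Desk.txt, with the file's size and modification time so the finding can be correlated with other events. The Windows profile layout, the profiles root and the demo directory tree it builds for a stand-alone run are assumptions made for the example; only the file name and folder come from the article.

```python
"""Sweep user profiles for the Desk.txt marker the article describes in AppData\\Roaming."""
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Marker file name and folder as reported in the article.
MARKER_NAME = "Desk.txt"


def marker_path_for_profile(profile_dir):
    """Where the marker would sit for one user profile (Windows profile layout assumed)."""
    return Path(profile_dir) / "AppData" / "Roaming" / MARKER_NAME


def sweep_profiles(profiles_root):
    """Check every profile directory under profiles_root (e.g. C:\\Users) for the marker.
    Returns a list of findings; an empty list means no marker was found."""
    findings = []
    root = Path(profiles_root)
    if not root.is_dir():
        return findings
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        candidate = marker_path_for_profile(profile)
        if candidate.is_file():
            st = candidate.stat()
            findings.append({
                "profile": profile.name,
                "path": str(candidate),
                "size": st.st_size,
                "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
            })
    return findings


def build_demo_tree(base):
    """Constructed layout for a stand-alone run: two profiles, one carrying the marker."""
    clean = Path(base) / "alice" / "AppData" / "Roaming"
    infected = Path(base) / "bob" / "AppData" / "Roaming"
    clean.mkdir(parents=True, exist_ok=True)
    infected.mkdir(parents=True, exist_ok=True)
    # Constructed content; the real marker's contents are not described in the article.
    (infected / MARKER_NAME).write_text("constructed marker content\n")
    return base


def demo_sweep():
    """Build the constructed tree in a temporary directory, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return sweep_profiles(tmp)


if __name__ == "__main__":
    for finding in demo_sweep():
        print(finding)
```

On a real host you would call sweep_profiles with the actual profiles root instead of the constructed tree; the function is deliberately read-only, so it can run from a scheduled task or an EDR script without altering anything an investigator might later want to preserve. A hit on its own only says the first component ran; the modification time is what lets you line it up with the SQL sessions seen on the network.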
This trojan is especially effective because it is a step into an unexplored field of malicious infections. Brazilian banks are not known for their ability to handle threats even on their best day, which makes this new threat that much more dangerous.