Server databases hosting the malware may be compromised

May 11, 2015 14:55 GMT  ·  By

Security researchers spotted a new method for distributing malware, where a banking Trojan is delivered to a compromised computer from a Microsoft SQL database available online.

This operation is not widespread and currently targets users in Brazil, but cybercriminals in other parts of the world may soon learn the lesson and resort to the same tactic in an effort to evade detection by security products.

Final payload is a password stealer

One of the advantages of this method is that it makes it more difficult for system administrators to identify the source of the payload, researchers at Intel Security say.

Usually, malware is hosted on a domain registered by the attackers or on a legitimate one that has been compromised. The user is then tricked into installing a malware downloader on their system, which delivers the malicious payload by accessing the download URL.

During their analysis of multiple spam campaigns, researchers found a malware downloader written in Visual Basic that queries an online database to extract the final payload, a password stealer with support for multiple modules.

“Once executed on the user machine, the downloader will connect to the compromised database server, query the right table, and grab the full payload from the query response,” Guilherme Venere from Intel Security explains in a blog post.
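From a defender's side, the notable artifact of this delivery method is an ordinary workstation process (a script host or an Office client) opening an outbound connection to the SQL Server port, TCP 1433. The following detection sketch is an added example, not code from the article or from Intel Security; the log format, the process allow/deny lists and the sample lines are all constructed assumptions.

```python
"""Flag workstation processes that open outbound connections to the
Microsoft SQL Server (TDS) port, the channel the downloader described
above uses to fetch its payload from a remote database.
Added example; the log format below is an assumption, not a real product's."""
from collections import namedtuple

MSSQL_PORTS = {1433}
# Processes that have no business speaking TDS on an ordinary workstation
# (script hosts and mail/office clients that typically launch such downloaders).
SUSPECT_PROCESSES = {"wscript.exe", "cscript.exe", "powershell.exe",
                     "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Hosts that legitimately talk to SQL Server (assumed allow-list).
ALLOWED_SOURCES = {"app-srv-01"}

Event = namedtuple("Event", "ts host process dst_ip dst_port")

def parse_line(line):
    # Constructed format: "<ts> <host> <process> <dst_ip>:<dst_port>"
    ts, host, process, dest = line.split()
    ip, port = dest.rsplit(":", 1)
    return Event(ts, host, process.lower(), ip, int(port))

def suspicious_tds_connections(lines):
    """Return (host, process, dst_ip) tuples worth investigating."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.dst_port not in MSSQL_PORTS or ev.host in ALLOWED_SOURCES:
            continue
        if ev.process in SUSPECT_PROCESSES:
            hits.append((ev.host, ev.process, ev.dst_ip))
    return hits

# Constructed sample log lines (not real traffic; documentation IP ranges).
SAMPLE_LOG = """\
2015-05-11T10:01:02Z app-srv-01 sqlservr.exe 10.0.5.20:1433
2015-05-11T10:02:15Z ws-0042 wscript.exe 203.0.113.45:1433
2015-05-11T10:02:16Z ws-0042 chrome.exe 198.51.100.7:443
2015-05-11T10:03:40Z ws-0017 winword.exe 203.0.113.45:1433
2015-05-11T10:04:01Z ws-0017 outlook.exe 192.0.2.10:993
""".splitlines()

if __name__ == "__main__":
    for host, proc, ip in suspicious_tds_connections(SAMPLE_LOG):
        print(f"{host}: {proc} -> {ip}:1433")
```

The same rule can be expressed in a SIEM or an egress firewall policy: workstations rarely need to reach port 1433 on the internet at all, so blocking it outright removes this channel entirely.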

Malware downloader spreads via financial-themed email

Apart from stealing credentials stored in the web browser, the malware can also disable G-Buster, a plugin deployed by financial institutions to protect their clients’ online banking sessions. Another capability is taking screenshots when financial accounts are accessed.

Venere says that all the info pilfered from the infected computer is also saved in a database, and the research revealed six nicknames belonging to individuals involved in the distribution and/or development of the malware.

The downloader for the banking Trojan is spread via emails with subject lines referring mainly to financial terms and claiming to deliver a document file in the attachment.

Alternatively, the cybercriminals provide a download link for the alleged document, which leads to a cloud storage location (Google Docs or Dropbox) hosting the script.

The researchers suspect that the database servers the final payload comes from have been compromised, because the malware samples do not stay online very long.