kamiran.asia, posted June 12, 2021:

Hi Dears. In these two weeks our support team found some SQL Servers infected with this problem: many ESET FS event log entries show that sqlservr.exe wants to download hxxp://dl.love-network.cc/SqlBase.exe, so ESET blocks it by Web Access Protection.

Info: port 1433 was open on the internet. (We force customers to secure this port with VPN or ...)

How can we find where these commands are run from, to clean it manually?

This is the ESET Log Collector log: https://we.tl/t-OeSUn9AXTc
kamiran.asia (author), posted June 12, 2021:

As we analyzed SqlBase.exe: it's a Trojan downloader that installs a coin miner (SqlConn.exe) that ESET detects as Win64/CoinMiner.FQ. But still we did not find how SQL Server ran the download command!? No job or scheduled task, ...
itman, posted June 12, 2021:

For starters, on an infected device check if the following exists: %WINDIR%\FONTS\SQLCONN.EXE
kamiran.asia (author), posted June 12, 2021:

Quoting itman (36 minutes ago): "For starters, on an infected device check if the following exists: %WINDIR%\FONTS\SQLCONN.EXE"

Dear @itman, there is no SQLCONN.EXE in that location; we can't even find sqlconn.exe in the SysInspector log (https://we.tl/t-OeSUn9AXTc).
itman, posted June 12, 2021:

What about sqlbase.exe, since this is the malicious parent process? Does that show in SysInspector?

BTW - I believe a malicious sqlbase engine was installed. Also it appears you found the malicious versions sqlbase.exe and sqlconn.exe since they are sitting on your desktop. Is the issue that these keep reappearing on the infected devices?

Also submit sqlservr.exe from one of these devices with issues to VirusTotal for a scan.

Edited June 12, 2021 by itman
kamiran.asia (author), posted June 12, 2021:

Quoting itman (5 hours ago): "What about sqlbase.exe, since this is the malicious parent process? Does that show in SysInspector? BTW - I believe a malicious sqlbase engine was installed. Also it appears you found the malicious versions sqlbase.exe and sqlconn.exe since they are sitting on your desktop. Is the issue that these keep reappearing on the infected devices? Also submit sqlservr.exe from one of these devices with issues to VirusTotal for a scan."

The screenshot is from our test system. On the SQL Server we just see that ESET blocks hxxp://dl.love-network.cc/SqlBase.exe; it means that C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe is downloading hxxp://dl.love-network.cc/SqlBase.exe and ESET blocks it. We are searching for the source of these commands.
itman, posted June 12, 2021:

Quoting kamiran.asia (23 hours ago): "it means that C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe is downloading hxxp://dl.love-network.cc/SqlBase.exe and ESET blocks it."

You might want to refer to this article:

Quote: "The Mrbminer investigation begins with the Microsoft SQL Server (sqlservr.exe) process launching a file called assm.exe, a downloader Trojan. The assm.exe program downloads the cryptominer payload from a web server, then connects to its command-and-control server to report the successful download and execution of the miner."

Also of note:

Quote: "While our records don't reveal exactly how the malware gained a foothold on the database servers, it stands to reason the attackers may have used similar techniques as the MyKings, Lemon_Duck, or Kingminer miners, whose attack methods we have documented in previous articles."

https://www.sophos.com/en-us/press-office/press-releases/2021/01/sophos-identifies-source-of-mrbminer-attacks-targeting-database-servers.aspx

EDIT: In regards to the above, the "similar techniques" referenced all employed some form of brute-force attack element against the server and/or exploitation of system vulnerabilities. Since it appears sqlservr.exe in your situation is directly initiating the Trojan download attempt, I assume some type of code injection is being performed against it. Again, this assumes that sqlservr.exe is a legit Windows file. Or, if the server has been compromised and is accessible to the attacker, any method he chooses to initiate further malicious download activities.

Edited June 13, 2021 by itman
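The following T-SQL triage script is an added example and is not from any poster in this thread, from ESET or from Sophos. It addresses the original question ("how can we find where these commands are run from", with no Agent job or scheduled task present) and itman's brute-force/compromise point together. The working assumption, which the thread does not confirm, is that sqlservr.exe appears as the downloader because attacker-planted T-SQL is executing inside the legitimate engine through xp_cmdshell, OLE Automation (sp_OACreate with WinHttp/XMLHTTP) or a CLR assembly, and that it is re-launched by an in-engine persistence point such as a startup procedure or server trigger. Only the host name and file name from the thread are real indicators; the other search strings are generic assumptions, and sp_MSforeachdb is an undocumented Microsoft procedure. The script is read-only and should be run as sysadmin on the affected instance.

```sql
-- Added triage script (assumed mechanisms, not confirmed by the thread):
-- enumerate ways sqlservr.exe can itself spawn OS commands or HTTP requests,
-- and persistence points that need no SQL Agent job or Windows scheduled task.
-- Read-only. Run as sysadmin on the affected instance (sqlcmd or SSMS).

-- 1. Server options that let T-SQL reach the OS or the network.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled',
               'Ad Hoc Distributed Queries')
  AND value_in_use = 1;

-- 2. Procedures flagged to auto-run at instance start (sp_procoption).
--    They must live in master and run with sysadmin rights, so a miner
--    launcher here survives reboots with no job or task at all.
SELECT name, create_date, modify_date
FROM master.sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 3. Server-scope LOGON / DDL triggers fire on every login or DDL statement.
SELECT name, create_date, modify_date, is_disabled
FROM sys.server_triggers;

-- 4. Agent jobs, including disabled ones, whose steps leave T-SQL or
--    call the command/HTTP primitives (double-check even if "no job" was seen).
SELECT j.name, j.enabled, s.step_id, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell')
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%sp_OACreate%';

-- 5. In every database: user CLR assemblies (EXTERNAL_ACCESS / UNSAFE can
--    use .NET networking and Process.Start) and any module whose text
--    contains a command or HTTP primitive, or the host/file reported above.
--    sp_MSforeachdb is undocumented; loop over sys.databases if unavailable.
EXEC sp_MSforeachdb N'
USE [?];
SELECT DB_NAME() AS db, name, permission_set_desc, create_date, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1;
SELECT DB_NAME() AS db,
       OBJECT_SCHEMA_NAME(m.object_id) + N''.'' + OBJECT_NAME(m.object_id) AS module_name,
       o.type_desc, o.create_date, o.modify_date
FROM sys.sql_modules AS m
JOIN sys.objects AS o ON o.object_id = m.object_id
WHERE m.definition LIKE ''%xp_cmdshell%''
   OR m.definition LIKE ''%sp_OACreate%''
   OR m.definition LIKE ''%WinHttp%''
   OR m.definition LIKE ''%XMLHTTP%''
   OR m.definition LIKE ''%love-network%''
   OR m.definition LIKE ''%SqlBase.exe%'';
';

-- 6. Who holds sysadmin, with dates: on an internet-exposed 1433 the usual
--    foothold is a brute-forced sa or a login the attacker created.
SELECT p.name, p.type_desc, p.create_date, p.modify_date, p.is_disabled
FROM sys.server_principals AS p
JOIN sys.server_role_members AS rm ON rm.member_principal_id = p.principal_id
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';

-- 7. Brute-force evidence in the current error log
--    (args: 0 = current log, 1 = SQL Server log, then two text filters).
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', N'sa';
```

Any hit in queries 2, 3 or 5 that references xp_cmdshell, sp_OACreate or the download host is the likely launcher; script its definition out for the incident record before dropping it, then disable the options from query 1 with sp_configure and reset every sysadmin login listed in query 6. Because the code runs inside sqlservr.exe, host-level tools such as SysInspector will not show a separate malicious process until the download actually succeeds, which is consistent with ESET logging the engine itself as the downloader.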