CLR SqlShell operators exploit MS SQL servers for cryptomining

May 26, 2023

The new CLR SqlShell malware campaign targets poorly managed MS SQL servers to execute cryptocurrency and ransomware attacks.

Based on reports, the malware is comparable to a web shell that threat actors install on web servers: once its operators have installed it on an MS SQL server, it supports a range of features. Its confirmed capabilities include executing operating-system commands and carrying out further malicious actions on the infected system.

A stored procedure is a subroutine that holds a set of Structured Query Language (SQL) statements for use across several programs in a relational database management system. CLR stands for Common Language Runtime; CLR stored procedures have been available in SQL Server from the 2005 release to the present. The term refers to stored procedures written in a .NET language, such as Visual Basic or C#.


The MS SQL servers are the starting point of the threat actors to install the CLR SqlShell malware.


According to investigations, researchers discovered the attack, in which the threat actors used a CLR stored procedure to install the CLR SqlShell malware on MS SQL servers through the xp_cmdshell command. The command spawns a Windows command shell and takes the command string to run as its input.

Some of the strategies adopted by the malware operators involve compromising internet-exposed MS SQL servers through dictionary and brute-force attacks, then running xp_cmdshell commands and OLE stored procedures to execute the malware. These techniques include those linked with MyKings, LemonDuck, and Vollgar.

The threat actors’ adoption of the CLR stored procedure is the newest technique for malicious entities to abuse MS SQL servers. They could leverage the procedure to download SqlShell routines and deploy additional payloads, such as Metasploit and cryptocurrency miners like LoveMiner, MyKings, and MrbMiner.

Furthermore, numerous threat groups have used SqlShell variants named CLRSQL, SqlHelper, and CLR_module to elevate their privileges on infected servers and launch additional activities such as ransomware and proxyware. Lastly, the strategies could allow a threat group to incorporate malicious capabilities to execute reconnaissance efforts in targeted networks.

The MS SQL servers are constantly facing new challenges from different threats. Therefore, users and researchers should adopt advanced defence mechanisms to mitigate such threats to these servers.
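The following T-SQL audit script is an added example for defenders and is not part of the original article or of any tooling it describes. It surfaces the instance settings and database objects the campaign above depends on: the 'clr enabled', 'xp_cmdshell' and 'Ole Automation Procedures' switches, any user-defined CLR assemblies and the stored procedures backed by them, and the failed-login entries that a dictionary or brute-force attempt leaves in the SQL Server error log. The catalog views and procedures used are standard SQL Server objects; the object and assembly names in the commented remediation section are placeholders. Run it as a sysadmin; the assembly queries are per-database, so repeat them in each user database.

```sql
-- Added audit script (not from the article): review the MS SQL settings and
-- objects a CLR SqlShell deployment relies on. Read-only apart from the
-- commented remediation block at the end.

-- 1. Configuration switches the operators need turned on.
--    'xp_cmdshell' and 'Ole Automation Procedures' are off by default;
--    'clr enabled' must be 1 before any CLR stored procedure can execute.
--    'clr strict security' only exists on SQL Server 2017 and later.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security',
               'xp_cmdshell', 'Ole Automation Procedures');

-- 2. User-defined assemblies in the current database: a SqlShell is loaded
--    as one of these. Microsoft-shipped assemblies are excluded by
--    is_user_defined = 1. An UNSAFE permission set lets the assembly start
--    processes and touch the file system, so it deserves the closest look.
SELECT DB_NAME()               AS database_name,
       a.name                  AS assembly_name,
       a.permission_set_desc,
       a.create_date,
       a.modify_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1;

-- 3. Stored procedures and functions backed by those assemblies, with the
--    .NET class and method each one maps to.
SELECT SCHEMA_NAME(o.schema_id) AS schema_name,
       o.name                   AS object_name,
       o.type_desc,
       a.name                   AS assembly_name,
       m.assembly_class,
       m.assembly_method,
       o.create_date
FROM sys.assembly_modules AS m
JOIN sys.objects    AS o ON o.object_id   = m.object_id
JOIN sys.assemblies AS a ON a.assembly_id = m.assembly_id
WHERE a.is_user_defined = 1;

-- 4. Failed logins in the current SQL Server error log (log 0, type 1 = SQL
--    log). A burst of entries against 'sa' or a handful of accounts is the
--    dictionary/brute-force stage described in the article.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- 5. Remediation once an unwanted assembly has been confirmed: drop the CLR
--    objects, then the assembly, then turn the switches back off.
--    <clr_proc_name> and <assembly_name> are placeholders to fill in.
-- DROP PROCEDURE dbo.<clr_proc_name>;
-- DROP ASSEMBLY <assembly_name>;
-- EXEC sp_configure 'show advanced options', 1;
-- RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;
-- EXEC sp_configure 'Ole Automation Procedures', 0;
-- RECONFIGURE;
```

Step 1 is the quickest triage: on a server that has no legitimate CLR code, a value_in_use of 1 for 'clr enabled' or 'xp_cmdshell' is by itself worth an investigation. Steps 2 and 3 pair a suspicious assembly with the procedure names the operators would call, which is what you need to match against query logs or xp_cmdshell usage.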

