UPDATED 00:26 EDT / MAY 30 2018

New form of banking malware leverages Microsoft SQL Server

Security researchers at IBM X-Force have uncovered a new form of banking malware that leverages a remote Microsoft SQL Server to communicate with infected machines.

Dubbed MnuBot, the trojan came to the attention of the researchers because, unlike typical malware that communicates directly with a command-and-control server through services such as internet relay chat or direct connections, it uses Microsoft SQL Server for its C&C communication.

The trojan features two stages. In the first infection stage, the trojan checks whether a file called Desk.txt exists in the AppData roaming folder on a Windows PC. If one is not found, MnuBot creates the file, creates a new desktop on the infected machine and switches the user to it. Surprisingly, if the file is found, MnuBot does nothing.

Within the newly created desktop, MnuBot checks the names of foreground windows for matches against the banks it targets. When one is found, the second stage kicks in, downloading a remote access trojan that gives the attacker full control over the victim’s machine along with additional functions to assist in the theft of banking data.

“Once the user has an open browsing session to his banking website account and the second stage executable of MnuBot has been downloaded, the cybercriminal can get to work,” the researchers explained. “At this point, they have an open session to the bank from the victim’s machine” that can use MnuBot’s capabilities. Those include creating browser and desktop screenshots, keylogging, simulating user clicks and keystrokes, and restarting the victim’s machine.
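A defender-side detection sketch for the two indicators described above, added here as an illustration and not part of the X-Force research or this article: it scans constructed Sysmon-style JSON events (sample data, not real logs) for the Desk.txt marker in AppData\Roaming and for outbound TCP 1433 (SQL Server) connections to non-internal addresses, then correlates hosts that show both. The internal network ranges and the external SQL allowlist are assumptions for the example.

```python
import ipaddress
import json

# Assumed internal ranges: a workstation speaking to SQL Server (TCP 1433)
# outside these is unusual and matches MnuBot's SQL-Server-based C&C pattern.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical allowlist of external SQL Server endpoints the business really uses.
ALLOWED_EXTERNAL_SQL = {"198.51.100.7"}
# First-stage artefact named in the X-Force write-up (compared case-insensitively).
DESK_MARKER = "\\appdata\\roaming\\desk.txt"

# Constructed Sysmon-style telemetry as JSON lines (sample data, not real logs).
SAMPLE_EVENTS = "\n".join([
    r'{"type":"FileCreate","host":"WS-01","image":"C:\\Users\\ana\\Temp\\upd.exe","target":"C:\\Users\\ana\\AppData\\Roaming\\Desk.txt"}',
    r'{"type":"NetworkConnect","host":"WS-01","image":"C:\\Users\\ana\\Temp\\upd.exe","dip":"203.0.113.45","dport":1433}',
    r'{"type":"NetworkConnect","host":"WS-02","image":"C:\\Program Files\\App\\app.exe","dip":"10.0.5.20","dport":1433}',
    r'{"type":"FileCreate","host":"WS-02","image":"C:\\Windows\\explorer.exe","target":"C:\\Users\\bob\\AppData\\Roaming\\notes.txt"}',
    r'{"type":"NetworkConnect","host":"APP-03","image":"C:\\Svc\\sync.exe","dip":"198.51.100.7","dport":1433}',
    r'{"type":"NetworkConnect","host":"WS-04","image":"C:\\Tools\\curl.exe","dip":"203.0.113.9","dport":443}',
])


def is_internal(ip_text):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def scan(events_text):
    """Return (host, rule, detail) tuples for events matching a MnuBot-style indicator."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["type"] == "FileCreate" and ev["target"].lower().endswith(DESK_MARKER):
            findings.append((ev["host"], "desk_txt_marker", ev["target"]))
        elif (ev["type"] == "NetworkConnect" and ev["dport"] == 1433
              and not is_internal(ev["dip"]) and ev["dip"] not in ALLOWED_EXTERNAL_SQL):
            findings.append((ev["host"], "external_mssql_c2", f'{ev["image"]} -> {ev["dip"]}:1433'))
    return findings


def hosts_with_both_stages(findings):
    """Hosts showing both the file marker and external SQL Server traffic (high confidence)."""
    by_host = {}
    for host, rule, _ in findings:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items()
                  if {"desk_txt_marker", "external_mssql_c2"} <= rules)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(*hit)
    print("both stages on:", hosts_with_both_stages(hits))
```

Note that Python's own `ip_address(...).is_private` treats the documentation ranges used here (203.0.113.0/24, 198.51.100.0/24) as private, so the example checks explicit RFC 1918 networks instead.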

The good news is that although the researchers describe the trojan as highly advanced, the attacks so far have been detected targeting only banks in Brazil. That said, as has been seen with numerous forms of malware previously, such campaigns often evolve over time to target broader geographical areas.

Image: Starkus01/Wikimedia Commons
