

Security researchers at IBM X-Force have uncovered a new form of banking malware that leverages a remote Microsoft SQL Server to communicate with infected machines.
Dubbed MnuBot, the trojan came to the attention of the researchers because unlike typical malware that directly communicates with a command-and-control server through services such as internet relay chat or direct connections, it uses Microsoft SQL server for C&C communication.
The trojan operates in two stages. In the first infection stage, the trojan checks whether a file called Desk.txt exists in the AppData roaming folder on the Windows PC. If it is not found, MnuBot creates the file, creates a new desktop on the infected machine and switches the user to it. Surprisingly, if the file is found, MnuBot does nothing.
Within the newly created desktop, MnuBot checks the names of foreground windows for ones that resemble the banks it targets. When a match is found, the second stage kicks in: a remote access trojan is downloaded that gives the attacker full control over the victim’s machine, along with additional functions to assist in the theft of banking data.
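The two traits described above, the Desk.txt infection marker in the AppData roaming folder and C&C traffic to a remote MSSQL server, are what a defender can hunt for. The following is an added example, not code from X-Force or from the article, that correlates constructed endpoint telemetry into a per-host indicator set; it assumes a simplified (host, event type, process, detail) event shape, the default MSSQL TCP port 1433 (not stated in the article), and a hypothetical allow-list of legitimate SQL client processes.

```python
import re
from collections import defaultdict

# Constructed sample telemetry in a simplified Sysmon-like shape:
# (host, event_type, process_name, detail). Process and host names are made up.
SAMPLE_EVENTS = [
    ("ws01", "file_create", "updater.exe", r"C:\Users\alice\AppData\Roaming\Desk.txt"),
    ("ws01", "net_connect", "updater.exe", "203.0.113.10:1433"),
    ("ws02", "net_connect", "ssms.exe", "10.0.0.5:1433"),          # legitimate SQL client
    ("ws03", "file_create", "winword.exe", r"C:\Users\bob\AppData\Roaming\notes.txt"),
]

MSSQL_PORT = 1433  # assumption: default MSSQL listener port, not given in the article
# Hypothetical allow-list of processes expected to talk to SQL Server in this environment.
KNOWN_SQL_CLIENTS = {"ssms.exe", "sqlcmd.exe", "sqlservr.exe"}
# The infection marker the article describes: Desk.txt directly under AppData\Roaming.
MARKER_RE = re.compile(r"\\AppData\\Roaming\\Desk\.txt$", re.IGNORECASE)


def score_hosts(events):
    """Map each host to the set of MnuBot-style indicators seen in its events."""
    hits = defaultdict(set)
    for host, etype, proc, detail in events:
        if etype == "file_create" and MARKER_RE.search(detail):
            hits[host].add("desk_txt_marker")
        elif etype == "net_connect":
            try:
                port = int(detail.rsplit(":", 1)[1])
            except (IndexError, ValueError):
                continue  # malformed address field, ignore the event
            if port == MSSQL_PORT and proc.lower() not in KNOWN_SQL_CLIENTS:
                hits[host].add("mssql_from_unexpected_process")
    return dict(hits)


def suspicious_hosts(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct indicators, sorted by name."""
    return sorted(h for h, ind in score_hosts(events).items() if len(ind) >= min_indicators)


if __name__ == "__main__":
    for host, indicators in score_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(indicators))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Requiring two indicators keeps a lone MSSQL connection from an unlisted process (common in many enterprises) from paging an analyst on its own.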
“Once the user has an open browsing session to his banking website account and the second stage executable of MnuBot has been downloaded, the cybercriminal can get to work,” the researchers explained. “At this point, they have an open session to the bank from the victim’s machine” that can use MnuBot’s capabilities. Those include taking browser and desktop screenshots, keylogging, simulating user clicks and keystrokes, and restarting the victim’s machine.
The good news is that, although the researchers describe the trojan as highly advanced, the attacks detected so far have targeted only banks in Brazil. That said, as numerous earlier malware families have shown, such campaigns often evolve over time to target broader geographical areas.