MnuBot Bank Trojans Use Microsoft SQL Server as C&C Server


The IBM X-Force research team discovered a new banking Trojan written in Delphi, a well-known rapid application development tool for the Windows platform. The Trojan, named MnuBot, drew the team's attention because of its unusual command and control (C&C) server.

Most banking Trojans and other malware use a C&C server to communicate with the infected samples and send them commands to execute. Typically the C&C server is some form of web server or an Internet Relay Chat (IRC) channel.

MnuBot, however, appears to be unusual in this respect: it uses a Microsoft SQL Server database server as its C&C channel, communicating with the samples through it and sending commands to be executed on the infected host.

MnuBot is built from two basic components, each representing a different stage of the attack. In the first stage, MnuBot looks for a file called Desk.txt in the user's AppData Roaming folder.

Depending on whether the file exists, MnuBot does the following:

  • If the file doesn’t exist, MnuBot creates it, creates a new desktop, and switches the user workspace to that newly created desktop. This desktop runs side by side with the legitimate user desktop.
  • If the file exists, MnuBot does nothing.

The Desk.txt file lets MnuBot tell which desktop it is running on: if the file exists, the current instance knows it is already running on the newly created desktop.

MnuBot then connects to the C&C server for its initial configuration. To do so, it needs the connection details of the SQL Server database (server address, port, username, and password), which are hard-coded in the sample.

It is worth noting that these details are stored in encrypted form and are decrypted dynamically, just before the connection to the server is initiated.

“It is most likely that MnuBot authors wanted to try to evade regular AV detection, which is based on the malware traffic. To do so, they tried to wrap their malicious network communication using seemingly innocent MS SQL traffic. MnuBot is an excellent example of many malware families in the Brazilian region. It holds many characteristics that are typical of other recently discovered malware strains. For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.”
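Because MnuBot hides its C&C inside ordinary MS SQL traffic, one practical hunting approach is to look for processes that talk to the default SQL Server port but are not known database clients. The following Python script is an added example, not code from the article or from IBM X-Force; the event layout (timestamp, host, image path, destination IP, destination port), the client allow-list, the internal address range and the sample events are all assumptions constructed for the illustration.

```python
"""Hunting example: flag processes that connect to the default Microsoft SQL
Server port (TCP 1433) but are not known database clients.
The log layout, allow-list, internal range and sample events are assumptions."""
import csv
import io
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

MSSQL_PORT = 1433                                # default MS SQL TCP port
KNOWN_SQL_CLIENTS = {"ssms.exe", "sqlcmd.exe"}   # assumed legitimate clients
INTERNAL_NETS = [ip_network("10.0.0.0/8")]       # assumed corporate range

# Constructed sample of process network-connection events (not real data).
SAMPLE_EVENTS = """\
2018-05-30T10:01:12,WS-017,C:\\Program Files (x86)\\Microsoft SQL Server\\140\\Tools\\Binn\\ManagementStudio\\ssms.exe,10.0.5.20,1433
2018-05-30T10:03:44,WS-042,C:\\Users\\alice\\AppData\\Roaming\\update.exe,203.0.113.45,1433
2018-05-30T10:04:01,WS-042,C:\\Program Files\\Internet Explorer\\iexplore.exe,198.51.100.7,443
2018-05-30T10:05:30,WS-009,C:\\Windows\\System32\\svchost.exe,10.0.5.20,1433
"""

def parse_events(text):
    """Yield one dict per CSV line of the assumed event layout."""
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, host, image, dst_ip, dst_port = row
        yield {"ts": ts, "host": host, "image": image,
               "dst_ip": dst_ip, "dst_port": int(dst_port)}

def is_internal(addr):
    """True when the address falls inside the assumed internal ranges."""
    return any(ip_address(addr) in net for net in INTERNAL_NETS)

def find_suspicious_mssql_connections(text, allowed=KNOWN_SQL_CLIENTS):
    """Return (host, image name, dst_ip, severity) for MS SQL connections made
    by binaries outside the allow-list. Severity is 'high' when the destination
    is external or the binary runs from a user's AppData folder (where MnuBot
    keeps its Desk.txt marker), otherwise 'medium'."""
    hits = []
    for ev in parse_events(text):
        if ev["dst_port"] != MSSQL_PORT:
            continue
        name = PureWindowsPath(ev["image"]).name.lower()
        if name in allowed:
            continue
        from_appdata = "\\appdata\\" in ev["image"].lower()
        severity = "high" if (from_appdata or not is_internal(ev["dst_ip"])) else "medium"
        hits.append((ev["host"], name, ev["dst_ip"], severity))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_mssql_connections(SAMPLE_EVENTS):
        print(*hit)
```

Feed it your own endpoint connection events in the same layout and extend the allow-list with the SQL clients actually deployed in your environment.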