MnuBot Bank Trojans Use Microsoft SQL Server as C&C Server

The IBM X-Force research team discovered a new banking Trojan based on Delphi, a well-known rapid application development tool for the Windows platform. The bank Trojan was named MnuBot Bank Trojan. What drew the attention of the IBM X-Force research team was its unusual command and control (C&C) server.

For most bank Trojans or other types of malware, they use a C&C server to communicate with malware and send commands to be executed. Generally, a C&C server will be based on some form of a Web server or Internet Relay Chat (IRC) channel.

However, the MnuBot Bank Trojan seems to be somewhat unique at this point. It chose to use the Microsoft SQL Server database server to communicate with the samples and send commands to be executed on the infected host.

MnuBot is built from two basic components, each representing a different stage of the attack process. In the first stage, MnuBot looks for a file called Desk.txt in the AppData Roaming folder.

Depending on whether the file exists, MnuBot does the following:

• If the file doesn’t exist, MnuBot creates the file, creates a new desktop and switches the user workspace to that newly created desktop. This desktop runs side by side to the legitimate user desktop.
• If the file exists, MnuBot does nothing.

Using the Desk.txt file, MnuBot can know which desktop is running. Therefore, if the file exists, MnuBot can be clear that its current instance is running on the new desktop.

MnuBot connects to the C&C server for initial configuration. To connect to the server, MnuBot requires the details of the SQL Server database server (server address, port, username, and password), which is hard-coded in the example.

It is worth mentioning that this information is stored in an encrypted form and is dynamically decrypted before the connection to the server is initiated.

“It is most likely that MnuBot authors wanted to try to evade regular AV detection, which is based on the malware traffic. To do so they tried to wrap their malicious network communication using seemingly innocent MS SQL traffic. MnuBot is an excellent example of many malware families in the Brazilian region. It holds many characteristics that are typical of other recently discovered malware strains. For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.”

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.