New MS-SQL Server Attack Campaign Leverages GotoHTTP for Remote Access

GotoHTTP
GotoHTTP webpage

Experts from the AhnLab Security Intelligence Center (ASEC) have uncovered new attacks on MS-SQL servers, targeting unsecured accounts and weak passwords. In this malicious campaign, the attackers employed the legitimate remote administration tool GotoHTTP, a tool rarely seen in such operations.

Hackers typically resort to more commonly used tools like AnyDesk, TeamViewer, or AmmyyAdmin. These are also designed for legitimate remote system management, yet nothing prevents cybercriminals from using them for illicit purposes.

In the campaign under analysis, to compromise the MS-SQL server, the attackers initially deployed CLR SqlShell, akin to WebShell for conventional web servers. SqlShell provides access to system commands and control capabilities on the compromised host. Through this tool, the attackers gathered device and network information using commands like “whoami.exe,” “systeminfo.exe,” and “netstat.exe.”

The next phase of the attack involved the deployment of privilege escalation tools such as PetitPotato, SweetPotato, and others from the “Potato” series. These programs allow attackers to bypass low privilege restrictions within the system and gain broader access to management functions. Additionally, in this attack, the hackers created new accounts with passwords designed to ensure future access to the system.

Simultaneously, the attackers installed the GotoHTTP program to gain remote control over the server. Once launched, a configuration file is automatically generated containing the “Computer Id” and “Access Code,” enabling remote control of the infected system. This access allows the attackers full control via a graphical interface.

This case highlights an ongoing trend in cybercriminal activities: the use of existing legitimate utilities rather than creating custom malware from scratch or renting software under the MaaS model. Moreover, legitimate software helps attackers bypass security measures, as antivirus programs do not flag tools like AnyDesk, which is frequently used by administrators for lawful remote system management.

The primary targets of such MS-SQL server attacks are systems with weak passwords, enabling attackers to perform brute-force or dictionary attacks. Experts recommend the use of complex, frequently changed passwords and the regular updating of antivirus solutions to their latest versions. Additional protection can be achieved by restricting access to servers through firewalls and other security measures.

Given the increasing number of attacks on vulnerable MS-SQL servers, administrators are advised to closely monitor system security and implement every possible measure to strengthen protection.

Related Posts: