Proofpoint uncovers malware delivery service for hire

Proofpoint Inc.

By Dylan Bushell-Embling
Monday, 30 September, 2019

Proofpoint uncovers malware delivery service for hire

Cybercriminals are using a new method of exploiting Microsoft Office macros and SQL commands to retrieve and install malware, according to Proofpoint.

The security company’s researchers have uncovered a new staged malware downloader they have named WhiteShadow, which appears to be operated as a malware delivery service for hire.

According to Proofpoint, WhiteShadow operates by using macros embedded in malicious document attachments to execute SQL queries against attacker-controlled Microsoft SQL Server databases.

The malware is stored as long ASCII-encoded strings within the SQL database. The macro decodes the string and writes it to disk as a PKZip archive of a Windows executable.

Once extracted by the macro, the executable is run on the system to start installing malware based on specifications within the script configuration stored in the malicious documents.

While early campaigns using WhiteShadow were used to distribute the known Crimson RAT (remote access trojan) malware, Proofpoint has uncovered no evidence tying this round of malware distribution with the culprits behind previous Crimson campaigns.

Instead, the downloader has been observed being used to install other RATs, downloaders and keyloggers, which could suggest that it is being offered as a new malware delivery service for a range of potential threat actors to incorporate into their campaigns.

To guard against the risk of attack, Proofpoint is urging organisations to be cognisant of both the incoming malicious email and outbound traffic on TCP port 1433, which the company said should be blocked — or at least restricted — on modern firewall access control list configurations.

Image courtesy Proofpoint.

Related News

Ransomware gangs consecutively attacking

Three prominent ransomware gangs have adopted a combined approach that sees consecutive attacks...

Companies rethinking security strategies for hybrid

Organisations are increasing investments in technologies that allow them to provide a simpler,...

Aussie orgs still struggling to identify cyber risk

New research from Trend Micro has revealed that 48% of Australian organisations feel their cyber...

  • All content Copyright © 2022 Westwick-Farrow Pty Ltd