Proofpoint uncovers malware delivery service for hire

Proofpoint Inc.

By Dylan Bushell-Embling
Monday, 30 September, 2019

Proofpoint uncovers malware delivery service for hire

Cybercriminals are using a new method of exploiting Microsoft Office macros and SQL commands to retrieve and install malware, according to Proofpoint.

The security company’s researchers have uncovered a new staged malware downloader they have named WhiteShadow, which appears to be operated as a malware delivery service for hire.

According to Proofpoint, WhiteShadow operates by using macros embedded in malicious document attachments to execute SQL queries against attacker-controlled Microsoft SQL Server databases.

The malware is stored as long ASCII-encoded strings within the SQL database. The macro decodes the string and writes it to disk as a PKZip archive of a Windows executable.

Once extracted by the macro, the executable is run on the system to start installing malware based on specifications within the script configuration stored in the malicious documents.

While early campaigns using WhiteShadow were used to distribute the known Crimson RAT (remote access trojan) malware, Proofpoint has uncovered no evidence tying this round of malware distribution with the culprits behind previous Crimson campaigns.

Instead, the downloader has been observed being used to install other RATs, downloaders and keyloggers, which could suggest that it is being offered as a new malware delivery service for a range of potential threat actors to incorporate into their campaigns.

To guard against the risk of attack, Proofpoint is urging organisations to be cognisant of both the incoming malicious email and outbound traffic on TCP port 1433, which the company said should be blocked — or at least restricted — on modern firewall access control list configurations.

Image courtesy Proofpoint.

Related News

US issues warrants for five alleged APT41 members

The US Department of Justice has issued warrants for five alleged members of the APT41 cybercrime...

Evolving threat landscape a concern for cybersecurity analysts

A survey by Gartner has found that cybersecurity analysts are concerned about the rapidly...

Gartner: Businesses must balance risk, trust and opportunity

Security and risk leaders have been advised to balance risk, trust and opportunity to help their...

  • All content Copyright © 2020 Westwick-Farrow Pty Ltd