Proofpoint uncovers malware delivery service for hire

Cybercriminals are using a new method of exploiting Microsoft Office macros and SQL commands to retrieve and install malware, according to Proofpoint.

The security company’s researchers have uncovered a new staged malware downloader they have named WhiteShadow, which appears to be operated as a malware delivery service for hire.

According to Proofpoint, WhiteShadow operates by using macros embedded in malicious document attachments to execute SQL queries against attacker-controlled Microsoft SQL Server databases.

The malware is stored as long ASCII-encoded strings within the SQL database. The macro decodes the string and writes it to disk as a PKZip archive of a Windows executable.

Once extracted by the macro, the executable is run on the system to start installing malware based on specifications within the script configuration stored in the malicious documents.

While early campaigns using WhiteShadow were used to distribute the known Crimson RAT (remote access trojan) malware, Proofpoint has uncovered no evidence tying this round of malware distribution with the culprits behind previous Crimson campaigns.

Instead, the downloader has been observed being used to install other RATs, downloaders and keyloggers, which could suggest that it is being offered as a new malware delivery service for a range of potential threat actors to incorporate into their campaigns.

To guard against the risk of attack, Proofpoint is urging organisations to be cognisant of both the incoming malicious email and outbound traffic on TCP port 1433, which the company said should be blocked — or at least restricted — on modern firewall access control list configurations.

Image courtesy Proofpoint.