Pierluigi Paganini September 29, 2019

Researchers at Proofpoint have spotted a piece of downloader, dubbed WhiteShadow, that leverages Microsoft SQL queries to pull and deliver malicious payloads. 

In August, malware researchers at Proofpoint spotted a new downloader which is being used to deliver a variety of malware via Microsoft SQL queries. The experts detected new Microsoft Office macros, which collectively act as a staged downloader, and tracked it as WhiteShadow.

Initially the downloader was involved in a small campaign aimed at distributing the Crimson RAT, over the time researchers observed the implementation of detection evasion techniques.

“In August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was in the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as “ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed strings such as “StrReverse(“piz.Updates\stnemucoD\”)”.” reads the analysis published by Proofpoint.

“The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as “skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”.”

Experts believe that WhiteShadow is one component of a malware delivery service that includes a rented instance of Microsoft SQL Server to host various payloads retrieved by the downloader. Experts observed the downloader in campaigns spreading Crimson RAT, Agent Tesla, AZORult, and multiple keyloggers.

The macros observed in the campaigns, once enables, execute SQL queries to retrieve the malicious code, stored as ASCII-encoded strings, from Microsoft SQL Server databases controlled by threat actors. 

The result of the query is written to disk as a PKZip archive of a Windows executable. 

“WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable. The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office.” continues the report.

“Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments.”

Proofpoint warns that the Microsoft SQL technique is still a rarity in the threat landscape, but threat actors could increasingly adopt it in future campaigns. 

Pierluigi Paganini

(SecurityAffairs – WhiteShadow, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]