Trojan MnuBot Leverages Microsoft SQL For Evasion, Targets Brazilian Banks

A recently discovered malware named MnuBot functions as a remote access trojan (RAT) and uses Microsoft SQL server database as command and control (C&C) server. The Delphi-based malware attacks in two phases, and appears to combine behaviors of recently discovered malware strains commonly used in Brazil.

[Read: A brief history of notable online banking Trojans]

In Phase 1 of the attack, the malware searches for Desk.txt and does nothing if it finds the file since it means it's running on a new desktop. If the file doesn’t exist, the malware creates a new desktop and switches the user to the new one. Server details are decrypted and used to complete the initial configuration, while MnuBot checks to find a similar name in its configuration of bank names and communicates with the C&C to proceed to the second stage.

Phase 2 of the MnuBot attack involves a RAT that provides the cybercriminal complete control. A web form overlay similar to the real banking website misleads the victim, prompting the user to enter credentials for access. Meanwhile, the cybercriminals can use the stolen credentials to make illegal transactions from their end. Attack and endpoint hijacking capabilities also include:

  • capturing browser and desktop screenshots
  • keylogging
  • clicks and keystrokes simulations
  • machine restart
  • uninstalling antivirus software
  • form overlays
  • social engineered requests for additional information

Research analysts see the masking of malicious network communication as regular MSSQL traffic as a detection evasion technique. The MnuBot developers can also dynamically change the malware’s activity by modifying the configurations directly on the server. This can prevent research analysts from investigating its origins via reverse engineering, as strings in the configuration include shutting the malware or the database server down once the threat actors detect queries on the commands and files.

[Read: Is online banking safe?]

Cybercriminals are developing new techniques to sharpen their fraudulent activities, therefore calling for new and updated security solutions and awareness to protect personal and enterprise data and systems. Here are a few ways to protect your financial transactions:

  • Be careful of requests for sensitive information that can be used as access credentials. Banks do not directly ask for information sent via email. Call the bank directly to confirm requests for information, and look up the bank’s number from a verified source, not the contact numbers stated in suspicious email messages.
  • Be aware of links and websites you visit. Instead of clicking on a link directly from an email, type the URL on a separate window.
  • Regularly download updates from legitimate vendors.
  • Observe your system. If your computer displays new windows and pop-ups without prompt, or experiencing system slowdowns, run your security software scan to make sure your system is not infected.
 [Read: Banking Trojans as a service – Theft made easy in Brazil]

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.