{"id":87753,"date":"2019-05-28T11:31:42","date_gmt":"2019-05-28T06:01:42","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=87753"},"modified":"2019-05-30T11:43:45","modified_gmt":"2019-05-30T06:13:45","slug":"apt-27-like-newcore-rat-virut-exploiting-mysql-targeted-attacks-enterprise","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/apt-27-like-newcore-rat-virut-exploiting-mysql-targeted-attacks-enterprise\/","title":{"rendered":"APT-27 like Newcore RAT, Virut exploiting MySQL for targeted attacks on enterprise"},"content":{"rendered":"<p>In today\u2019s world data is everything, and storing and processing this large amount of data depends on computing devices. Database servers used to store this precious data include MySQL, MongoDB, MSSQL, etc. Unfortunately, not everyone is conscious of their security. In fact, approximately 90% of these applications have credentials like root:root or scott:tiger. In some cases, we observed that people do not even set a credential for the database server\u2019s root account.<\/p>\n<p>Cloud services are commonly used by enterprises, and they are equally used by attackers, who run bots and C&amp;C on cloud servers to attack vulnerable devices. Many cloud service providers, e.g. Google Cloud and AWS, offer free cloud service for one year with a public IP, which helps attackers stay hidden and change infrastructure easily.<\/p>\n<p style=\"text-align: left\">To attack an enterprise, an attacker needs to identify a vulnerability in the enterprise network. We observed that enterprises generally patch all OS-related vulnerabilities, but still run a server machine with MySQL on a public IP. The MySQL server runs as a service, so it runs with system privilege. 
If an attacker enters the network through MySQL, their commands execute with system privilege, so they can access everything on the infected host without needing any further vulnerability.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-87788 size-full\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/05\/mysql_word.png\" alt=\"\" width=\"537\" height=\"537\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_word.png 537w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_word-150x150.png 150w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_word-300x300.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_word-390x390.png 390w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_word-70x70.png 70w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_word-80x81.png 80w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_word-45x45.png 45w\" sizes=\"(max-width: 537px) 100vw, 537px\" \/><\/p>\n<p style=\"text-align: center\">Fig. 1 Worldwide MySQL servers on public IP<\/p>\n<p>&nbsp;<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-87783 size-full\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/05\/mysql_india.png\" alt=\"\" width=\"1081\" height=\"607\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_india.png 1081w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_india-300x168.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_india-768x431.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_india-650x365.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_india-789x443.png 789w\" sizes=\"(max-width: 1081px) 100vw, 1081px\" \/><\/p>\n<p style=\"text-align: center\">Fig. 
2 MySQL servers accessible on a public IP from India<\/p>\n<p>We observed approx. 15000 attacks in our honeypot network targeting the MySQL database. Most of these attacks are from Germany (34% of total attacks identified), and the rest originate from different countries like the United States, France, China, Poland and Russia.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-87754 size-full\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/05\/MySql-Attack.png\" alt=\"\" width=\"1196\" height=\"490\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/MySql-Attack.png 1196w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/MySql-Attack-300x123.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/MySql-Attack-768x315.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/MySql-Attack-650x266.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/MySql-Attack-789x323.png 789w\" sizes=\"(max-width: 1196px) 100vw, 1196px\" \/><\/p>\n<p style=\"text-align: center\">Fig. 3 MySQL attacker location<\/p>\n<p>We observed that attackers mostly use two approaches. In the first, they gain entry into the database server, drop existing tables and insert a ransom note as a blob in a newly created table. In the second, they use MySQL as an entrance into the Linux or Windows system and then drop a backdoor, miner or ransomware onto the victim host. For this they take advantage of the com compatibility feature of MySQL.<\/p>\n<p>As per our observation, the attacker authenticates to MySQL with default credentials like scott:tiger or root, or tries 10000 well-known passwords. They also use SQL injection on web applications to execute SQL queries. In some cases, we found use of a webshell. 
Also, there is one serious authentication bypass vulnerability (CVE-2012-2122) present in MySQL server 5.1.X, by which an attacker can take access of the server without any credential. Once an attacker gets access to the MySQL database, they can do anything: manipulate your data, delete it or steal it. But MySQL doesn\u2019t understand Windows API functions like CreateProcess or URLDownloadToFile. For this, attackers use one solution, i.e. MySQL\u2019s <a href=\"https:\/\/dev.mysql.com\/doc\/refman\/5.5\/en\/create-function-udf.html\">user-defined<\/a> function. Users can write their own user-defined functions for use in MySQL, alongside the pre-built functions such as avg and sum that MySQL has by default.<\/p>\n<p>In some cases the attacker uses the hidden database in MySQL, i.e. \u201cMySQL\u201d, and in this database creates one table with one column of blob type. They then insert one dll in hex format. A MySQL table can be dumped into a physical file in any location using the dumpfile function, so the attacker uses a trigger or select query to dump this dll as a physical file in the plugins folder of MySQL. This dll contains the definitions of user-defined functions; the attacker can now use their own user-defined functions in MySQL.<\/p>\n<p>Generally they use a function to download a file from a URL and execute it on the infected server. Every application executed by mysqld.exe will run with system privilege. These functions evade detection and can be used to launch file-less malware attacks. 
The attacker uses the following queries to insert the dll file as a blob in hex format and then dump it using \u201cinto DUMPFILE\u201d.<\/p>\n<p>insert into yongger3 values (&#8220;0x4D \u201c);<\/p>\n<p>\u2018select data from yongger3 into DUMPFILE &#8220;&#8216;,@@plugin_dir,&#8217;\\\\udf33.dll&#8221;&#8216;<\/p>\n<p>The attacker can also drop a PE file directly with a select statement, without inserting it into a MySQL table.<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-87723 size-full\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/05\/mysql_kill.png\" alt=\"\" width=\"852\" height=\"443\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_kill.png 852w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_kill-300x156.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_kill-768x399.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_kill-650x338.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_kill-789x410.png 789w\" sizes=\"(max-width: 852px) 100vw, 852px\" \/><br \/>\nFig. 4 MySQL commands executed by attacker.<\/p>\n<p>List of functions defined in the attacker\u2019s user-defined dll:<\/p>\n<ol>\n<li>KillProcess<\/li>\n<li>ProcessView<\/li>\n<li>About<\/li>\n<li>Backshell<\/li>\n<li>Cmdshell<\/li>\n<li>Downloader<\/li>\n<li>open3389<\/li>\n<li>regread<\/li>\n<li>regwrite<\/li>\n<li>shut<\/li>\n<li>shell<\/li>\n<li>cmdshelv<\/li>\n<li>xpdl3<\/li>\n<\/ol>\n<p>To use the above user-defined functions from the dll in MySQL, the attacker first needs to create the function in MySQL, for which they use a query like:<\/p>\n<p>CREATE FUNCTION cmdshell RETURNS string SONAME &#8216;xsa.dll&#8217;<\/p>\n<p>Here cmdshell is a user-defined function used to execute commands as in a terminal, and xsa.dll is the attacker\u2019s dll dropped into the plugin folder, containing the definition of the user-defined function. 
For Linux machines, the attacker uses .so files instead of a dll.<\/p>\n<p>To execute this function, the attacker uses a select query like:<\/p>\n<p>select cmdshell(&#8220;cmd.exe cmd\/c net user xiaoshage xiaoshage1 \/add&amp;net localgroup administrators xiaoshage \/add&#8221;)<\/p>\n<p>In the above query, the attacker used the cmdshell function to execute cmd.exe with the net command. This command creates the user xiaoshage and adds it to the administrators group. In most cases, MySQL is installed on the domain admin server, so this account can be added to the domain admin group and then used to access all machines in the network. The attacker also defined the function open3389, where 3389 refers to TCP port 3389, which is used for RDP access. From MySQL, the attacker enables the RDP service by adding the following registry entries:<\/p>\n<p>\u201cSYSTEM\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\Tds\\\\tcp\u201d<\/p>\n<p>Key: \u201cPort number\u201d, value: \u201c0xd3d\u201d (3389)<\/p>\n<p>Interestingly, the attacker killed multiple services and antivirus programs on the system using MySQL. They executed cmd.exe and taskkill with the cmdshell function, as displayed in fig. 
2. The attacker can also use the KillProcess function, which accepts a program name and then calls the TerminateProcess function in combination with the CreateToolhelp32Snapshot, Process32First and Process32Next functions.<\/p>\n<p>The attacker killed the following processes on the victim\u2019s PC using MySQL:<\/p>\n<table class=\" alignleft\" style=\"width: 70%\">\n<tbody>\n<tr>\n<td style=\"text-align: left\">QQPCTray.exe<\/td>\n<td>NPFMntor.exe<\/td>\n<td>safedog guard center.exe<\/td>\n<\/tr>\n<tr>\n<td>ksafe.exe<\/td>\n<td>rstray.exe<\/td>\n<td>UpdaterUI.exe<\/td>\n<\/tr>\n<tr>\n<td>UIHost.exe<\/td>\n<td>360sd.exe<\/td>\n<td>AVP.EXE<\/td>\n<\/tr>\n<tr>\n<td>360Tray.exe<\/td>\n<td>avfwsvc.exe<\/td>\n<td>360rp.exe<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-87724 size-full\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/05\/mysql_pcap.png\" alt=\"\" width=\"902\" height=\"668\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_pcap.png 902w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_pcap-300x222.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_pcap-768x569.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_pcap-527x390.png 527w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/mysql_pcap-789x584.png 789w\" sizes=\"(max-width: 902px) 100vw, 902px\" \/>Fig. 5 MySQL Remote command execution<\/p>\n<p>In fig. 5, we can observe MySQL network traffic in which the queries are directly visible, including queries to terminate processes and query services. For each command executed, a response is also received and displayed to the attacker.<\/p>\n<p>The shut function provides PC shutdown and restart. 
All these functions are executed under MySQL, so to the victim it looks like mysqld.exe is executing or killing processes and adding registry entries.<\/p>\n<p>For Linux, the MySQL user-defined functions are as follows:<\/p>\n<ol style=\"text-align: left\">\n<li>sys_eval<\/li>\n<li>sys_exec<\/li>\n<li>sys_get<\/li>\n<li>sys_set<\/li>\n<\/ol>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-87725 size-full\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/05\/downloader1.png\" alt=\"\" width=\"585\" height=\"382\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/downloader1.png 585w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/downloader1-300x196.png 300w\" sizes=\"(max-width: 585px) 100vw, 585px\" \/>Fig. 6 Downloader function definition<\/p>\n<p style=\"text-align: center\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-87726 size-large\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2019\/05\/hfs_httpy.aibeichen.cn_-576x390.png\" alt=\"\" width=\"576\" height=\"390\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/hfs_httpy.aibeichen.cn_-576x390.png 576w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/hfs_httpy.aibeichen.cn_-300x203.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/hfs_httpy.aibeichen.cn_-768x520.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/hfs_httpy.aibeichen.cn_-789x534.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2019\/05\/hfs_httpy.aibeichen.cn_.png 990w\" sizes=\"(max-width: 576px) 100vw, 576px\" \/>Fig. 
7 HFS server<\/p>\n<p style=\"text-align: left\">We observed various malware distributed using MySQL as the source, including Virut, backdoors and miners. We also received a\u00a0<a href=\"https:\/\/www.cyber.nj.gov\/threat-profiles\/trojan-variants\/newcore\">NewCore RAT<\/a> sample from an <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/cta-security-playbook--goblin-panda.html\">APT-27<\/a>, i.e. <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/cta-security-playbook--goblin-panda.html\">GoblinPanda<\/a>, attack; it was hosted on the <strong>43.242.75.228<\/strong> <a href=\"https:\/\/en.wikipedia.org\/wiki\/HTTP_File_Server\">hfs server<\/a>, which uses MySQL as the initial vector.<\/p>\n<p style=\"text-align: left\"><strong>Ransom note from one of the MySQL attacks:<\/strong><\/p>\n<p>{<\/p>\n<p>To recover your lost Database and avoid leaking it: Send us 0.1 Bitcoin<\/p>\n<p>(BTC) to our address\u00a0\u2018s7iHwdafANy4ThJc*&amp;******\u2019\u00a0and contact by mail with your IP or\u00a0web\u00a0name\u00a0&amp; payment\u00a0evidence. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. If we don\u2019t receive your payment in the next 10 Days, we will make your database public or use them otherwise.<\/p>\n<p>}<\/p>\n<p>After dropping the database, the attacker inserts a ransom note and asks for ransom. The victim can try to restore data if the ibdata1, log, .bak and .frm files are present. In this type of attack we suggest not paying the ransom: the attacker does not read or back up the database, so there is no way they can restore it after payment. 
Malicious and clean database drop activity cannot be differentiated, so it\u2019s hard for an antivirus product to block this attack.<\/p>\n<p style=\"text-align: left\"><strong>Future attack:<\/strong><\/p>\n<p>We think that in future an attacker will store C# code in a MySQL table and then create a trigger to execute csc.exe on the victim\u2019s machine every 1 hour, to compile this C# code in memory without a physical copy.<\/p>\n<p>So there will be no physical copy of the malware and it will be compiled on the client end, making the file hard to detect with a signature-based approach. They can also inject such code into regasm.exe, which is a genuine utility. Nowadays, Hawkeye executes without any physical copy by using CVE-2017-11882, CVE-2017-01999 and CVE-2017-8570, but in future it could use MySQL as the source, and to the victim it will look like mysqld.exe executes csc.exe, which executes regasm.exe.<\/p>\n<p>For now, we have seen MySQL attacks used for ransom and to intrude on the victim; they also drop the Virut infector, which drops a backdoor with IoT capability. This attack is hard to detect, and an attacker can leverage MySQL to infect a machine undetected.<\/p>\n<p style=\"text-align: left\"><strong>Solution:<\/strong><\/p>\n<p style=\"text-align: left\">Quick Heal has a\u00a0<a href=\"https:\/\/www.seqrite.com\/seqrite-utm\">UTM<\/a> product. This product includes an\u00a0<a href=\"https:\/\/blogs.seqrite.com\/benefits-of-having-intrusion-preventiondetection-system-in-your-enterprise\/\">IDS\/IPS<\/a> engine which works at the network level. This means that if an attacker tries to connect to MySQL from a remote location and execute a malicious query, the traffic is first received by the UTM device. These devices contain a firewall, browser protection and an IDS\/IPS engine. Quick Heal detects malicious MySQL queries using the IDS\/IPS engine of the UTM product. 
Which will block this communication and protect user from MySQL attack.<\/p>\n<p style=\"text-align: left\">Similarly,\u00a0UTM can also be used for IOT security.<\/p>\n<blockquote>\n<p style=\"text-align: left\">So, we recommend use of <a href=\"https:\/\/www.seqrite.com\/seqrite-utm\">UTM<\/a> product at enterprise level to prevent from increasing MySQL attacks.<\/p>\n<\/blockquote>\n<p style=\"text-align: left\">On endpoint level we block this attack on network level as well as attacks get blocked by our <a href=\"https:\/\/blogs.seqrite.com\/rise-of-ransomware-how-seqrite-can-help-your-business-stay-protected\/\">behaviour-based<\/a> detection.<\/p>\n<p style=\"text-align: left\"><b>IDS\/IPS Detection:<\/b><\/p>\n<ul style=\"text-align: left\">\n<li>MySQL\/EXEFileWrite.UN!SP.34758<\/li>\n<li>MySQL\/CommandExecution.UN!SP.34759<\/li>\n<li>MySQL\/CommandExecution.UN!SP.34760<\/li>\n<li>MySQL\/EXEFileWrite.UN!SP.34776<\/li>\n<\/ul>\n<p style=\"text-align: left\"><strong>Virus Protection Detection:<\/strong><\/p>\n<ul style=\"text-align: left\">\n<li>W32.Virut.G<\/li>\n<li>Backdoor.Agent<\/li>\n<li>Backdoor.Dofloo.CE99d<\/li>\n<li>Trojan.Mauvaise.SL1<\/li>\n<li>Trojan.Agent.S175662<\/li>\n<\/ul>\n<p style=\"text-align: left\"><strong>Attack\u00a0 IOC&#8217;s:<\/strong><\/p>\n<p style=\"text-align: left\"><b>URL<\/b><strong>:<\/strong><br \/>\n43[.]242[.]75[.]228<br \/>\ny[.]aibeichen[.]cn\/csrss.exe<\/p>\n<p><strong>Subject Matter Expert:<\/strong><br \/>\nVallabh Chole<br \/>\nSecurity Labs, Quick Heal Technologies, Ltd.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In today\u2019s world data is everything, and to store and process 
this large amount of data, everyone started using computing devices. Database servers which are used for storing this precious data on computing devices include MySQL, MongoDB, MSSQL, etc. But\u00a0unfortunately, not everyone is conscious about its security. In fact, approximately 90% of these applications have [&hellip;]<\/p>\n","protected":false},"author":57,"featured_media":87755,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[133,24,910],"tags":[1564,49,1664,1123,1667,1665],"class_list":["post-87753","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacker","category-malware","category-ransomware","tag-infector","tag-malware","tag-mysql","tag-rat","tag-targeted-attack","tag-virut"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87753"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/57"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=87753"}],"version-history":[{"count":23,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87753\/revisions"}],"predecessor-version":[{"id":87790,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/87753\/revisions\/87790"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/87755"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=87753"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=87753"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickhe
al.com\/blogs\/wp-json\/wp\/v2\/tags?post=87753"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}