Threat Management, Malware

Banking RAT MnuBot leverages Microsoft SQL Server database to target Brazilians

A newly discovered banking malware that's been actively targeting Brazilians behaves as a remote access trojan (RAT) and uses a Microsoft SQL Server database server as an unconventional command-and-control infrastructure.

Dubbed MnuBot, the Delphi-based malware produces web form overlays that either trick victims into entering key bank account information or stall them while cybercriminals hijack the user endpoint and perform illegal transactions. But its capabilities also include creating browser and desktop screenshots, keylogging, simulating user clicks and keystrokes, restarting machines, and uninstalling certain antivirus software, according to a May 29 blog post published by IBM's X-Force research unit.

After the initial infection, MnuBot uses hardcoded and encrypted server details in order to connect to a malicious  Microsoft SQL Server database server and commence the configuration process. Without this configuration, which determines queries and commands that can be performed and banks websites that will be targeted, the malware shuts itself down.

"It is most likely that MnuBot authors wanted to try to evade regular antivirus detection, which is based on the malware traffic. To do so, they decided to wrap their malicious network communication using seemingly innocent Microsoft SQL traffic," explains Jonathan Lusky, blog post author and IBM X-Force malware researcher.

Lusky added that this particular configuration process also allows the cybercriminals behind MnuBot to dynamically change their activity as needed, as well as to stifle researchers by simply removing the server, making it exceedingly difficult to reverse engineer malware samples.

MnuBot's attack takes place over two stages. First, the malware searches the AppData Roaming folder for a file called Desk.txt, which it uses to determine which desktop is running on the infected machine. If the file exists, the malware knows it's running in the current desktop, but if the file is missing, the malware will create a new desktop that runs parallel to the legit desktop, and switch the user to it.

Within the desktop, MnuBot repeatedly checks the foreground window name until it finds a name similar to one of the banks it is programmed to target. At that point, it will query its C&C server for the second-stage executable (saved as C:UsersPublicNeon.exe), which includes the social engineering forms for targeted banks, as well as the RAT capabilities that grant criminals full control over affected machines.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.