Security researchers have spotted a new banking trojan named MnuBot that uses some atypical tricks to avoid easy detection on compromised hosts.
Discovered by the IBM security team, this trojan is written in Delphi, and its author is currently spreading it to Brazilian targets only.
But while most Delphi-based malware is generally considered as unsophisticated, MnuBot got the IBM team’s interest due to an odd trick it used to disguise its traffic.
MnuBot is controlled via an MSSQL database
According to Jonathan Lusky, a malware researcher for IBM Security’s Trusteer’s group, this new banking trojan is controlled by crooks via a remote Microsoft SQL (MSSQL) database.
This is somewhat untypical, as most malware operates by pinging remote custom-crafted web servers or web apps, and only in very rare cases does malware actually connects to a database directly.
In a report published earlier today, Lusky says the malware’s source code contains encrypted credentials to connect to a remote MSSQL database.
On a victim’s computer, the malware dynamically decrypts these values just before initializing the connection to the remote server.
All communications between the malware and its C&C server occurs as SQL traffic. This includes queries for new commands, and the commands themselves.
“It is most likely that MnuBot authors wanted to try to evade regular antivirus detection, which is based on the malware traffic,” Lusky explains. “To do so, they decided to wrap their malicious network communication using seemingly innocent Microsoft SQL traffic.”
MnuBot designed by experienced crew
But this design has other…