
How does the MnuBot banking Trojan use unusual C&C servers?

IBM X-Force found MnuBot, a new banking Trojan, using a command-and-control (C&C) server in an unusual way. Learn how this works and how this malware differs from earlier families.

IBM X-Force researchers recently found a new banking Trojan called MnuBot that performs illegal banking transactions with the help of its unusual command-and-control infrastructure. How does MnuBot work and what's different about its C&C server?

Over the last 20 to 30 years, attackers have used command-and-control (C&C) servers to manage the systems they have infected. A C&C channel gives the attacker more flexibility than hardcoding every instruction into the malware: targets, payloads and behavior can be changed after infection without shipping a new binary.

Early C&C used Internet Relay Chat (IRC) channels, with infected hosts joining a channel and taking orders from an IRC bot. As IRC became associated with malware, enterprises started to block it and security tools added functionality to monitor IRC messaging.

As defenders blocked IRC, attackers moved to custom protocols for their C&C servers, or used existing protocols in unexpected ways, such as carrying commands inside Internet Control Message Protocol (ICMP) packets, and increasingly encrypted the connection. Some have gone further and used steganography or social media posts as the basis of their C&C channel. Because the C&C channel is how the operator drives the infection, identifying the server and preventing the infected host from reaching it can neutralize many instances of malware. C&C systems therefore often ship modules that give the infected endpoint several different ways to reach the server, so that one blocked path does not end the operation.

IBM X-Force recently discovered MnuBot, a new banking Trojan that uses an unexpected component for its C&C channel: a Microsoft SQL Server database. Instead of talking to a custom C&C daemon, the attackers store commands and configuration in database tables, and each infected system queries the SQL Server to fetch them. The MnuBot binary carries hardcoded credentials for that database server, and a newly infected system uses them to log in.

On a freshly infected endpoint, MnuBot connects to the SQL Server to download its initial configuration, which lists the banking institutions to target, and to retrieve a second-stage component, a malicious remote access Trojan. With the configuration in place, it monitors the system for connections to the banks named in the configuration file.

To complete the attack, MnuBot inserts a row into the database with information about the endpoint and which banking systems are in use, and, once the victim opens a session to a bank from the configuration file, attempts to run a fraudulent financial transaction through that open banking session.

Because the database credentials are hardcoded in the malware, the C&C server is a single point of failure for the campaign. Anyone with a sample can extract the credentials, so as long as the server is up, antimalware vendors can log in and analyze the commands and the infected-host records, and defenders can block or sinkhole the server's address. The unusual transport also works in the defender's favor: ordinary workstations have little reason to open outbound connections to SQL Server's default listener, TCP port 1433, on Internet hosts, so such connections are worth alerting on whether or not the payload itself is recognized.
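One concrete check a defender can run against this C&C pattern is to hunt for workstation-to-Internet connections on the SQL Server port. The script below is an added example written for this article, not code from IBM X-Force or from the MnuBot analysis; the firewall log format, the sample lines and the hypothetical allowlist are all constructed for illustration (the 203.0.113.x and 198.51.100.x destinations are documentation addresses standing in for public hosts). It parses allow/deny records, keeps only TCP flows to port 1433, and flags those that leave an RFC 1918 network for a destination not on the allowlist.

```python
import ipaddress
import re
from collections import Counter

# Firewall log lines constructed for this example (not real traffic).
SAMPLE_LOG = """\
2018-10-02T10:15:03Z src=10.0.5.21:51422 dst=203.0.113.45:1433 proto=tcp action=allow
2018-10-02T10:15:07Z src=10.0.5.21:51430 dst=203.0.113.45:1433 proto=tcp action=allow
2018-10-02T10:16:12Z src=10.0.7.88:49201 dst=10.0.1.10:1433 proto=tcp action=allow
2018-10-02T10:16:40Z src=10.0.5.21:51455 dst=93.184.216.34:443 proto=tcp action=allow
2018-10-02T10:17:01Z src=10.0.9.14:50012 dst=198.51.100.8:1433 proto=tcp action=allow
2018-10-02T10:17:05Z src=10.0.9.14:50013 dst=198.51.100.8:1433 proto=tcp action=deny
"""

# Hypothetical log layout: one flow per line, key=value fields (assumption for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

MSSQL_PORT = 1433  # default SQL Server listener; MnuBot's C&C is a SQL Server instance

# RFC 1918 ranges are used explicitly rather than ipaddress.is_private, because
# is_private also treats the documentation ranges used above as "private".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Parse one flow record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_internal(ip):
    """True if the address lies in an RFC 1918 network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_sql_egress(log_text, allowlist=frozenset()):
    """Return flows where an internal host reaches an external SQL Server port.

    Denied attempts are kept too: a blocked connection to an unknown SQL Server
    is still evidence that something on the host wanted to talk to it.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["dport"] != MSSQL_PORT:
            continue
        if is_internal(ev["src"]) and not is_internal(ev["dst"]) and ev["dst"] not in allowlist:
            hits.append(ev)
    return hits


def summarize(hits):
    """Count flagged flows per (source, destination) pair for triage."""
    return Counter((h["src"], h["dst"]) for h in hits)


if __name__ == "__main__":
    # Hypothetical allowlist: a hosted database the business legitimately uses.
    flagged = find_sql_egress(SAMPLE_LOG, allowlist={"198.51.100.8"})
    for (src, dst), n in summarize(flagged).items():
        print(f"{src} -> {dst}:{MSSQL_PORT}  {n} flow(s)")
```

Internal-to-internal SQL traffic (line three) is ignored because application servers legitimately reach database servers; the signal is a client subnet talking to a SQL Server port on the Internet. If the campaign's server were to move to a non-default port, this port-based filter would miss it, so pairing it with protocol identification of the SQL Server wire protocol on any port is the natural next step.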


This was last published in October 2018

1 comment

What preventative measures does your organization take to keep your servers from being used for a C&C infrastructure?