How does the MnuBot banking Trojan use unusual C&C servers?

IBM X-Force researchers recently found a new banking Trojan called MnuBot that performs illegal banking transactions with the help of its unusual command-and-control infrastructure. How does MnuBot work and what's different about its C&C server?

Over the last 20-30 years, attackers have used command-and-control (C&C) servers to manage the systems they've infected. C&C servers offer attackers more flexibility than encoding all of the information directly into the malware.

Early C&C servers used Internet Relay Chat (IRC) channels and may have been controlled by an IRC bot. However, enterprises started to block IRC as it became associated with malware C&C connections, resulting in security tools incorporating functionality to monitor IRC messaging.

As defenders began blocking IRC, attackers began to create their own custom protocols for C&C servers or began using existing protocols, such as Internet Control Message Protocol, in unexpected ways to set up the C&C and encrypt the connections -- some attackers have even started to use steganography and social media as the basis of their C&C servers. Detecting a C&C server and preventing it from communicating can effectively neutralize many instances of malware. C&C systems often use modules that provide different options for the infected endpoint to connect to the server.

IBM X-Force recently discovered MnuBot, a new banking Trojan that uses an unexpected source for its C&C connection: Microsoft SQL Server. MnuBot uses the Microsoft SQL Server database server to store commands and infected systems query Microsoft SQL Server to get the commands. MnuBot malware includes hardcoded access credentials for the C&C database server, and newly infected systems use that information to connect to the server.

Once MnuBot infects the endpoint, it can begin monitoring the system for connections to banking institutions contained in a configuration file. It can then connect to the SQL Server to download the initial configuration and a malicious remote access Trojan.

To complete the attack, MnuBot inserts data into the database with information about the endpoint and what banking systems are used, connects to the bank in the configuration file and tries to run a fraudulent financial transaction via the open banking session.

MnuBot uses hardcoded credentials embedded in the malware to connect to the database server, which makes the server a single point of failure. As long as the server is up, antimalware vendors can analyze the connections.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)