Microsoft warned Tuesday that it had recently detected a malicious campaign against SQL Servers. The campaign uses a built-in PowerShell binary to maintain persistence on compromised systems.
The ultimate objectives of this campaign and the identity of its threat actor are not known. Microsoft is tracking the malware under the name “SuspSQLUsage.”
The sqlps.exe utility is included by default in all SQL Server versions. It allows an SQL Agent, a Windows service that runs scheduled tasks, to execute PowerShell jobs.
“The attackers achieve fileless persistence by spawning the sqlps.exe utility, a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and change the start mode of the SQL service to LocalSystem,” Microsoft noted.
The attackers have also been observed using the same module to create a new account with the sysadmin role, effectively making it possible to seize control of the SQL Server.
This is not the first time threat actors have weaponized legitimate binaries already present in an environment, a technique called living-off-the-land (LotL), to achieve their nefarious goals.
An advantage offered by such attacks is that they tend to be fileless, in that they leave no artifacts behind, and the activity is less likely to be flagged by antivirus software because it runs through trusted software.
The idea is to allow the attacker to blend in with regular network activity and normal administrative tasks, while remaining hidden for extended periods of time.
“The use of this uncommon living-off-the-land binary (LOLBin) highlights the importance of gaining full visibility into the runtime behavior of scripts in order to expose malicious code,” Microsoft said.
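As an added example (not code from Microsoft or from this article), the following Python triages Sysmon-style process-creation records for sqlps.exe launches, the behaviour described above. The sample records, host names and paths are constructed, and treating SQLAGENT.EXE as the only expected parent is an assumption to tune per environment.

```python
import ntpath

# Assumption: SQL Agent is the only expected caller of sqlps.exe, since the
# article describes sqlps.exe as the way SQL Agent runs PowerShell jobs.
EXPECTED_PARENTS = {"sqlagent.exe"}
# Terms taken from the behaviour the article reports.
KEYWORDS = ("localsystem", "sysadmin")

def triage(events):
    """Return one finding per sqlps.exe launch in process-creation records."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image != "sqlps.exe":
            continue  # only the LOLBin named in the article is in scope
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        cmd = ev.get("CommandLine", "").lower()
        reasons = []
        if parent not in EXPECTED_PARENTS:
            reasons.append("unexpected parent: " + (parent or "unknown"))
        reasons += ["command line mentions " + k for k in KEYWORDS if k in cmd]
        findings.append({
            "host": ev.get("Computer", "?"),
            "time": ev.get("UtcTime", "?"),
            # Every sqlps.exe launch is surfaced; extra signals raise severity.
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    return findings

# Constructed sample records (not campaign data); keys follow Sysmon Event ID 1.
SAMPLE = [
    {"Computer": "sql01", "UtcTime": "2000-01-01 02:00:00",
     "Image": r"C:\SQL\Binn\SQLPS.EXE", "ParentImage": r"C:\SQL\Binn\SQLAGENT.EXE",
     "CommandLine": "SQLPS.EXE [constructed: scheduled maintenance job]"},
    {"Computer": "sql02", "UtcTime": "2000-01-01 03:10:00",
     "Image": r"C:\SQL\Binn\sqlps.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "sqlps.exe [constructed: arguments mentioning sysadmin]"},
    {"Computer": "sql02", "UtcTime": "2000-01-01 03:11:00",
     "Image": r"C:\Windows\System32\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe [constructed: unrelated admin session]"},
    {"Computer": "sql03", "UtcTime": "2000-01-01 04:00:00",
     "Image": r"C:\SQL\Binn\sqlps.exe", "ParentImage": r"C:\SQL\Binn\SQLAGENT.EXE",
     "CommandLine": "sqlps.exe [constructed: arguments mentioning LocalSystem]"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Findings marked "review" are sqlps.exe launches with no extra signal; they still merit a baseline check, because the article reports sqlps.exe use as uncommon.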