# New WhiteShadow downloader uses Microsoft SQL to retrieve malware **[proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware](https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware)** September 26, 2019 ----- [Blog](https://www.proofpoint.com/us/blog) [Threat Insight](https://www.proofpoint.com/us/blog/threat-insight) New WhiteShadow downloader uses Microsoft SQL to retrieve malware ----- September 26, 2019 Bryan Campbell and Jeremy Hedges with the Proofpoint Threat Insight Team ## Overview While not a new development, the use of Microsoft SQL queries to retrieve next-stage payloads has been relatively rare as a form of malware distribution. In August 2019, however, Proofpoint researchers encountered new Microsoft Office macros, which collectively act as a staged downloader that we dubbed “WhiteShadow.” Since the first observed occurrence of WhiteShadow in a small campaign leading to infection with an instance of Crimson RAT, we have observed the introduction of detection evasion techniques. These changes include ordering of various lines of code as well as certain basic obfuscation attempts. In August 2019, the macros that make up WhiteShadow appeared in English-language cleartext. The only observed obfuscation technique was in the simple case altering of strings such as “Full_fILE” or “rUN_pATH.” In early September, we observed slight misspellings of certain variables such as **“ShellAppzz.Namespace(Unzz).” Mid-September brought another change in macro code using reversed** strings such as “StrReverse("piz.Updates\stnemucoD\")”. The most recently observed versions of the WhiteShadow macros contain long randomized text strings such as **“skjfhskfhksfhksfhksjfh1223sfsdf.eDrAerTerAererer”. Overall, the macro code still remains mostly human** readable, with the same functionality as previously observed. When recipients open malicious document attachments in these campaigns and activate macros, WhiteShadow operates by executing SQL queries against attacker-controlled Microsoft SQL Server databases. The malware is stored as long strings that are ASCII-encoded within the database. Once retrieved, the macro decodes the string and writes it to disk as a PKZip archive of a Windows executable. Once extracted by the macro, the executable is run on the system to start installing malware, which is determined by the actor based on the script configuration stored in the malicious Microsoft Office attachments. Early campaigns delivered Crimson malware, which has historically been linked to specific actor activity. However, Proofpoint researchers currently have no evidence tying this current round of malware distribution with previous Crimson campaigns [1]. ## Campaigns In August 2019, Proofpoint researchers began observing a series of malicious email campaigns distributing Microsoft Word and Microsoft Excel attachments containing the WhiteShadow downloader Visual Basic macro (Figure 1). ----- _Figure 1: A malicious email from a threat actor containing Microsoft Word attachments that, when opened, will_ _execute Visual Basic macros that collectively comprise the WhiteShadow downloader. WhiteShadow then_ _installs additional malware._ It appears that WhiteShadow is one component of a malware delivery service, which includes a rented instance of Microsoft SQL Server to host payloads retrieved by the downloader. The following chart is a chronology of campaigns, relative message volume, and payload summary since we first observed WhiteShadow in the wild. **Date** **Relative** **Volume** **Geo/Language** **Attachment Type** **Payload** 8/26/2019 Low AU/English Excel Document Crimson 8/29/2019 Low AU/English Excel Document Crimson ----- 9/29/4/2019 Low AU, UK, China/English Word and Excel Documents Nanocore, njRAT, AgentTesla, Crimson 9/9/2019 Low Chinese Word Document Crimson 9/12/2019 Low UK/English Word Document Crimson 9/169/18/2019 9/169/17/2019 9/179/18/2019 Medium US/English Excel Document AZORrult Low English Excel Document Formbook Low US/English Excel Document Nanocore 9/20/2019 Low English Excel Document Nanocore 9/20/2019 Low English Excel Document Crimson 9/24/2019 Low US/English Word Document Crimson _Table 1: Chronology and relative volume of August and September 2019 WhiteShadow campaigns._ ## Downloader Analysis WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the results to a file in the form of a zipped executable. The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office. Once the connector is installed on the system, it can be used by various parts of the Windows subsystem and by Visual Basic scripts including macros in Microsoft Office documents. We have observed several malware strains downloaded in this manner by WhiteShadow: Agent Tesla AZORult Crimson Nanocore njRat Orion Logger Remcos Formbook The malware infection occurs in the following sequence: A user enables macros in a document or spreadsheet The macro reaches out to a Microsoft SQL server and pulls an ASCII string from the ‘Byte_data’ column in the database table specified by a hardcoded ‘Id_No’ in the macro ----- The Macro decodes the ASCII string and writes the data to a file in binary mode Pseudo Format: .... See figures 3 and 4 for examples of the macro code that splits the data into an array before writing it to disk The file type of the decoded files have always been a ZIP to date, with a single executable inside The macro will then extract the executable from the ZIP and run it. The executable will be one of the malware payloads documented above The sequence is illustrated in Figure 2: ----- _Figure 2. Illustration of WhiteShadow downloader and malware infection sequence._ ----- _Figure 3. Sample code from WhiteShadow script with data decoding routine for array splitting using separator_ _value of ‘!’._ _Figure 4. Sample code from WhiteShadow script with data decoding routine for array splitting using separator_ _value of ‘,’._ _Figure 5: ASCII representation of the ‘encoded’ PKZIP file before written to disk, line breaks added for_ _comparison to Figure 6_ ----- _Figure 6: Hex editor representation of the decoded PKZIP file as written to disk._ We have observed multiple databases all hosted on a subdomain of mssql.somee[.]com: **antinio.mssql.somee[.]com** **bytesdata.mssql.somee[.]com** **fabancho.mssql.somee[.]com** In each of the databases, the data that was being accessed by WhiteShadow was stored in a table called ‘Data,’ which always contained three columns: 1. Id_No ; A Primary Key ‘int’ identifier for the payload 2. Byte_data ; an encoded ASCII representation of the payload data 3. Net_ver ; This is likely a ‘customer’ identifier or versioning string for the payload Proofpoint researchers have observed rows being added, removed, and in rare cases, updated in these databases. Proofpoint researchers also noticed similarities in some cases with the data in the ‘Net_Ver’ column and Affiliate/Group structures in some of the malware that was being dropped relative to a specific ‘Id_No’; ### Examples: **DB Subdomain** **DB ‘Id_No’** **DB ‘Net_ver’** **Malware Config Affiliate** **Malware Family** antinio 7 Del ec DEL AEC V2 Crimson bytesdata 4 jay2 JAY_V2 Crimson bytesdata 9 oncode oncode_Ver:1 Crimson fabancho 2 oncode Oncode-2 Crimson _Table 2: Illustration of how the Net_ver identifier column corresponds with the associated configured malware_ _identifier_ It should be noted that bytesdata’s Id_No ‘4’ was first identified as Nanocore, but was updated two days later to be Crimson, where the Net_ver was updated from ‘jay’ to ‘jay2’ We also observed similarities between multiple MSSQL hosts, suggesting they are likely managed by the same actor: **bytesdata.mssql.somee[.]com -> Id_No: 9; Net_Ver: oncode** **fabancho.mssql.somee[.]com -> Id_No: 2; Net_Ver: oncode** **fabancho.mssql.somee[.]com -> Id_No: 2; Net_Ver: nano oncode** ----- In addition to the Net_ver similarities (likely customer similarities, or perhaps repeat customers), it is clear that there is table schema reuse between the multiple databases which indicate the underlying architecture for these multiple databases are in fact related. ## Payload Analysis While analyzing the various payloads hosted in the database, we discovered one family of malware in particular - Crimson - that had several updates since our last analysis of the malware [2]. Updated commands are listed below: **cownar:** Adds an executable to Environment.SpecialFolder.CommonApplicationData\\%install_folder%\\updates\\ and executes it via Process.Start(exe_path); **cscreen:** Captures a JPEG format screenshot of the infected machine and sends it to the C&C using the C&C response command: capScreen **getavs:** This is similar to the previously documented 'procl' command; it creates a concatenated string of processes with a format similar to: >%process-id%>%process_module_name%>< for each process running on the system, enumerated via: Process[] processes = Process.GetProcesses(); **putsrt:** The input to this function is a string and it compares the string to the current running process executable path. If that path is different, it 'moves' the executable via: File.WriteAllBytes(text, File.ReadAllBytes(executablePath)); It will then install the modified path into the common ‘CurrentVersion AutoRun’ registry key: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run The remaining non-Crimson samples appeared to be largely the same as those currently documented and observed in the current threat landscape. ## Conclusion Although not a new development, the use of MSSQL queries to retrieve next-stage payloads is unusual in the wild. In late August 2019, Proofpoint researchers encountered a new staged downloader which uses this uncommon method and named it “WhiteShadow”. More importantly, this appears to be a new malware delivery service, allowing a range of threat actors to potentially incorporate the downloader and associated Microsoft SQL Server infrastructure into their attacks. We have observed actors using WhiteShadow to install RATs, downloaders, and keyloggers including Agent Tesla, AZORult, Crimson, and others. Organizations need to be ----- cognizant of both the incoming malicious email and outbound traffic on TCP port 1433 which should be blocked or at least restricted on modern ACL configurations in firewalls today. Currently, these campaigns are relatively small, with message volumes in the hundreds and thousands, but we will continue to monitor associated trends. ## References [[1]https://unit42.paloaltonetworks.com/tag/subaat/](https://unit42.paloaltonetworks.com/tag/subaat/) [[2]https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf](https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf) **Indicators of Compromise (IOCs)** **IOC** **IOC Type** **Description** antinio.mssql.somee[.]com hostname Dropper Next Stage BytesData.mssql.somee[.]com hostname Dropper Next Stage fabancho.mssql.somee[.]com hostname Dropper Next Stage 2cf21ddd9d369a2c88238606c5f84661cf0f62054e5cc44d65679834b166a931 SHA256 WhiteShadow Maldoc ed8f4a7f09e428ceff8ede26102bb153b477b20775a0183be4ca2185999d20c8 SHA256 WhiteShadow Maldoc 539087ebb1d42c81c3be48705d153d75df550c047cf1056721f68724b78b73b7 SHA256 WhiteShadow Maldoc dc90b12b71c4f8c08a789a5ec86ef9b05189d499c887f558f35eeb5e472551a0 SHA256 WhiteShadow Maldoc fc068dda0efdaaa003c87bccd1880bc8953f18c2a8f1f0527a9a44e637e1fcce SHA256 WhiteShadow Maldoc a710a685bb4fbace08e26e32a8bb8a58665973cd802a3df2cb28581c287446e5 SHA256 WhiteShadow Maldoc 9cd62748e7be536f9bfb46493fc9704a93e4e4bcb38ef193b5d66e4a875756bc SHA256 WhiteShadow Maldoc 95dbabe512ba4fc45e32786e87c292fb665e18bc0e2fea1cadb43ba1fe93f13b SHA256 WhiteShadow Maldoc ----- a6a6b8c7cb72dd2670b6171576bc20c2f28198df12907b4d3ce010dcd97358e4 SHA256 WhiteShadow Maldoc 67d0347b8db05a7115d89507394760f41419e5e91ab88be50e27eded28ce503e SHA256 WhiteShadow Maldoc 7b672eb80041a04f49198b1b51bcf0198321a1bdc1f7c56434c2320edb53fc43 SHA256 WhiteShadow Maldoc acf9c1dda4a2076f0d503450db348ae2913345ebd134a3701baa2ff5ebaccd6e SHA256 WhiteShadow Maldoc fe88d40c56274a38ecd3a7178ac96970dd473c7ef3d0f54b5c8819f0b1fa41c3 SHA256 WhiteShadow Maldoc hxxp[://]rebrand[.]ly/813ed538169eeeethczfz2346577777777788kfvmdkf URL Short URL Leading to WhiteShadow hxxp[://]rebrand[.]ly/purchaseorder54326 URL Short URL Leading to WhiteShadow 35e81258c4365fb97ae57f3989164ed4e8b8e62668af9d281a57c5e7a70c288c SHA256 WhiteShadow Maldoc c5193ba871414448c78cb516dfea622f2dbafa6bacb64e9d42c1769ebd4ffea3 SHA256 WhiteShadow Maldoc b2c0b1535518321fbcde2c9d80f222e9477053e6ee505f2dd3b680277f80de1d SHA256 WhiteShadow Maldoc 9a284b1ca8ac7fee1f8823d2457c935134ec61368ef42c8b2cbdfb338ad61ad7 SHA256 WhiteShadow Maldoc 29fe2bdf25d1739bb920c0776b1826661e8a459af44d1051faf08f3643d84d29 SHA256 WhiteShadow Maldoc fcc8802b49bfb86d0cffb1cbc4f1b283887015b7da2263f9165a28f1b0f63f47 SHA256 Crimson 193.111.155[.]137 IPv4 Crimson C&C c966830092abeb5ecb6747122b5c5d63dff064828b84e10a682770763e348713 SHA256 Nanocore 51.254.228[.]144 IPv4 Nanocore C&C ----- 0df01a9e8ad097d6c2b48515497f12bfe9aaa29a3b1c509a0ae1e2a12a162f04 SHA256 Nanocore jasoncarlosscot.dynu[.]net hostname Nanocore C&C (resolved to 79.134.225[.]77) a7832e35fe571abed0a70b49c043e0fedb7fba28e6c212b6bbaa8fd4075c5f43 SHA256 Formbook www.allixanes[.]com/ez3/ URL Formbook C&C 0e54bf9380d40d34e6a3029b6e2357f4af1738968646fdaa0c369a6700e158f4 SHA256 AZORult tslserv.duckdns[.]org hostname AZORult C&C over HTTP (resolved to 102.165.49[.]69) bargainhoundblog[.]com hostname Expanded rebrandly URL hostname. Likely compromised. 17742a3ca746f7f13aff1342068b2b78df413f0c9cd6cdd02d6df7699874a13a SHA256 Crimson 176.107.177[.]54 IPv4 Crimson C&C globedigitalmedia[.]com hostname Expanded rebrandly URL hostname. Likely compromised. ab962b7b932cb3478770c55a656baa657f9c58ea2409c89b68b5a7728ea721f8 SHA256 Crimson d89772cfd63f7d5ce7c6740c6709ece4db624c85989e8d508c09f1baeef0a556 SHA256 Crimson 139.28.36[.]212 IPv4 Crimson C&C 64c5d3f729d9a1ec26d5686002ccb0111ee9ba6a6a8e7da6ad31251f5d5dde6a SHA256 Agent Tesla 76e0104aa6c3a0cfc25c6f844edbbeed4e934e2ad21a56e8243f604f510cf723 SHA256 njRAT 139.28.36[.]212 IPv4 njRAT C&C 6a2acd6b97ce811ebf3d154c47b53cd16c500e075c3218e8628bf49f8d7cafe5 SHA256 Nanocore 45.92.156[.]76 IPv4 Nanocore C&C ----- 96e274f1cb5f6918e6a24b714f7cbf2d3d007680050a16ba5232c67582ad0f3b SHA256 Crimson 2ea787dfd65b0488b76b0a0a69ff2a632bb3bea3735ad007336b8dd1473f5768 SHA256 Crimson 192.3.157[.]104 IPv4 Crimson C&C a9898d6d9054f301d0da9373b8cc38641d11c8409a1037112970aa47122561ff SHA256 Crimson 5ff5817e325c78a1a706035811bfb976421222c208a7fce694a25bb609a9a2fb SHA256 Crimson 176.107.177[.]77 IPv4 Crimson C&C 0c1623662a7ad222ed753b9ffc0d85912e3a075c348b752b671a0b1c755fd1e7 SHA256 Crimson 193.228.53[.]0 IPv4 Crimson C&C 4c487ba8dfded5d050d01ab656ef3916c5269551e51ed60f9cfa5995f55e3264 SHA256 njRAT mundial2018.duckdns[.]org hostname njRAT C&C (resolved to 46.246.85[.]129) d2158cfd1bb9116a04dcb919fa35402d64b9e9b39a9c6cd57460ca113cde488e SHA256 Orion Logger 0943a968cc9e00f83c0bb44685c67890c59ad7785db7fc12e9a0de8df309cbfa SHA256 Crimson 185.157.79[.]115 IPv4 Crimson C&C a40987639b464c2d7864faa0cc84da7f996feecc7a7f0225a474e282d2d81c37 SHA256 Crimson 542c6ed8e77987ca01152784a38ab4d288a959d7e2144989ae7f1eb89866d65b SHA256 Agent Tesla a8e0c6387dd77500a0593c0c26ba3b1e72b9bce200c232d7dcc1f2e75a449512 SHA256 Crimson 98d5fc49a5153cd8035ca0e83cf46a81dd573c175884821473aa4d07f719031f SHA256 Crimson dfea73a64bcb2aeab104dd3d78b83c859c4319be08a8da4edf77cc631bbdd623 SHA256 Crimson 07aa897c146f9443876930f1b69807ec7034a73a93dec0dc36157f17dedd3069 SHA256 Crimson f6ffbd8762b893aa9d7907917ee0b11457fbdbf37f4aacdf8d1d4a4f7f3badca SHA256 Crimson 87.247.155[.]111 IPv4 Crimson C&C ----- a2b5168fb4b6a18d66571c6debc54f9f462f5b05a82313123feecc96dab0e595 SHA256 Netwire halwachi50.mymediapc[.]net hostname Netwire C&C (resolved to 45.138.172[.]161) robinmmadi.servehumour[.]com hostname Netwire C&C (resolved to 45.138.172[.]161) bde269bf69582312c1ec76090991e7369e11dbee47a153af53e49528c8bd1b27 SHA256 Crimson 185.161.209[.]183 IPv4 Crimson C&C bd7abfaa0d3b1d315c2565c83c1003c229c700176c894752df11e6ecae7ad7e6 SHA256 Crimson 185.161.210[.]111 IPv4 Crimson C&C 4738c2849f2c81dec71427adaed489a84299563da31b62ce5489b84c95426ada SHA256 Crimson ee0f3eb8a4d7c87a4c33a1f8b08e78bb95fa7ee41ddf0b07d9b6eabe87a33b2e SHA256 Remcos naddyto.warzonedns[.]com hostname Remcos C&C 4b554367f8069f64201418cddcec82d7857dcc2573be7f0fb387c1b4802040b6 SHA256 Formbook www.scaker[.]com hostname Formbook C&C over HTTP **ET and ETPRO Suricata/Snort Signatures** 2013410 ET POLICY Outbound MSSQL Connection to Standard port (1433) 2814263 ETPRO TROJAN MSIL/Crimson C&C Server Command (info) 2832108 ETPRO TROJAN MSIL/Crimson Client Command (info) 2832107 ETPRO TROJAN MSIL/Crimson Receiving Command (getavs) 2816280 ETPRO TROJAN MSIL/Crimson Receiving Command (ping) 2815463 ETPRO TROJAN Win32/Megalodon/AgentTesla Conn Check 2837782 ETPRO TROJAN Win32/Origin Logger SMTP Exfil 2816766 ETPRO TROJAN NanoCore RAT C&C 7 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 ----- 2816718 ETPRO TROJAN NanoCore RAT Keep Alive Beacon 2829000 ETPRO TROJAN FormBook C&C Checkin (GET) 2829004 ETPRO TROJAN FormBook C&C Checkin (POST) Subscribe to the Proofpoint Blog -----