Honeypot Recon: MySQL Malware Infection via User-Defined Functions (UDF)

A two-stage MySQL-based malware infection uses SQL commands to infiltrate a server, establish a UDF-loaded backdoor, and run a Windows Trojan delivered via that foothold. The operation includes credential brute-forcing, environment discovery, payload deployment, UDF persistence, a cleanup phase, and a separate Trojan with C2 communication and memory-resident behavior. Hashtags: #Silly #Trustwave

Keypoints

  • The attack begins with brute-force password guessing against the MySQL server from host X, then relays successful credentials to host Y, enabling initial access.
  • Once inside, the bot determines the hosting environment with a command like SHOW VARIABLES LIKE '%version_compile_os%'.
  • The payload is delivered by creating a table and storing a hex-encoded binary (starting with 0x4D5A) which is written to a .so file (sillyr644_x.so).
  • A user-defined function (UDF) named ‘downgota’ is created and linked to the .so, allowing the attacker to execute arbitrary code within the MySQL process context.
  • Downgota is invoked with a URL parameter to download and execute hnfsbdg.exe, after which the malicious table and UDF are removed to minimize traces.
  • The second stage shifts to Windows, where the downloaded file is renamed, moved to C:\Windows, and launched with administrator privileges; a VBS script is used to delete traces and itself later for cleanup.

MITRE Techniques

  • [T1110] Brute Force – Initial access is obtained by brute-force guessing of the MySQL server password from host X. Quote: “The attack begins when attackers using host X try to guess the MySQL server’s password using brute-force methods.”
  • [T1082] System Information Discovery – After login, the bot determines the operating environment with OS details via a query like SHOW VARIABLES LIKE '%version_compile_os%'. Quote: “Right after a successful login, the bot proceeds to determine the operating environment where the MySQL server is running. It uses “SHOW VARIABLES LIKE '%version_compile_os%'” to retrieve detailed information about the operating system.”
  • [T1105] Ingress Tool Transfer – The payload is delivered by dumping a binary to a .so file and downloading an additional executable (hnfsbdg.exe). Quote: “Next, the bot uses the DUMPFILE command to place the malicious payload into a file named ‘sillyr644_x.so’. … then calls with the URL address to download and execute a file named hnfsbdg.exe.”
  • [T1027] Obfuscated/Compressed Files and Information – The payload is UPX-packed and the .data sector is packed to obscure analysis. Quote: “the ‘.data’ sector contains packed data. This packing is likely designed to obscure details and complicate the analysis process.”
  • [T1543.003] Create or Modify System Process: Windows Service – The Trojan spawns or installs a Windows service to persist and run. Quote: “The main Trojan binary is launched in two modes… The function fragment reveals the already known process names of the created malicious system service…”
  • [T1059.005] Visual Basic/VBScript – A VBS script is used to remove the main binary and itself, aiding in cleanup and evasion. Quote: “VBS script designed for removing main binary of the first stage”
  • [T1095] Non-Application Layer Protocol – The malware maintains a persistent TCP connection to a remote C2 host over TCP/30222. Quote: “the malware… sustains it continuously… connecting to a remote host via the TCP/30222 port.”

Indicators of Compromise

  • [File hash] 264fd307e458a354362de0dac4f6b58f18b8c0c0b58ddbc92b699149fde63a31 — sillyr644_x.so (payload loaded via UDF)
  • [File hash] 03db52a7c6ce1ce42ad4ad91f5b4e9305b6207774f4c86dfb0e2e2bdea051b37 — hnfsbdg.exe, SqlXXX.exe (second-stage payloads)
  • [File hash] ed90d9576067ee9bffc212eb9f74813cbf0a0ba3b45ce634fb3ab38a8c217028 — 845.vbs (VBScript cleanup script)
  • [Domain] vig.nishabig.pro — domain resolved during the attack
  • [Domain] rw000167.widhost.net — domain resolved during the attack
  • [Port] 30222 — C2/TCP port used for persistent communication

Read more: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/