ASEC observed attacks against exposed MS-SQL servers that used weak credentials to install JuicyPotato for privilege escalation and deploy the XiebroC2 C2 framework, often alongside CoinMiner. The report includes specific IOCs and configuration details for XiebroC2 such as HostPort, Protocol, ListenerName, and AesKey. #XiebroC2 #JuicyPotato
Keypoints
- Exposed MS-SQL servers with weak or default credentials are being targeted by brute force and dictionary attacks.
- Successful access led to installation attempts of CoinMiner and the privilege-escalation tool JuicyPotato.
- After privilege escalation, attackers downloaded and deployed XiebroC2 via PowerShell to provide backdoor/C2 capabilities.
- XiebroC2 is an open-source, multi-platform implant (written in Go) offering remote control, reverse shells, file/process management, network monitoring, reverse proxy, and screenshots.
- Collected XiebroC2 configuration and system information include PID, HWID, computer name, username, and C2 connection details (HostPort, Protocol, ListenerName, AesKey).
- Provided IOCs include two MD5 hashes, a malicious URL for tee.exe, and an IP address linked to the C2 server.
- Mitigation recommendations: use strong, regularly changed passwords, keep security software updated, and restrict external access to database servers with firewalls.
MITRE Techniques
- [T1110] Brute Force – Threat actors used brute force and dictionary attacks against MS-SQL servers to gain access. Quote: ‘The two main types of attacks against MS-SQL servers are brute force and dictionary attacks, usually targeting systems with poorly managed account credentials.’
- [T1059.001] PowerShell – XiebroC2 was downloaded using PowerShell after privilege escalation. Quote: ‘After installing JuicyPotato, XiebroC2 was downloaded using PowerShell.’
- [T1068] Exploitation for Privilege Escalation (JuicyPotato) – Attackers installed JuicyPotato to escalate privileges from the low-privileged MS-SQL service context. Quote: ‘After successfully logging in, the threat actor installed JuicyPotato…threat actors often use Potato malware, which involves privilege escalation.’
- [T1105] Ingress Tool Transfer – The XiebroC2 implant and other binaries (e.g., tee.exe) were transferred to the compromised host from a remote URL. Quote: ‘After installing JuicyPotato, XiebroC2 was downloaded…’
- [T1071.001] Web Protocols – XiebroC2 connects to its C2 over a web-based transport (example: ‘Session/Reverse_Ws’) to receive commands. Quotes: ‘Protocol = "Session/Reverse_Ws"’ and ‘connect to the C&C server to execute commands from the threat actor.’
- [T1027] Obfuscated Files or Information – XiebroC2’s embedded configuration carries an AES key alongside its C2 connection details, concealing the C2 traffic. Quotes: ‘AesKey = "QWERt_CSDMAHUATW"’ and ‘HostPort = "1.94.185[.]235:8433"’.
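As an added defender-side example (not code from the ASEC report), the following Python flags the brute-force pattern behind T1110 by counting failed MS-SQL logons per client address in a sliding window, and separately flags a success that follows a burst of failures from the same address, the pattern the keypoints describe for a weak 'sa' password. The sample lines are constructed in the shape of SQL Server ERRORLOG logon entries; the 203.0.113.7 address is a documentation-range placeholder, not an indicator from the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines shaped like SQL Server ERRORLOG logon entries; they are
# not from the ASEC report. 203.0.113.7 (documentation range) plays the guesser.
SAMPLE_LOG = "\n".join(
    [f"2025-09-01 03:14:0{i}.00 Logon       Login failed for user 'sa'. "
     "Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]"
     for i in range(6)]
    + ["2025-09-01 03:14:08.00 Logon       Login succeeded for user 'sa'. "
       "Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]",
       "2025-09-01 03:20:00.00 Logon       Login failed for user 'appuser'. "
       "Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]"]
)

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def analyze_logons(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (brute_force, suspicious_successes).

    brute_force          - {client: peak failed logons seen inside one window}
    suspicious_successes - [(client, user, ts)] for a success that arrives while
                           the same client still has >= threshold recent failures
    """
    failures = defaultdict(deque)        # client -> timestamps of recent failures
    brute_force, suspicious = {}, []
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue                     # not a logon line; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        q = failures[m["client"]]
        while q and ts - q[0] > window:  # age out failures older than the window
            q.popleft()
        if m["result"] == "failed":
            q.append(ts)
            if len(q) >= threshold:
                brute_force[m["client"]] = max(brute_force.get(m["client"], 0), len(q))
        elif len(q) >= threshold:        # guessing that eventually succeeded
            suspicious.append((m["client"], m["user"], m["ts"]))
    return brute_force, suspicious
```

Successful logons only reach ERRORLOG when the instance's login auditing is set to record both failed and successful logins, so the second signal depends on that setting.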
Indicators of Compromise
- [MD5] malware file hashes – 4cfdd0ae14185e72a74e67717c23526c, 7d28a709a6ca6eef5af40f48cf7e3d12
- [URL] malicious payload download – http[:]//183[.]196[.]14[.]213[:]2780/tee[.]exe
- [IP] command and control server – 1[.]94[.]185[.]235 (HostPort shown as 1.94.185[.]235:8433)
Read more: https://asec.ahnlab.com/en/90369/