Analysis of MS-SQL Server Proxyjacking Cases – ASEC BLOG

AhnLab Security Emergency response Center (ASEC) has recently discovered cases of proxyjacking targeting poorly managed MS-SQL servers. Publicly accessible MS-SQL servers with simple passwords are one of the main attack vectors used when targeting Windows systems. Typically, threat actors target poorly managed MS-SQL servers and attempt to gain access through brute force or dictionary attacks. If successful, they install malware on the infected system.

The threat actors have been installing LoveMiner on MS-SQL servers for quite some time, and their distinctive trait is the fact that they perform proxyjacking and cryptojacking together. In contrast to previous attacks where the threat actor utilized Peer2Profit’s proxyware, they have now shifted to employing proxyware from IPRoyal Pawns, Traffmonetizer, Proxyrack, and PacketStream companies for their current attacks. Besides the use of these various proxyware, another distinguishing feature is that the malware is compiled using the .NET Native ahead-of-time (AOT) compilation method. This post will briefly cover the threat actor’s past attack cases and analyze the malware being used in their recent attacks.

1. Proxyjacking

Previously, ASEC covered the recent trend of proxyjacking attacks through the post titled “Attackers Profiting from Proxyware” [1]. Proxyjacking involves the unauthorized installation of proxyware on infected systems, which allows threat actors to share a portion of the system’s Internet bandwidth with external sources for financial gain.

Proxyware refers to programs installed on systems that share a portion of the available Internet bandwidth with external sources. Typically, users who install proxyware receive a certain amount of money for providing their bandwidth. If a threat actor secretly installs proxyware on a system without user consent, the infected system involuntarily contributes its network bandwidth, and the generated profit goes to the threat actor. This concept is similar to cryptojacking, where instead of proxyware, CoinMiners are installed to use the resources of the infected system for cryptocurrency mining.

In a past report from Cisco’s Talos, instances of proxyjacking involving malware disguised as normal installation files were reported [2]. Subsequently, the ASEC blog covered the attack cases where adware and poorly managed MS-SQL servers were targeted. Proxyjacking is not limited to Windows systems as Linux systems can also be targeted. There have been reported cases of malware being installed through Log4Shell vulnerability attacks [3] and SSH server attacks [4].

2. Past Attack Cases

Since early June 2022, the threat actor behind LoveMiner has been targeting poorly managed MS-SQL servers to install Peer2Profit’s proxyware under the name “sdk.mdf”. Because “sdk.mdf” is the library shipped by the proxyware itself, a CLR assembly that abuses it was installed alongside it to steal bandwidth. [5]

Figure 1. Installation log of proxyware and CLR assembly

The CLR assembly “Tmp417C.tmp” loads the proxyware “sdk.mdf” and calls the p2p_start() export function so that it can operate without users knowing. When calling p2p_start(), the email address to receive the profits must be transferred as an argument, so the threat actor’s email address can be confirmed in the malware.

Figure 2. Proxyware executed via SqlShell

Additionally, the name of the CLR assembly, “SqlServerWorks.CLR.P2P.dll”, is similar to the CLR assembly of LoveMiner. This indicates that the threat actor behind LoveMiner also uses proxyware in their attacks. The logs retrieved from AhnLab Smart Defense (ASD) validate this observation, revealing a consistent pattern of nearly simultaneous installations of LoveMiner and proxyware.

LoveMiner comes in two forms of CLR assembly: a downloader and a loader. The loader form is responsible for loading XMRig, which is stored in the internal resource “gmp”, directly into memory. This “gmp” resource is a customized XMRig that configures the information required for mining, such as the mining pool address, during its initial routine. The string “gmp” used as the resource name is still being used in recent attacks.

Figure 3. Loader form of LoveMiner CLR assembly

3. Latest Attack Cases

ASEC has recently confirmed that the threat actor behind LoveMiner is creating malware with the name “winupdate0.mdf” instead of “sdk.mdf”. The version information of this DLL-format malware gives its name as “SqlserverCLRV2.NativeLib.dll”. This is similar to the LoveMiner CLR assembly’s file name, and the presence of the string “GmpStart” among the exported functions further suggests that it was likely crafted by the same threat actor.

Figure 4. Version information of the dropper

“winupdate0.mdf” is a dropper that installs various proxyware on infected systems. Unlike the LoveMiner CLR assembly, which was developed in .NET, “winupdate0.mdf” is distinctive in that it was built with the .NET Native AOT compilation method. .NET Native AOT, available from .NET 7 onwards, compiles .NET code directly into native code instead of CIL. While developers benefit from improved performance, analyzing malware built this way typically requires more effort than analyzing regular .NET executables, since the CIL metadata that decompilers rely on is no longer present. [6]

Figure 5. Dropper compiled with the .NET Native AOT method

The GmpStart() function is responsible for the actual dropper features. It installs the launcher malware “warpstrat.dll”, as well as proxyware tools such as Traffmonetizer, IPRoyal, Proxyrack, and PacketStream. As shown below, the GmpStart() function is simple and sequentially handles the installation of each respective function. All files are installed in the %APPDATA% directory.

Figure 6. Main routine of the GmpStart() function

Instead of directly executing the installed proxyware, the dropper uses “warpstrat.dll” to execute them indirectly. Contrary to its name, “warpstrat.dll” is an EXE executable, and it functions as a simple .NET launcher tool that executes the commands provided as arguments.

Figure 7. warpstrat launcher tool

4. Proxyware Used in Attacks

| Type | Path | File Name | Feature |
|---|---|---|---|
| Launcher | %APPDATA% | warpstrat.dll | Launcher tool |
| Traffmonetizer | %APPDATA%\sraffzer | sraffzer.exe etc. | Traffmonetizer proxyware |
| Traffmonetizer | %APPDATA%\traffmonetizer | settings.json etc. | Traffmonetizer configuration file |
| IPRoyal | %APPDATA% | SQLSERVERHUP.dll | IPRoyal proxyware |
| IPRoyal | %APPDATA%\ip_royal_paws | Other files | IPRoyal configuration file |
| Proxyrack | %APPDATA% | sqlgo.exe | Proxyrack proxyware |
| Proxyrack | %APPDATA% | prokey.obj | Proxyrack configuration file |
| PacketStream | %APPDATA% | psexitnode.exe | PacketStream proxyware |
Table 1. List of installed proxyware

4.1. Traffmonetizer

The first to be installed is Traffmonetizer. [7] The threat actor first creates the “settings.json” file in the “%APPDATA%\traffmonetizer” directory. This file contains the threat actor’s token information.

{"Token":"numNo223zAbqep0Eveul2JZbvh3hYRkAL1HQfg4L5tw=","StartWithWindows":false,"Accepting":true}

Afterward, it drops the “s.zip” file embedded in the binary and unzips it into the “%APPDATA%\sraffzer” directory. This archive contains the Traffmonetizer programs, which are later executed using warpstrat.
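The file artifacts in Table 1 and the Traffmonetizer “settings.json” format above are enough for a simple host check. The script below is an added example (not code from the ASEC report or from any of the proxyware vendors) that scans a directory standing in for %APPDATA%, reports which Table 1 artifacts are present, and pulls the Traffmonetizer token and the Proxyrack “prokey.obj” device_id out of the configuration files it finds; the sample tree it builds is constructed for offline testing and contains no real malware.

```python
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Table 1 artifacts relative to %APPDATA%; a trailing "/" marks a directory.
ARTIFACTS: Dict[str, str] = {
    "warpstrat.dll": "Launcher tool",
    "sraffzer/": "Traffmonetizer proxyware",
    "traffmonetizer/settings.json": "Traffmonetizer configuration file",
    "SQLSERVERHUP.dll": "IPRoyal proxyware",
    "ip_royal_paws/": "IPRoyal configuration file",
    "sqlgo.exe": "Proxyrack proxyware",
    "prokey.obj": "Proxyrack configuration file (device_id)",
    "psexitnode.exe": "PacketStream proxyware",
}

def traffmonetizer_token(path: Path) -> Optional[str]:
    """Read the 'Token' field of a Traffmonetizer settings.json (section 4.1 format)."""
    try:
        return json.loads(path.read_text(encoding="utf-8")).get("Token")
    except (OSError, ValueError):
        return None

def scan_appdata(appdata: Path) -> List[dict]:
    """Return one finding per Table 1 artifact that exists under appdata."""
    findings = []
    for rel, feature in ARTIFACTS.items():
        p = appdata / rel.rstrip("/")
        present = p.is_dir() if rel.endswith("/") else p.is_file()
        if not present:
            continue
        finding = {"path": str(p), "feature": feature}
        if rel == "traffmonetizer/settings.json":
            finding["token"] = traffmonetizer_token(p)
        elif rel == "prokey.obj":  # random string used as the Proxyrack --id argument
            finding["device_id"] = p.read_text(encoding="utf-8", errors="replace").strip()
        findings.append(finding)
    return findings

def build_sample_tree() -> Path:
    """Constructed stand-in for an infected %APPDATA% (placeholder values only)."""
    root = Path(tempfile.mkdtemp())
    (root / "traffmonetizer").mkdir()
    (root / "traffmonetizer" / "settings.json").write_text(
        '{"Token":"EXAMPLE-TOKEN","StartWithWindows":false,"Accepting":true}')
    (root / "sraffzer").mkdir()
    (root / "sqlgo.exe").write_bytes(b"MZ")          # placeholder, not a real PE
    (root / "prokey.obj").write_text("exampledeviceid01")
    return root

if __name__ == "__main__":
    for f in scan_appdata(build_sample_tree()):
        print(f)
```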

Figure 8. Traffmonetizer files contained within the compressed file

Double-clicking the Traffmonetizer tray icon allows you to view earnings for the past 3 months. The threat actor using this token seems to have already gained a significant profit by infecting multiple systems.

Figure 9. Profit earned by the threat actor using Traffmonetizer

4.2. IPRoyal Pawns

IPRoyal Pawns is one of the proxyware programs identified in most attack cases, including past ones. [8] One notable fact about IPRoyal Pawns is that account credentials are required to run the proxyware, so the threat actor’s email address and password can be identified from the installation process.

Figure 10. Threat actor’s account credentials used to install IPRoyal Pawns proxyware
  • Version: pawnsapp_gui 1.4.6
  • Threat actor’s email address: gmpgmp@duck[.]com

4.3. Proxyrack

Proxyrack uses a randomly generated string called “device_id”, which is passed as an argument when executing the proxyware. Afterward, this “device_id” can be registered to an account on the website to generate revenue. [9] Proxyrack also offers an API through which a “device_id” can be registered with a POST request using the account’s API key.

Figure 11. Device ID registration method

The dropper creates the Proxyrack proxyware at the “%APPDATA%\sqlgo.exe” path and executes it. Before doing so, it checks for the presence of the “prokey.obj” file. If the file is not present, it generates a random string and stores it in “prokey.obj”; this string is then used as the “device_id” argument when executing the proxyware. No routine that registers the randomly generated “device_id” through the API was found in the dropper. This suggests that the threat actor either pre-generated the “prokey.obj” file along with the dropper or collected the “device_id” through a different method.

--homeIp point-of-presence.sock[.]sh --homePort 443
--id [Device ID]
--version 56 --clientKey proxyrack-pop-client --clientType PoP
--ppid [PPID] --osType [OS type] --osRelease [OS version] --osArch ia32

4.4. PacketStream

PacketStream is relatively simple in comparison to the other proxyware. [10] The dropper installs it at the “%APPDATA%\psexitnode.exe” path and executes it with the following argument.

> psexitnode.exe "1332868?client_version=20.202.1548"
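The Proxyrack and PacketStream launch arguments in sections 4.3 and 4.4 are distinctive enough to match in process-creation telemetry. The script below is an added example (not code from the ASEC report) that classifies process-creation records by those argument patterns and extracts the Proxyrack device_id; the event records are constructed for this example, the field names “image” and “cmdline” are assumptions, and the page does not say what the numeric prefix of the PacketStream argument denotes, so it is reported simply as the argument prefix.

```python
import re
import shlex
from typing import Dict, List, Optional

# Constructed process-creation records (e.g. what a Sysmon Event ID 1 feed carries).
# Values are taken from the argument lists in sections 4.3 and 4.4; IDs are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\svc_sql\AppData\Roaming\sqlgo.exe",
     "cmdline": "sqlgo.exe --homeIp point-of-presence.sock[.]sh --homePort 443 "
                "--id exampledeviceid01 --version 56 --clientKey proxyrack-pop-client "
                "--clientType PoP --ppid 4412 --osType win --osRelease 10.0 --osArch ia32"},
    {"image": r"C:\Users\svc_sql\AppData\Roaming\psexitnode.exe",
     "cmdline": 'psexitnode.exe "1332868?client_version=20.202.1548"'},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe readme.txt"},
]

PACKETSTREAM_ARG = re.compile(r'"?(\d+)\?client_version=([\d.]+)"?')

def parse_flags(cmdline: str) -> Dict[str, str]:
    """Turn '--key value' pairs (the Proxyrack style in section 4.3) into a dict."""
    toks = shlex.split(cmdline, posix=False)
    flags: Dict[str, str] = {}
    for i, tok in enumerate(toks):
        if tok.startswith("--") and i + 1 < len(toks) and not toks[i + 1].startswith("--"):
            flags[tok[2:]] = toks[i + 1]
    return flags

def classify(event: dict) -> Optional[dict]:
    """Return a finding when the command line matches a section 4.3 / 4.4 launch pattern."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    flags = parse_flags(event["cmdline"])
    if flags.get("clientKey") == "proxyrack-pop-client":
        return {"family": "Proxyrack", "image": image,
                "device_id": flags.get("id"), "homeIp": flags.get("homeIp")}
    m = PACKETSTREAM_ARG.search(event["cmdline"])
    if image == "psexitnode.exe" and m:
        return {"family": "PacketStream", "image": image,
                "arg_prefix": m.group(1), "client_version": m.group(2)}
    return None

def scan(events: List[dict]) -> List[dict]:
    """Run classify() over a list of events and keep only the matches."""
    return [f for f in (classify(e) for e in events) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```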

5. Conclusion

The proxyware dropper malware recently discovered is similar to CoinMiner in that it profits by exploiting the infected system’s resources. These malware strains are distributed through adware or installed on vulnerable MS-SQL servers.

MS-SQL server administrators are advised to use complex, hard-to-guess passwords for their accounts and to change them regularly. This measure protects the database server against both brute force and dictionary attacks. Keeping the server up to date with the latest patches is also crucial to mitigate potential vulnerabilities. Furthermore, administrators should place security controls such as firewalls in front of database servers that are reachable from external sources, so that access by external threat actors can be controlled and limited. If these measures are not taken in advance, repeated infections by threat actors and malware can occur. V3 should also be updated to the latest version so that malware infections can be prevented.

File Detection
– Dropper/Win.Proxyware.C5471194 (2023.08.15.03)
– HackTool/Win.Launcher.C5471202 (2023.08.16.00)
– PUP/Win.TraffMonetizer.C5471479 (2023.08.16.02)
– Unwanted/Win.PacketStream.C5471480 (2023.08.16.02)
– Unwanted/Win.IPRoyal.C5471481 (2023.08.16.02)
– PUP/Win.Proxyrack.C5471483 (2023.08.16.02)
– Data/BIN.Config (2023.08.16.02)

IOC
MD5


Source: https://asec.ahnlab.com/en/56350/