Security researchers have spotted a new banking trojan named MnuBot that uses some atypical tricks to avoid easy detection on compromised hosts.
Discovered by the IBM security team, this trojan is written in Delphi, and its author is currently spreading it to Brazilian targets only.
But while most Delphi-based malware is generally considered unsophisticated, MnuBot got the IBM team's interest due to an odd trick it uses to disguise its traffic.
According to Jonathan Lusky, a malware researcher in IBM Security's Trusteer group, this new banking trojan is controlled by crooks via a remote Microsoft SQL (MSSQL) database.
This is somewhat atypical, as most malware operates by pinging remote custom-crafted web servers or web apps, and only in very rare cases does malware actually connect to a database directly.
In a report published earlier today, Lusky says the malware's source code contains encrypted credentials to connect to a remote MSSQL database.
On a victim's computer, the malware dynamically decrypts these values just before initializing the connection to the remote server.
All communications between the malware and its C&C server occur as SQL traffic. This includes queries for new commands, and the commands themselves.
"It is most likely that MnuBot authors wanted to try to evade regular antivirus detection, which is based on the malware traffic," Lusky explains. "To do so, they decided to wrap their malicious network communication using seemingly innocent Microsoft SQL traffic."
But this design has other advantages. For example, because the malware retrieves its configuration file from the MSSQL server at regular intervals rather than shipping with this data hard-coded, the MnuBot author has full control over operations at any time and can push updates with new banks to target almost instantaneously.
Additionally, if the MnuBot crew feels that security researchers, bank employees, or law enforcement are on their trail, they can take down their MSSQL database, at which point the malware becomes fully unresponsive and researchers can't reverse engineer it to study its attack routine.
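The evasion described above relies on the C&C channel looking like ordinary database traffic. One defensive counterpart, added here as an illustration and not taken from the IBM report or the article, is to treat outbound MSSQL connections from ordinary workstations to hosts outside the organization as anomalous. The check below parses constructed flow-log lines and flags TCP connections on the default MSSQL port 1433 that leave the internal address ranges from a source that is not on an allowlist of known database clients. The internal subnets, the allowlist, the log format and all addresses are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records (not from the article or the IBM report).
SAMPLE_FLOWS = """\
ts=1527000001 src=10.10.5.23 dst=10.10.1.50 dport=1433 proto=tcp
ts=1527000002 src=10.10.5.23 dst=203.0.113.77 dport=443 proto=tcp
ts=1527000003 src=10.10.5.41 dst=198.51.100.9 dport=1433 proto=tcp
ts=1527000004 src=10.10.1.50 dst=198.51.100.9 dport=1433 proto=tcp
ts=1527000005 src=10.10.5.23 dst=198.51.100.9 dport=1433 proto=udp
"""

# Assumption: the organization's internal address space (RFC 1918 ranges here).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: hosts that legitimately open MSSQL sessions to the outside
# (e.g. an application server replicating to a hosted database).
DB_CLIENT_ALLOWLIST = {"10.10.1.50"}

MSSQL_PORT = 1433  # default TDS port for Microsoft SQL Server


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Parse one 'key=value' flow line; return None for blank lines."""
    line = line.strip()
    if not line:
        return None
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        ts=int(fields["ts"]),
        src=fields["src"],
        dst=fields["dst"],
        dport=int(fields["dport"]),
        proto=fields["proto"].lower(),
    )


def is_external(ip):
    """True if the address lies outside every configured internal subnet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_suspicious(flow):
    """Outbound TCP/1433 to an external host from a non-allowlisted source."""
    return (
        flow.proto == "tcp"
        and flow.dport == MSSQL_PORT
        and is_external(flow.dst)
        and flow.src not in DB_CLIENT_ALLOWLIST
    )


def find_suspicious(log_text):
    """Return the flows in a log that match the outbound-MSSQL heuristic."""
    flows = (parse_flow(line) for line in log_text.splitlines())
    return [f for f in flows if f is not None and is_suspicious(f)]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_FLOWS):
        print(f"ALERT ts={f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

On the constructed input only the third line is flagged: the first is an internal database session, the second is HTTPS, the fourth comes from an allowlisted client and the fifth is not TCP. In practice the allowlist and subnet list would come from asset inventory, and the same heuristic can be expressed as a firewall egress rule rather than a log query, which blocks the channel instead of merely reporting it.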
These design choices reveal that the group behind MnuBot isn't at its first rodeo when it comes to malware development. Further, the MnuBot banking trojan is also quite advanced, despite being developed in Delphi.
At its core, MnuBot is actually made of two components. The first component is the one that first infects victims. Its primary role is to check if there's a file named Desk.txt in the AppData Roaming folder.
The presence of such a file indicates the victim has already been infected. If not, this first MnuBot component creates the file and opens a new desktop environment where it will operate hidden from the user's view. Data about this hidden desktop is stored inside the Desk.txt file, so the second-stage malware knows where to operate.
The second stage component is more akin to a full-on remote access trojan (RAT), according to IBM. This component is the one that talks to the MSSQL database, and based on the received instructions it can:
All in all, while the Brazilian banking scene is considered to be always a few steps behind when it comes to the sophistication of its trojans, MnuBot is a more than capable threat compared to what's already on the local market and targeting local banks.