The Shadowserver Foundation recently released a report showing that about 3.6 million MySQL servers are exposed to the Internet. Along with MS-SQL Server, MySQL is one of the main database servers used to manage large amounts of data in corporate and personal environments.
AsyncRAT
Attackers first scan for a target. Among externally exposed systems, the scanner looks for hosts with port 3306/TCP, the port used by MySQL, open to the outside. The attackers then run brute-force and dictionary attacks against those systems and can obtain the credentials of the root account if the server has been managed improperly.
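Detecting the brute-force stage described above, as an added example that is not part of the original post: the script reads MySQL error-log "Access denied" entries and flags any source host that fails to authenticate as root repeatedly within a short window. The sample log lines, the assumed MySQL 5.7/8.0 log format and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches MySQL 5.7/8.0 error-log "Access denied" entries (format assumed).
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\S+Z)\s+\d+\s+\[Note\].*?Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)

def parse_line(line):
    """Return (timestamp, user, host) for an Access-denied line, else None."""
    m = ACCESS_DENIED.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts, m.group("user"), m.group("host")

def detect_bruteforce(lines, user="root", threshold=5, window_seconds=60):
    """Return {host: total_failures} for hosts with >= threshold failed logins
    as `user` inside any span of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    attempts = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == user:
            attempts[parsed[2]].append(parsed[0])
    flagged = {}
    for host, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = len(times)
                break
    return flagged

# Constructed sample log: one host hammers root six times in six seconds,
# another fails twice half an hour apart, plus unrelated entries.
SAMPLE_LOG = [
    f"2023-05-01T10:00:0{i}.000000Z 1{i} [Note] Access denied for user "
    "'root'@'203.0.113.5' (using password: YES)" for i in range(1, 7)
] + [
    "2023-05-01T10:00:10.000000Z 18 [Note] Access denied for user 'app'@'203.0.113.5' (using password: YES)",
    "2023-05-01T10:05:00.000000Z 19 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)",
    "2023-05-01T10:30:00.000000Z 20 [Note] Access denied for user 'root'@'198.51.100.7' (using password: NO)",
    "2023-05-01T10:31:00.000000Z 21 [Warning] IP address '198.51.100.7' could not be resolved",
]
```

With the defaults only 203.0.113.5 is flagged; widening the window to an hour with a threshold of 2 also surfaces the slow attempts from 198.51.100.7.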
The most well-known method is xp_cmdshell, but there are various others such as OLE Stored Procedures, MS-SQL Agent Jobs, Extended Stored Procedures, and CLR Stored Procedures. Being able to run commands through the OS shell (e.g. cmd) or PowerShell means the attacker can take control of the system.
Because AsyncRAT is open-source, it is distributed in various ways. Recently it has been disguised as a crack for commercial software and distributed via malicious websites; in the past it was distributed via spam email.
In addition, there were cases of distribution through Discord involving illegal pornography, which were covered in a previous ASEC blog post.
Recommendations
- Use strong passwords for administrator accounts.
- Apply the latest patches.
- Configure strict firewall rules for database servers.
File Detection
- Trojan/Win32.RL_Generic.C4239825 (2020.11.26.01)
- Trojan/Win32.Inject.C500093 (2014.08.08.04)
[IOC]
MD5
AsyncRAT
- 46d552cd04ff2b41be06ba1478a97ced