New Banking Trojan Dubbed MnuBot Uses SQL Server For C&C


Cyber hackers have recently launched a new piece of malware named MnuBot. It is a banking trojan that aims to steal sensitive bank-related details such as login credentials and passwords. According to malware analysts, MnuBot uses MS SQL Server as its communication medium: it takes commands from the C&C server and then executes them on the victim’s system.

MnuBot Known To Target Only Bank Sites

MnuBot mainly targets bank sites in order to steal bank data. Once a system user has opened a browsing session to their banking site account, it is automatically downloaded and enters the browser session. To carry out the theft, it secretly opens the browser session and then takes screenshots and sets keyloggers so that it can easily track the user's clicks and keystrokes. According to security analysts, it uses full-screen overlay forms to assist cyber hackers in committing fraud.

MnuBot Is Mainly Controlled By MSSQL Database

Discovered by Jonathan Lusky of IBM Security’s Trusteer, MnuBot is written in Delphi and mainly targets Brazilian system users, but that does not mean it cannot affect users in other countries. According to Jonathan Lusky, this banking malware is mainly controlled through a remote MSSQL database. Most malware operates by pinging remote custom-crafted web servers; only very rarely does malware connect directly to a database. The malware’s source code includes locked credentials for connecting to the remote MSSQL database. Almost all communication between the C&C servers and the malware occurs as SQL traffic, including queries for new commands.
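Because the command channel is SQL traffic to a remote database, a workstation opening SQL Server connections to an address outside the organisation is worth reviewing. The following is an added example, not code from IBM or from the malware: it scans flow records for such connections, and the port (1433, SQL Server's default), the allowlist entry and all sample records are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: 1433 is SQL Server's default TCP port. The article names no port,
# and a C&C database can listen elsewhere, so extend this set as needed.
MSSQL_PORTS = {1433}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical allowlist of sanctioned external database endpoints.
ALLOWED_EXTERNAL_DB = {ipaddress.ip_address("198.51.100.20")}

# Constructed sample flow records (documentation IP ranges): src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
10.0.5.21,10.0.9.10,1433
10.0.5.34,203.0.113.77,1433
10.0.5.34,203.0.113.77,1433
10.0.5.40,198.51.100.20,1433
10.0.5.34,192.0.2.10,443
192.168.1.8,203.0.113.90,1433
"""

def is_internal(ip):
    """True if the address belongs to one of the organisation's own ranges."""
    return any(ip in net for net in INTERNAL_NETS)

def find_external_mssql(flow_csv):
    """Return {(src, dst): flow_count} for internal hosts reaching external SQL Server ports."""
    hits = defaultdict(int)
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 3:
            continue  # skip blank or malformed records
        src, dst, port = row
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if int(port) not in MSSQL_PORTS:
            continue  # not SQL Server traffic
        if not is_internal(src_ip) or is_internal(dst_ip):
            continue  # only internal -> external is of interest
        if dst_ip in ALLOWED_EXTERNAL_DB:
            continue  # sanctioned hosted database
        hits[(src, dst)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, dst), n in sorted(find_external_mssql(SAMPLE_FLOWS).items()):
        print(f"REVIEW {src} -> {dst} SQL Server port ({n} flows)")
```

Blocking outbound SQL Server ports at the perimeter for hosts with no business need removes this channel outright; the check above is for environments where some external database access must stay open.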

Experienced Crew Is Known For Designing MnuBot

MnuBot was designed by an experienced crew, and its design has several advantages. It is made of two components. The first component infects victims. Its primary role is to check whether a file named Desk.txt exists in the AppData Roaming folder. If not, it creates this file and opens a new desktop environment where it can easily operate, hidden, on the user’s data. The second component knows where to operate MnuBot. According to IBM, the second-stage component is a full-on RAT that talks to the MSSQL database to execute malevolent actions, including:

  • Execute OS commands, which are often stored in the config file.
  • Gather the latest version of the config file.
  • Simulate user clicks and keyboard input.
  • Perform keylogging.
  • Automatically create desktop as well as browser screenshots.
  • Create overlays on top of the real banking portals, etc.