Proofpoint's research team has found that a new malware downloader, WhiteShadow, uses attacker-controlled Microsoft SQL Servers to distribute malware.
According to the researchers, WhiteShadow uses the SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, execute a query, and save the query result to a file as a compressed executable. The SQLOLEDB connector is an installable database connector from Microsoft, but it is included by default in many installations of Microsoft Office.
“The SQLOLEDB connector is an installable database connector from Microsoft but is included by default in many (if not all) installations of Microsoft Office,” the researchers say. “Once the connector is installed on the system, it can be used by various parts of the Windows subsystem and by Visual Basic scripts including macros in Microsoft Office documents.”
WhiteShadow is delivered as a set of Office macros, mainly distributed via spam carrying malicious URLs or malicious attachments. Since the downloader was first discovered in August, the research team has identified 11 malicious campaigns using it. Most of these campaigns distribute Crimson malware; other payloads include the Agent Tesla, AZORult, Nanocore, njRat, Orion Logger, Remcos, and Formbook RATs.