MnuBot is a banking trojan discovered by IBM X-Force researchers targeting victims in Brazil. To avoid antivirus detection, the trojan uses a remote Microsoft SQL database as its C2 server, so its connections look like legitimate and innocuous Microsoft SQL traffic. Since the configuration file is downloaded from the MSSQL server at regular intervals, threat actors have full control over operations and can push new target information instantaneously. Attackers are also able to remotely shut down the MSSQL database if they suspect that law enforcement or researchers are investigating, making it look as though the malware doesn’t reach out to any source. MnuBot starts by checking whether the victim has already been infected, searching for a Desk.txt file in the AppData Roaming folder. This file lets the second stage of the malware know where to operate. If it is not present, the malware creates the Desk.txt file and opens a new hidden desktop environment that operates without the victim’s knowledge. Once the first stage is complete, the malware begins to talk to the MSSQL database, receiving instructions that allow it to retrieve the latest configuration file, execute OS commands, perform keylogging, simulate user clicks and keyboard input, uninstall apps, restart the PC, and create overlays on top of real banking portals.
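As an added illustration of how a defender might hunt for the two host-level behaviours described above (the Desk.txt marker under AppData\Roaming and a non-SQL process talking to an MSSQL port), the following Python was written for this page and is not taken from IBM X-Force's analysis; the Sysmon-style event format, the sample events, the allow-list of legitimate SQL clients and the use of TCP port 1433 are all assumptions.

```python
import re

# Constructed sample events in a simplified Sysmon-like key=value form
# (EventID 11 = file created, EventID 3 = network connection). Not real telemetry.
SAMPLE_EVENTS = [
    "EventID=11 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe "
    "TargetFilename=C:\\Users\\alice\\AppData\\Roaming\\Desk.txt",
    "EventID=3 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe "
    "DestinationIp=203.0.113.10 DestinationPort=1433 Protocol=tcp",
    "EventID=3 Image=C:\\Program Files\\Microsoft SQL Server\\Client SDK\\sqlcmd.exe "
    "DestinationIp=10.0.0.5 DestinationPort=1433 Protocol=tcp",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "DestinationIp=198.51.100.7 DestinationPort=443 Protocol=tcp",
]

# Assumption: executables for which outbound MSSQL traffic is expected. Tune per environment.
KNOWN_SQL_CLIENTS = {"sqlcmd.exe", "ssms.exe", "sqlservr.exe"}
MSSQL_PORT = "1433"  # default MSSQL TCP port; the real C2 port is not stated on the page
# The infection marker MnuBot looks for: Desk.txt in the AppData\Roaming folder.
MARKER_RE = re.compile(r"\\AppData\\Roaming\\Desk\.txt$", re.IGNORECASE)


def parse_event(line):
    """Split 'Key=value Key=value' into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def detect_mnubot_indicators(events):
    """Return (indicator, exe, detail) tuples for each suspicious event."""
    findings = []
    for line in events:
        ev = parse_event(line)
        exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if ev.get("EventID") == "11" and MARKER_RE.search(ev.get("TargetFilename", "")):
            findings.append(("desk_txt_marker", exe, ev["TargetFilename"]))
        elif (ev.get("EventID") == "3" and ev.get("DestinationPort") == MSSQL_PORT
              and exe not in KNOWN_SQL_CLIENTS):
            findings.append(("unexpected_mssql_client", exe, ev.get("DestinationIp", "")))
    return findings


def correlate(findings):
    """Rate each process: both indicators together is a much stronger signal than either alone."""
    kinds_by_exe = {}
    for kind, exe, _detail in findings:
        kinds_by_exe.setdefault(exe, set()).add(kind)
    return {exe: ("high" if len(kinds) == 2 else "medium") for exe, kinds in kinds_by_exe.items()}


if __name__ == "__main__":
    hits = detect_mnubot_indicators(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(correlate(hits))
```

On real data, feed it Sysmon file-create and network-connection events instead of the constructed list; the legitimate sqlcmd.exe connection in the sample shows why the allow-list is needed to keep the MSSQL-port rule from flagging ordinary database clients.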
- IBM X-Force provides a technical analysis of MnuBot here.
Image Source: Bleeping Computer