S0390 SQLRat
SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has been observed using it.[1]
Item | Value |
---|---|
ID | S0390 |
Associated Names | |
Type | MALWARE |
Version | 1.2 |
Created | 18 June 2019 |
Last Modified | 22 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | SQLRat has used PowerShell to create a Meterpreter session.[1] |
enterprise | T1059.003 | Windows Command Shell | SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | SQLRat has scripts that are responsible for deobfuscating additional scripts.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | SQLRat has been observed deleting scripts once used.[1] |
enterprise | T1105 | Ingress Tool Transfer | SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.010 | Command Obfuscation | SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.[1] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | SQLRat has created scheduled tasks in `%appdata%\Roaming\Microsoft\Templates\`.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | SQLRat relies on users clicking on an embedded image to execute the scripts.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0046 | FIN7 | 1 |