Microsoft SQL servers were observed being attacked through brute-force or dictionary attacks that exploit weak account credentials. The servers were then used as entry points to deploy Trigona ransomware and encrypt all files.

Once the attackers gain access to a server, they deploy malware dubbed CLR Shell to harvest system information, alter the account's configuration, and escalate privileges to LocalSystem. CLR Shell is a type of CLR assembly malware that receives commands from the attackers and performs malicious actions.
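The initial access described above is credential guessing against the SQL Server login, which leaves a dense trail of failed-login entries in the SQL Server ERRORLOG. The following is an added detection example (not code from the original report or any product it mentions): it parses constructed ERRORLOG-style "Login failed for user" lines, groups failures by client address and login name, and flags any pair that exceeds a threshold inside a sliding time window. The log lines, addresses, thresholds and function names are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the layout of SQL Server ERRORLOG entries for
# login failures (error 18456). Fabricated for this example; the client
# addresses come from documentation ranges, not from any real host.
SAMPLE_LOG = """\
2024-01-05 10:00:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-01-05 10:00:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-05 10:00:01.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-05 10:00:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-05 10:00:02.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-05 10:00:02.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-05 10:00:03.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-01-05 10:03:15.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
2024-01-05 10:14:40.50 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
2024-01-05 10:15:00.00 Logon       Login succeeded for user 'reports'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.4]
"""

# Matches only the "Login failed for user" line; the preceding "Error: 18456"
# line carries no user or client and is skipped.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, user, client) tuples for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (client, user) pairs with at least `threshold` failures inside
    any span of length `window`. Uses a sliding window over each pair's
    sorted timestamps and reports the densest burst found."""
    by_pair = defaultdict(list)
    for ts, user, client in events:
        by_pair[(client, user)].append(ts)

    alerts = []
    for (client, user), stamps in by_pair.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            # Drop timestamps that fell out of the window ending at `ts`.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"client": client, "user": user,
                           "failures_in_window": best,
                           "first_seen": stamps[0], "last_seen": stamps[-1]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)):
        print(f"ALERT {a['client']} -> '{a['user']}': {a['failures_in_window']} "
              f"failures within 60s ({a['first_seen']} .. {a['last_seen']})")
```

Run against the sample, only the burst of six `sa` failures from one client is flagged; the two spaced-out `reports` failures stay below the threshold, which is the intended distinction between a dictionary attack and an operator mistyping a password. In production the same logic would read the live ERRORLOG (or the equivalent Windows event log entries) and the thresholds would be tuned to the server's normal login rate.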
To launch the ransomware, the attackers exploit CVE-2016-0099, a vulnerability in the Windows Secondary Logon Service, which is required to launch the ransomware as a service on the compromised server. In the next stage, they install a dropper malware as the svcservice.exe service, and use it to launch the Trigona ransomware process, which impersonates svchost.exe.