Aliases
Sql Shell, CLR SQL shell
Tags
Reverse shellMalware
Incidents
Mimic used by Trigona operators
References
https://asec.ahnlab.com/en/52479/https://www.trendmicro.com/en_us/research/23/f/an-overview-of-the-trigona-ransomware.htmlhttps://malware.news/t/trigona-ransomware-attacking-ms-sql-servers/68771
Last edited
Feb 19, 2025 2:24 PM
CLR SqlShell is a malware strain that targets poorly managed Microsoft SQL (MS SQL) servers by exploiting the Common Language Runtime (CLR) stored procedures feature. Once installed, it enables attackers to execute arbitrary commands, perform privilege escalation, and deploy additional malicious payloads such as cryptocurrency miners and ransomware. Notably, the Trigona ransomware has been observed utilizing CLR SqlShell to compromise MS SQL servers. Attackers often gain initial access through brute-force or dictionary attacks on servers with weak credentials, subsequently leveraging CLR SqlShell to maintain persistence and control over the compromised systems.