Symantec Discovers New Database Sabotage Malware

Malware Modifies, Deletes Business SQL Databases

Symantec researchers said they have discovered new malware that targets corporate databases, but doesn’t actually have data-stealing capabilities. Instead, Symantec said, the malware modifies and deletes records in corporate SQL databases.

Malware Targeting SQL Database

Detected by Symantec as W32.Narilam, infections appear to be predominantly in systems in the Middle East, Symantec said. However, other infections have been detected in other countries, including a small number in the United States and in the UK. Of the infections detected so far, the vast majority of users impacted by this threat are corporate users, Symantec said.

The malware copies itself to a system, adds registry keys, and spreads through removable drives and network shares, Symantec said.

Developed in Delphi, the malware incorporates functionality to update and modify a Microsoft SQL database if it is accessible by Object Linking and Embedding Database (OLEDB).

The malware was authored to specifically target SQL databases with three distinct names: alim, maliran, and shahd. Furthermore, the malware targets object and table names that can be accessed, and replaces certain items in the database with random values, including Asnad.SanadNo (“sanad” means “document” in Persian) and Pasandaz.Code (“pasandaz” means “savings” in Persian).

Based on these values and some others, it’s apparent that the malware is targeting databases that have financial and other business-related functions.

In addition to modifying records, the malware deletes tables, including specific names such as “A_Sellers”, “person”, and “Kalamast”.

Because this particular threat targets specific database and table names, infected organizations are not at risk unless they have OLEDB-accessible databases using those exact names. That being said, malware authors can easily customize and modify the malware to launch attacks against other targets, and in this case, the malware could easily be modified to target databases with different names.
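As an added example that is not part of this article or of Symantec's write-up, the Python below scans a constructed query-log format for the two behaviours described above: updates to the named columns and drops of the named tables inside the three named databases. The log layout and the sample lines are assumptions built for the example; the database, table and column names come from the article.

```python
import re
from typing import Optional
# Names the article reports for W32.Narilam. The article also notes the malware is
# easy to re-target, so a name-based rule like this is a starting point, not a fix.
TARGET_DATABASES = {"alim", "maliran", "shahd"}
TAMPERED_COLUMNS = {("asnad", "sanadno"), ("pasandaz", "code")}
DROPPED_TABLES = {"a_sellers", "person", "kalamast"}
# Assumed (constructed) log layout: "<date> <time> db=<name> user=<login> stmt=<SQL>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) db=(?P<db>\S+) user=(?P<user>\S+) stmt=(?P<stmt>.+)$")
UPDATE_RE = re.compile(r"^\s*UPDATE\s+\[?(?P<table>\w+)\]?\s+SET\s+(?P<assign>.+?)(\s+WHERE\b|$)", re.I | re.S)
DROP_RE = re.compile(r"^\s*DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?\[?(?P<table>\w+)\]?", re.I)
ASSIGN_RE = re.compile(r"(\w+|\[[^\]]+\])\s*=")  # column on the left of each SET assignment

def inspect_statement(db: str, stmt: str) -> Optional[str]:
    """Return a reason if stmt matches the sabotage pattern described, else None."""
    if db.lower() not in TARGET_DATABASES:
        return None
    m = DROP_RE.match(stmt)
    if m and m["table"].lower() in DROPPED_TABLES:
        return f"DROP TABLE of watched table {m['table']}"
    m = UPDATE_RE.match(stmt)
    if m:
        table = m["table"].lower()
        cols = [c.strip("[]") for c in ASSIGN_RE.findall(m["assign"])]
        hit = [c for c in cols if (table, c.lower()) in TAMPERED_COLUMNS]
        if hit:
            return f"UPDATE of watched column {m['table']}.{hit[0]}"
    return None

def scan_log(lines):
    """Return (timestamp, db, user, reason) for each suspicious line; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            reason = inspect_statement(m["db"], m["stmt"])
            if reason:
                alerts.append((m["ts"], m["db"], m["user"], reason))
    return alerts

# Constructed sample: lines 2-4 reproduce the described behaviour; lines 1 and 5 are benign.
SAMPLE_LOG = [
    "2012-11-22 09:01:10 db=inventory user=app stmt=DROP TABLE person",
    "2012-11-22 09:03:51 db=maliran user=svc stmt=UPDATE Asnad SET SanadNo = 48213 WHERE Id = 5",
    "2012-11-22 09:03:52 db=shahd user=svc stmt=UPDATE [Pasandaz] SET [Code] = 91, Note = 'q' WHERE Id = 2",
    "2012-11-22 09:03:53 db=alim user=svc stmt=DROP TABLE A_Sellers",
    "2012-11-22 09:04:00 db=alim user=app stmt=UPDATE Asnad SET Title = 'ok' WHERE Id = 9",
]
if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```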

“Unless appropriate backups are in place, the affected database will be difficult to restore,” Symantec warned in a Thanksgiving Day blog post. “The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
