Uncovering a SQL Server Job That Hid a Persistent Malware Loader

This article details a multi‑stage, file‑less attack that leveraged weak SQL Server credentials, Transact‑SQL stored procedures, and WMI to download and execute a downloader (cabs.exe) which fetched multiple botnet components, and explains the forensic steps and remediation measures taken to eradicate the threat.


Background Overview

DeepSecurity's security team recently detected a file‑less intrusion that bypassed antivirus solutions. Compromised hosts were infected with various botnet trojans such as Mykings, Mirai, and Dark Cloud, as well as cryptomining payloads. The attackers first cracked weak SQL Server passwords, then used Transact‑SQL to store and compile malicious C# code, which was executed via a scheduled MSSQL job.

Investigation Process

Initial host analysis revealed malicious WMI scripts that downloaded and executed files locally. Registry inspection uncovered a suspicious startup entry BGClients pointing to c:\windows\system32\wbem\123.bat. The batch file created hidden directories and invoked RegSvr32/Scrobj.dll to run a remote SCT script. Additional malicious executables with a .dvr extension were found, containing commands to fetch further payloads.

Despite deleting the identified artifacts, the infection resurfaced, prompting deeper log analysis. Monitoring logs showed two suspicious cmd executions by the database process around 4 PM, suggesting malicious SQL Agent jobs.

Database Job Analysis

Review of SQL Server Agent jobs uncovered numerous obscure scheduled tasks. One job executed a stored procedure that ultimately invoked an ExecCode object. Examination of sys.assembly_files revealed the embedded DLL content beginning with the PE header "4D5A", confirming the presence of the malicious payload.

Further inspection of the stored procedure showed it called ExecCode, which in turn downloaded a file named cabs.exe. This downloader retrieved additional malicious modules (Mykings, Mirai, Dark Cloud, mining tools) from remote URLs.
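The job review described above can be reproduced with system catalog queries. The following T-SQL is an added example written for this summary, not a script from the original report or from DeepSecurity; it assumes sysadmin rights, that the assembly and module checks are run inside each user database (sys.assemblies is per-database), and it uses the name ExecCode only because the article mentions it.

```sql
-- Added example (not from the original report): hunting for the pattern described above.
-- Assumptions: sysadmin on the instance; steps 4 and 5 are run per user database (USE <db>).

-- 1. Every Agent job with its steps and the command text each step runs.
SELECT j.name AS job_name, j.enabled, j.date_created, j.date_modified,
       s.step_id, s.subsystem, s.database_name, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
ORDER BY j.date_created DESC;

-- 2. Job outcomes in a time window (here 15:50 to 16:10, run_time is HHMMSS as an int),
--    to tie job runs to the cmd executions seen in the monitoring logs.
SELECT j.name AS job_name, h.run_date, h.run_time, h.run_status, h.message
FROM msdb.dbo.sysjobhistory AS h
JOIN msdb.dbo.sysjobs AS j ON j.job_id = h.job_id
WHERE h.step_id = 0                       -- job-level outcome row
  AND h.run_time BETWEEN 155000 AND 161000
ORDER BY h.run_date DESC, h.run_time DESC;

-- 3. Is the CLR / command-execution surface enabled at all?
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'clr strict security', 'xp_cmdshell', 'Ole Automation Procedures');

-- 4. User-defined assemblies whose stored file begins with the PE header 'MZ' (0x4D5A).
SELECT a.name AS assembly_name, a.permission_set_desc, a.create_date, a.clr_name,
       f.name AS file_name, DATALENGTH(f.content) AS size_bytes,
       CONVERT(varchar(8), SUBSTRING(f.content, 1, 4), 2) AS first_bytes_hex
FROM sys.assemblies AS a
JOIN sys.assembly_files AS f ON f.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1
  AND SUBSTRING(f.content, 1, 2) = 0x4D5A;

-- 5. CLR procedures/functions that map to those assemblies, and T-SQL modules that call them.
SELECT o.name AS clr_object, o.type_desc, a.name AS assembly_name,
       m.assembly_class, m.assembly_method
FROM sys.assembly_modules AS m
JOIN sys.objects    AS o ON o.object_id   = m.object_id
JOIN sys.assemblies AS a ON a.assembly_id = m.assembly_id;

SELECT OBJECT_NAME(sm.object_id) AS caller, sm.definition
FROM sys.sql_modules AS sm
WHERE sm.definition LIKE '%ExecCode%';    -- name taken from the article; substitute what query 5 returned
```

Query 4 is the catalog equivalent of the "4D5A" check the investigators made in sys.assembly_files; query 5 then walks from the assembly to the CLR object and to any T-SQL wrapper procedure, which is the chain a job step would call. Export the content column before any cleanup so the DLL survives for analysis.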

Malware File Analysis

The extracted DLL was a C#‑compiled library containing a MyDownloadFile method. This method fetched a configuration file from a hard‑coded URL, which listed two download links and their target paths. One link pointed to an obsolete ok.exe, while the other referenced ups.rar, identified as the cabs.exe downloader.

The cabs.exe binary functions as a multi‑stage downloader, pulling various malicious components onto the compromised host and executing them.

Remediation Steps

Delete all malicious SQL Server Agent jobs and associated stored procedures.

Remove identified malicious files, WMI scripts, and registry entries from the host (see detailed table in original report).

Enforce strong, complex passwords for SQL Server instances.

Deploy the vendor‑provided anti‑bot detection tool to scan and clean remaining artifacts.

After applying these measures, the infection was fully eradicated.
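Remediation steps 1 and 3 above translate to the following T-SQL. This is an added example for this summary, not the commands used in the original investigation; the angle-bracket names are placeholders to be replaced with what the job and assembly review returned, and ExecCode is used only because the article names it.

```sql
-- Added example (not from the original report): removing the job chain and hardening logins.
-- Placeholders: <job_name>, <wrapper_proc>, <assembly_name>, <new long random password>.

-- Preserve evidence before removal: export the assembly bytes from this result set.
SELECT a.name, f.name AS file_name, f.content
FROM sys.assemblies AS a
JOIN sys.assembly_files AS f ON f.assembly_id = a.assembly_id
WHERE a.name = N'<assembly_name>';

-- Step 1: delete the Agent job, then the procedures, then the assembly.
-- Order matters: an assembly cannot be dropped while a module still references it.
EXEC msdb.dbo.sp_delete_job @job_name = N'<job_name>', @delete_unused_schedule = 1;
DROP PROCEDURE IF EXISTS dbo.<wrapper_proc>;   -- T-SQL procedure the job step executed
DROP PROCEDURE IF EXISTS dbo.ExecCode;         -- CLR entry point named in the article
DROP ASSEMBLY  IF EXISTS [<assembly_name>];

-- Turn off the execution surface if no legitimate workload needs it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'clr enabled', 0;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- Step 3: rotate the cracked credential and enforce Windows password policy on SQL logins.
ALTER LOGIN [sa] WITH PASSWORD = N'<new long random password>',
                      CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
-- Where Windows authentication covers administration, disable sa outright.
ALTER LOGIN [sa] DISABLE;

-- Confirm nothing is left: both queries should return no rows.
SELECT name FROM msdb.dbo.sysjobs WHERE name = N'<job_name>';
SELECT name FROM sys.assemblies WHERE is_user_defined = 1;
```

Run the assembly statements in the database that held the assembly. Rotate every SQL login that was reachable from the compromised instance, not only sa, since the initial access was a cracked password.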

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: incident response, information security, malware, SQL Server, stored procedure, WMI
Written by ITPUB

Official ITPUB account sharing technical insights, community news, and exciting events.