New WhiteShadow Downloader uses Microsoft SQL to Retrieve Malware


Microsoft Office macros that collectively act as a staged downloader use Microsoft SQL queries to retrieve malicious payloads, Proofpoint security researchers report.

WhiteShadow was first identified in August 2019, when the downloader was delivering a variant of the Crimson Remote Access Trojan (RAT). Since then, its detection evasion and basic obfuscation features have evolved.


Microsoft Word and Excel files are attached to malicious messages. When the macro is enabled, it runs SQL queries against attacker-controlled Microsoft SQL Server databases, where the malware is stored as long ASCII-encoded strings, according to the researchers.

The macro retrieves the string and writes it to disk as a PKZip archive of a Windows executable, which is then extracted and executed to install the malicious payload.

Proofpoint reports that there is no evidence linking the current malware delivery to the original WhiteShadow campaigns that dropped the Crimson RAT, a piece of malware that has historically been linked to certain threat actors.

The WhiteShadow downloader, the researchers say, appears to be part of a malware delivery service that includes a rented Microsoft SQL Server instance to host payloads.

WhiteShadow uses a SQLOLEDB connector to connect to a remote Microsoft SQL Server instance, run a query, and save the result to a file as a zipped executable.

The SQLOLEDB connector is an installable database connector from Microsoft, but it is included by default in many (if not all) Microsoft Office installations. Once the connector is installed on the system, it can be used by multiple components of the Windows subsystem and by Visual Basic scripts, including macros in Microsoft Office files. We noticed several malware strains downloaded by WhiteShadow in this way:

  • Agent Tesla
  • AZORult
  • Crimson
  • Nanocore
  • njRat
  • Orion Logger
  • Remcos
  • Formbook

The malware infection occurs in the following sequence:

  • A user enables macros in a document or spreadsheet
  • The macro reaches out to a Microsoft SQL server and pulls an ASCII string from the ‘Byte_data’ column in the database table specified by a hardcoded ‘Id_No’ in the macro
  • The macro ‘decodes’ the ASCII string and writes the data to a file in binary mode
    • Pseudo Format: <byte><separator><byte><separator><byte>….
  • The file type of the decoded files has always been a ZIP to date, with a single executable inside
  • The macro will then extract the executable from the ZIP and run it.
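
The decoding step in the sequence above can be reproduced to triage a string recovered from a packet capture or sandbox run, without extracting or running anything. This is an added example, not code from Proofpoint or the original article; it assumes decimal byte values and a non-digit separator (the article gives only the pseudo format), and the function names and sample input are constructed for illustration.

```python
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that starts a non-empty ZIP

def decode_byte_string(text):
    """Decode '<byte><separator><byte>...' into raw bytes.

    Assumption: each byte is a decimal number 0-255 and the separator is
    any run of non-digit characters (the article names neither).
    """
    values = [int(t) for t in re.findall(r"\d+", text)]
    if not values or any(v > 255 for v in values):
        raise ValueError("not a decimal byte string")
    return bytes(values)

def triage(text):
    """Classify a captured string; nothing is extracted or executed."""
    try:
        raw = decode_byte_string(text)
    except ValueError as exc:
        return {"verdict": "undecodable", "reason": str(exc)}
    if not raw.startswith(ZIP_MAGIC):
        return {"verdict": "decoded-not-zip", "size": len(raw)}
    try:
        with zipfile.ZipFile(io.BytesIO(raw)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"verdict": "corrupt-zip", "size": len(raw)}
    exes = [n for n in names if n.lower().endswith((".exe", ".scr", ".com"))]
    # Pattern described in the article: a ZIP holding exactly one executable.
    match = len(names) == 1 and len(exes) == 1
    return {"verdict": "matches-pattern" if match else "zip-other",
            "size": len(raw), "entries": names}

def build_constructed_sample(separator="!"):
    """Constructed, harmless input: a ZIP with one text-filled 'demo.exe'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo.exe", b"constructed placeholder, not a program")
    return separator.join(str(b) for b in buf.getvalue())

if __name__ == "__main__":
    print(triage(build_constructed_sample()))
    print(triage("77!90!144"))  # decodes, but is not a ZIP
```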

Illustration of WhiteShadow downloader and malware infection sequence.

The use of MSSQL queries to retrieve next-stage payloads is not a new technique, but it is an uncommon one, the researchers point out.

However, the most significant aspect of the WhiteShadow discovery is that it appears to be a new malware delivery service that can be used by a multitude of threat actors.

“Organizations need to be aware of the incoming and outgoing malicious email traffic in TCP port 1433 that should now be blocked or at least limited in contemporary ACL firewall settings. These campaigns are currently comparatively tiny, with hundreds and thousands of message volumes, but we continue to monitor related trends,” Proofpoint concludes.



Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.