SQLRat is a remote access trojan (RAT) targeting Windows devices created by the advanced persistent threat group, FIN7. They has been active since at least 2015. This trojan is distributed via malicious attachments in phishing emails and can achieve a full compromise of an affected device.
The RAT is embedded within a Visual Basic script, requiring users to enable macros in order to start the infection process. Two task scheduler entries are created to maintain persistence on the infected machine.
When executed the RAT connects to a FIN7-owned Microsoft database to retrieve malicious scripts contained in various SQL tables. One of these scripts is an open source Meterpreter post-exploitation tool, which can maintain a connection between FIN7 and an infected device. This type of attack has not been seen before in Fin7 code.
Indicators of Compromise
SHA256 File Hashes