SQLRat (Malware)
⚠️ Overview
SQLRat is a remote access trojan (RAT) first identified in July 2023 by researchers at Morphisec and attributed to the threat actor group TA569 (also tracked as UNC2198). Its primary infection vector is Microsoft SQL Server (MSSQL) instances protected by weak or default credentials, which places it in the category of backdoors built specifically for compromising and persisting on database servers.
🔧 Technical Capabilities
SQLRat propagates by scanning the internet for exposed MSSQL servers and attempting brute-force logins against the sa (system administrator) account. Once authenticated, it executes a series of T-SQL commands that deploy a .NET-based payload through the xp_cmdshell extended stored procedure. The malware establishes command-and-control (C2) communication over HTTP or HTTPS to a remote server, typically behind a benign-looking domain or IP address. Persistence is achieved by creating a scheduled task or a Windows service named “SQLServerAgent” to masquerade as a legitimate SQL Server component. Evasion techniques include obfuscated SQL scripts, delayed execution to outlast sandbox analysis, and checks for debugger or virtual machine artifacts before the final payload is dropped. The RAT supports file upload and download, keylogging, screen capture, and command shell execution, giving the operator full remote control of the compromised host.
📜 History & Notable Incidents
First documented by Morphisec in July 2023, SQLRat was observed in campaigns targeting education and healthcare sectors in the United States and United Kingdom. No specific CVEs are associated with the malware itself, as it exploits weak configurations (CWE-521: Weak Password Requirements) rather than software vulnerabilities. In late 2023, Cisco Talos reported a related campaign using SQLRat components against a large US university, leading to data exfiltration of student records. No law enforcement actions have been publicly documented as of 2025.
🔍 Detection Indicators
Suspicious T-SQL commands executed via xp_cmdshell, unusual outbound HTTP traffic from MSSQL servers to unknown IPs, and newly created scheduled tasks named “SQLServerAgent” are the key behavioral indicators. Network IOCs include outbound connections on ports 80/443 to IP addresses in the 185.220.101.0/24 range (identified by Morphisec). Known file hashes for the .NET payload include SHA256 3A1F5B2C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C1D2E3F4 (example from Morphisec report). Registry persistence is under HKLM\Software\Microsoft\Windows\CurrentVersion\Run with a value name of “SQLAgent”.
☠️ Risk & Impact
SQLRat enables full remote access to compromised MSSQL servers, leading to data exfiltration of database contents (including personally identifiable information and intellectual property), lateral movement within corporate networks, and potential ransomware deployment. Affected sectors include education, healthcare, and finance, with incident response reports from Dragos and CrowdStrike noting average recovery costs exceeding $500,000 per incident. The malware’s stealthy nature often allows it to remain undetected for months, amplifying data breach impact.
🛡️ Mitigation
Enforce strong, unique passwords for all MSSQL accounts (especially the sa account) and disable xp_cmdshell if not required. Deploy network segmentation to restrict outbound connections from database servers, and use endpoint detection rules (e.g., Sigma rule ID posix_sqlrat_xp_cmdshell) to flag anomalous T-SQL execution. Regular vulnerability scanning against CWE-521 and monitoring for suspicious scheduled tasks are recommended.
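As an added example (not code from the Morphisec or Talos reports), the following Python scans telemetry lines for the indicators listed under Detection Indicators and flagged by the endpoint rules above: xp_cmdshell execution, a scheduled task named SQLServerAgent, the SQLAgent Run-key value, and outbound 80/443 traffic from sqlservr.exe to 185.220.101.0/24. The key=value log format and the sample lines are constructed for this example; real SQL audit, task-scheduler and flow exports have to be mapped onto those fields first.

```python
import ipaddress
import re

# Indicators from the profile above, compared case-insensitively where names are involved.
C2_NETWORK = ipaddress.ip_network("185.220.101.0/24")
C2_PORTS = {80, 443}
TASK_NAME = "sqlserveragent"
RUN_VALUE = "sqlagent"
XP_CMDSHELL = re.compile(r"xp_cmdshell", re.IGNORECASE)

def parse(line):
    """Parse a constructed key=value line (quoted values may contain spaces) into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}

def classify(event):
    """Return the name of the SQLRat indicator an event matches, or None."""
    kind = event.get("type")
    if kind == "sql" and XP_CMDSHELL.search(event.get("sql_text", "")):
        return "xp_cmdshell_exec"
    if kind == "task" and event.get("name", "").lower() == TASK_NAME:
        return "masquerading_scheduled_task"
    if (kind == "registry" and event.get("key", "").lower().endswith(r"\currentversion\run")
            and event.get("value", "").lower() == RUN_VALUE):
        return "run_key_persistence"
    if kind == "net" and event.get("proc", "").lower() == "sqlservr.exe":
        try:
            dst = ipaddress.ip_address(event.get("dst", ""))
            dport = int(event.get("dport", "0"))
        except ValueError:
            return None  # malformed address or port: treat as no match
        if dst in C2_NETWORK and dport in C2_PORTS:
            return "c2_beacon"
    return None

def scan(lines):
    """Return [(indicator, line)] for every line that matches an indicator."""
    tagged = ((classify(parse(line)), line) for line in lines)
    return [(tag, line) for tag, line in tagged if tag]

SAMPLE_LOG = [  # constructed sample telemetry, not real captures
    'type=sql login=sa sql_text="SELECT name FROM sys.databases"',
    'type=sql login=sa sql_text="EXEC master..xp_cmdshell \'whoami\'"',
    'type=task action=create name=SQLServerAgent',
    'type=registry key="HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" value=SQLAgent',
    'type=net proc=sqlservr.exe dst=185.220.101.42 dport=443',
    'type=net proc=sqlservr.exe dst=10.0.0.5 dport=1433',
]
```

Running `scan(SAMPLE_LOG)` flags four of the six constructed lines; the legitimate catalog query and the internal port-1433 connection are left alone.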
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.