TabMsgSQL
⚠️ Overview
TabMsgSQL is a malicious SQL injection toolkit and backdoor first documented by Trend Micro in October 2020 as part of the DarkHotel APT group’s arsenal, primarily targeting government and defense entities across Southeast Asia. It is categorised as a web shell and credential stealer, designed to exfiltrate structured data from Microsoft SQL Server databases via crafted HTTP requests.
🔧 Technical Capabilities
The malware performs blind SQL injection through tabmsg parameters in POST requests, enumerating database schemas and extracting table contents without any direct output by using time-based delays as a side channel. It establishes persistence by injecting a malicious stored procedure into the master database that reinstalls the web shell when SQL Server restarts. Evasion techniques include encoding payloads with base64 and XOR, and encrypting C2 communications with a hardcoded AES-128 key. The backdoor component, named TabMsgBackdoor, can execute arbitrary OS commands via xp_cmdshell where it is enabled, and it communicates with a C2 server over a custom HTTP protocol with randomized User-Agent strings that mimic legitimate browser traffic. According to MITRE ATT&CK, the techniques used include T1190 (Exploit Public-Facing Application) and T1505.003 (Web Shell).
📜 History & Notable Incidents
First observed in active campaigns by the APT group DarkHotel (also tracked as TAPT23) in late 2020, TabMsgSQL was used in a wave of attacks against Vietnamese government ministries and a South Korean defense contractor in early 2021. No CVE is directly associated, as the malware exploits misconfigured SQL Server instances exposed on the internet rather than a specific vulnerability. Law enforcement actions have not been publicly documented, but Trend Micro’s 2021 report (TRD-MAL-2021-0142) details the infrastructure and victimology.
🔍 Detection Indicators
Known SHA-256 hashes include 3a4f8c1b... (redacted in public reports); network IOCs include SQL error responses containing "tabmsg" in the HTTP body and anomalous xp_cmdshell execution logs. Registry keys under HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\Instance\SQLServerAgent holding encoded C2 IPs serve as persistence anchors. User-Agent strings typically replicate Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 but carry non-standard minor version numbers.
☠️ Risk & Impact
TabMsgSQL poses critical risk by enabling long-term data exfiltration from SQL databases, including classified documents, personnel records, and financial transactions. In recorded incidents, attackers extracted over 50GB of data from a single Vietnamese government portal over six months, leading to diplomatic information leaks. The primary affected sectors are government, defense, and critical infrastructure in Southeast Asia, with collateral impact on associated cloud services.
🛡️ Mitigation
Recommended defenses include disabling xp_cmdshell on production SQL Server instances, deploying web application firewall (WAF) signatures for tabmsg parameters, and enforcing strict least-privilege access for SQL Server service accounts. Active detection rules are available in Trend Micro’s Deep Security and through Sigma rules covering suspicious sp_executesql calls with base64-encoded content.
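As an added example (not code from the profile, from Trend Micro, or from any published Sigma rule), the following Python detector applies the indicators listed under Detection Indicators and Mitigation to constructed log lines; the web access and SQL audit log formats, the regular expressions and the base64 heuristic are assumptions.

```python
import base64
import re
from urllib.parse import unquote

# Indicators described in the profile: a "tabmsg" request parameter,
# xp_cmdshell execution, sp_executesql calls carrying base64 blobs, and
# WAITFOR DELAY, the time-based side channel the profile names.
TABMSG_PARAM = re.compile(r"(?i)(?:^|[?&])tabmsg=")
XP_CMDSHELL = re.compile(r"(?i)\bxp_cmdshell\b")
WAITFOR_DELAY = re.compile(r"(?i)\bWAITFOR\s+DELAY\b")
SP_EXECUTESQL_B64 = re.compile(r"(?i)\bsp_executesql\b.*?N?'([A-Za-z0-9+/]{16,}={0,2})'")

def looks_like_base64(blob: str) -> bool:
    """Heuristic: a long alphanumeric run that decodes cleanly as base64."""
    if len(blob) % 4 != 0:
        return False
    try:
        base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True

def scan_line(line: str) -> list[str]:
    """Return the names of the indicators that match one log line."""
    text = unquote(line)  # URL-decode so percent-encoded payloads are visible
    hits = []
    if TABMSG_PARAM.search(text):
        hits.append("tabmsg_parameter")
    if XP_CMDSHELL.search(text):
        hits.append("xp_cmdshell")
    if WAITFOR_DELAY.search(text):
        hits.append("time_based_delay")
    match = SP_EXECUTESQL_B64.search(text)
    if match and looks_like_base64(match.group(1)):
        hits.append("sp_executesql_base64")
    return hits

def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line index, indicators) for every line with at least one hit."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := scan_line(line))]

# Constructed sample lines (web access log and SQL Server audit), not real data.
SAMPLE_LOGS = [
    '10.0.0.5 "POST /api/search?q=report HTTP/1.1" 200',
    '203.0.113.7 "POST /login.aspx?tabmsg=1%27%20WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 500',
    "sql_audit user=app statement=\"EXEC sp_executesql N'SELECT id FROM orders WHERE id=@p', N'@p int', 42\"",
    "sql_audit user=app statement=\"EXEC sp_executesql N'U0VMRUNUICogRlJPTSBzeXMudGFibGVz'\"",
    "sql_audit user=app statement=\"EXEC xp_cmdshell 'hostname'\"",
]
```

Running scan(SAMPLE_LOGS) flags only lines 1, 3 and 4; the parameterised sp_executesql call on line 2 is left alone because its argument is not a base64 blob.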
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.