Security firm Huntress has detailed a June intrusion that shows how much damage a single unvalidated web form can cause. Attackers broke into a technology company's server through a SQL injection flaw, then spent their time inside methodically taking the machine apart: they disabled its antivirus, created a hidden administrator account, planted malicious web-server modules, and quietly set a cryptocurrency miner running. Huntress said the sheer breadth of changes to one endpoint was what set the case apart.
The break-in, first flagged by the Huntress security operations center on June 26, started not with a stolen password but with sloppy input handling on a public web page. Because the site did not properly validate what users typed in, the attacker was able to smuggle database commands through it, a classic technique known as SQL injection, and reach the Microsoft SQL Server running behind it. From there the SQL service (sqlservr.exe) was used to run commands directly on the underlying Windows host, which also happened to be running Microsoft's IIS web server.
How the attack unfolded
With a foothold established, the intruder ran base64-encoded PowerShell to pull down further scripts and used the built-in tasklist /svc command to inventory running services, shipping the output to an attacker-controlled address at hxxp://334thribetlhkyo977gqrcht1k7bvdj2[.]oastify[.]com. To guarantee a way back in, the attacker turned on Remote Desktop, created a new local administrator called adminweb2$, and logged in through it. They then switched off Windows Defender, though notably they left other endpoint monitoring untouched.
The attacker next used the legitimate Windows tool appcmd.exe to install BadIIS modules (HttpFastCgiModule.dll and HttpCgiModule.dll). As Cisco Talos has documented, BadIIS is a family of rogue IIS modules used for large-scale search-engine-optimization fraud, hijacking traffic, injecting links, and acting as a covert proxy. Alongside it, the attacker dropped the XMRig cryptocurrency miner, hid its files (edge.exe and Taskgmr.ps1) inside a fake Microsoft Edge update folder using attrib.exe, and made the miner survive reboots with nssm.exe, a free utility for turning any program into a Windows service. A tool called CnCrypt Protect was added to further frustrate analysis.
The downloaded scripts carried a jokey naming theme (qdcjoke1.2.ps1, qd_tjoke.bat) and were staged from a cloud storage bucket at pub-c4c8e8c336c3429d97195076bf3bb6eb.r2[.]dev. The behavior echoes other recent cases where intruders disable Windows Defender and settle in after a web-app break-in, and the mining payoff mirrors campaigns that hijack exposed servers purely to mine cryptocurrency.
Indicators of compromise
- Exfiltration endpoint: hxxp://334thribetlhkyo977gqrcht1k7bvdj2[.]oastify[.]com
- Staging bucket identifier: c4c8e8c336c3429d97195076bf3bb6eb (pub-c4c8e8c336c3429d97195076bf3bb6eb.r2[.]dev)
- Rogue local administrator account: adminweb2$
- Hidden miner files: edge.exe and Taskgmr.ps1, inside the EdgeUpdate directory
What you should do
The root cause here was a web application that trusted user input, so the first fix is parameterized queries and strict input validation on any internet-facing form. Huntress, whose Stephanie Fairless contributed to the investigation, stressed that finding the original entry point matters as much as the cleanup: had the SQL injection hole been left open, the attacker could simply walk back in even after every dropped file was removed. Defenders should also watch for suddenly created local administrators, unexpected Remote Desktop activation, appcmd.exe installing unfamiliar IIS modules, and Windows Defender being switched off. You can read the original Huntress report for the full timeline.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.