The China-linked Winnti Group has developed a new backdoor that lets it compromise Microsoft SQL (MSSQL) servers and maintain a discreet foothold inside compromised organizations. According to researchers from cybersecurity firm ESET, who spotted the new malware strain, the backdoor, dubbed skip-2.0 by its creators, bears multiple similarities to other tools in the group’s arsenal, such as the PortReuse and ShadowPad backdoors.
PortReuse is a modular Windows backdoor that was previously used by the Winnti cyberespionage group in attacks against a high-profile Asian mobile software and hardware manufacturer. The ShadowPad backdoor is a modular platform that can be used to download and execute arbitrary code on the infected system, create processes, and maintain a virtual file system in the registry.
Winnti Group is a collective name for several Chinese state-backed hacking groups (tracked as Blackfly and Suckfly by Symantec, Wicked Panda by CrowdStrike, BARIUM by Microsoft, and APT41 by FireEye) that share the same malicious tools.
While analyzing the VMProtected launchers used in previous Winnti campaigns to launch the ShadowPad and PortReuse malware, the researchers discovered the new skip-2.0 backdoor, which uses the same VMProtected launcher and custom packer.
“This backdoor allows the attacker not only to gain persistence in the victim's MSSQL Server through the use of a special password, but also to remain undetected thanks to the multiple log and event publishing mechanisms that are disabled when that password is used,” ESET explained.
With the help of skip-2.0, the hackers can backdoor MSSQL Server 11 and 12, gain access to any MSSQL account, and copy, delete or modify database content for various purposes, for example to manipulate in-game currencies for financial gain. skip-2.0 is the first MSSQL Server backdoor to be documented publicly, and while MSSQL Server 11 and 12 are not the most recent versions (released in 2012 and 2014, respectively), they are the most commonly used ones, the researchers noted.
Once dropped on an already compromised MSSQL server, skip-2.0 injects its malicious code into the sqlserv.exe process via sqllang.dll, hooking multiple functions used for logging and authentication. The hooking procedure is similar to the one used by NetAgent, the PortReuse module responsible for installing the networking hook. This technique lets the malware bypass the server's built-in authentication mechanism and gives its operators a way to log in using a "magic password". If the "magic password" is entered in any user authentication session, the user is automatically granted access, while normal logging and audit functions are prevented from executing.
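As an added example (not ESET's code or anything from their report), one defender-side check for the logging gap described above: sessions that exist on the server but never produced a login audit event. The record layouts and field names are constructed assumptions, not a real product's schema; because the hook suppresses the host's own audit trail, the session list is best taken from a vantage point the host cannot tamper with, such as a network sensor recording completed TDS logins.

```python
"""Added example: flag MSSQL sessions with no matching login-audit record.
skip-2.0 hooks the functions that log authentication, so a "magic password"
login leaves an active session but no audit event.  Comparing an independent
view of sessions against the audit trail exposes that gap."""
from datetime import datetime, timedelta

# Constructed: sessions observed on the server (e.g. a sys.dm_exec_sessions
# snapshot, or better, a network sensor's list of completed TDS logins).
OBSERVED_SESSIONS = [
    {"session_id": 51, "login": "app_svc", "host": "10.0.5.20", "login_time": "2019-10-21T08:00:03"},
    {"session_id": 52, "login": "sa",      "host": "10.0.9.77", "login_time": "2019-10-21T08:14:41"},
    {"session_id": 53, "login": "report",  "host": "10.0.5.21", "login_time": "2019-10-21T08:15:10"},
]

# Constructed: successful-login audit records (SQL Server audit / errorlog).
# Note there is no record for session 52: its login was never logged.
AUDIT_LOGINS = [
    {"login": "app_svc", "host": "10.0.5.20", "time": "2019-10-21T08:00:03"},
    {"login": "report",  "host": "10.0.5.21", "time": "2019-10-21T08:15:09"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def unaudited_sessions(sessions, audits, tolerance_s=5):
    """Return the sessions that have no audit record for the same login and
    host within tolerance_s seconds of the session's login time.  Each audit
    record is consumed at most once, so two unlogged sessions cannot both
    hide behind a single legitimate event."""
    unused = list(audits)
    missing = []
    for s in sessions:
        t = _ts(s["login_time"])
        match = next((a for a in unused
                      if a["login"] == s["login"] and a["host"] == s["host"]
                      and abs(_ts(a["time"]) - t) <= timedelta(seconds=tolerance_s)),
                     None)
        if match is None:
            missing.append(s)
        else:
            unused.remove(match)
    return missing

if __name__ == "__main__":
    for s in unaudited_sessions(OBSERVED_SESSIONS, AUDIT_LOGINS):
        print(f"session {s['session_id']}: '{s['login']}' from {s['host']} "
              f"at {s['login_time']} has no login audit record")
```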
"We tested skip-2.0 against multiple MSSQL Server versions and found that we were able to log in successfully using the special password only with MSSQL Server 11 and 12," the researchers said.
They also noted that administrative privileges are required to install the hooks, meaning that skip-2.0 can be deployed only on already compromised MSSQL servers, where it serves to achieve persistence.