
Winnti Group Uses New Malware to Exploit MSSQL Servers and Maintain Persistence

  • The malware creates a backdoor mechanism that lets attackers connect to any account using a "magic password".
  • The backdoor, which only works with MSSQL v12 and v11 servers, has links to the Winnti Group/APT41 arsenal.

Chinese cyberspies have developed a piece of malware named "skip-2.0" that alters Microsoft SQL Server (MSSQL) databases and deploys a backdoor as a post-infection tool, after compromising networks through other methods.

How it works

According to ESET, the backdoor modifies MSSQL functions that handle authentication. The aim is to generate a so-called "magic password."

  • When the "magic password" is entered in any user authentication session, the user is automatically granted access.
  • The malware then prevents the normal logging and audit functions from executing, effectively creating a ghost session inside the server.
  • Because sessions opened with the "magic password" never appear in the database's connection logs, the attackers remain undetected even if administrators suspect wrongdoing.

According to ESET, skip-2.0 only works with MSSQL v12 and v11 servers.
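The defensive consequence of the behaviour above is that a session opened with the "magic password" exists in the server's session list but never produced a login record. The following is an added example, not code from the original article or from ESET, of the cross-check a defender can run: compare active sessions against an independently stored login audit trail and flag any session with no matching login event. The session and audit data are constructed; in practice they would come from sys.dm_exec_sessions and from an audit log shipped off the host, since the malware suppresses the server's own logging.

```python
"""Flag 'ghost' MSSQL sessions: active sessions with no audited login.

Constructed example. `SESSIONS` stands in for rows from
sys.dm_exec_sessions (session_id, login_name, login_time) and
`AUDIT_LOGINS` for successful-login events (login_name, event_time)
taken from an audit store the database server cannot tamper with.
"""
from datetime import datetime, timedelta

# Constructed snapshot of active sessions on the server.
SESSIONS = [
    (51, "app_svc",   datetime(2019, 10, 21, 9, 0, 5)),
    (52, "sa",        datetime(2019, 10, 21, 9, 2, 10)),  # no audit record
    (53, "report_ro", datetime(2019, 10, 21, 9, 3, 30)),
]

# Constructed audited logins; note there is none for session 52.
AUDIT_LOGINS = [
    ("app_svc",   datetime(2019, 10, 21, 9, 0, 5)),
    ("report_ro", datetime(2019, 10, 21, 9, 3, 29)),
]


def find_ghost_sessions(sessions, audit_logins, tolerance=timedelta(seconds=5)):
    """Return the ids of sessions whose login_time has no audited login
    for the same login_name within `tolerance`.

    The audit event and the session's recorded login_time are written by
    different components and can differ by a little, so a small window
    on either side is allowed instead of requiring an exact match.
    """
    ghosts = []
    for session_id, login_name, login_time in sessions:
        matched = any(
            name == login_name and abs(event_time - login_time) <= tolerance
            for name, event_time in audit_logins
        )
        if not matched:
            ghosts.append(session_id)
    return ghosts


if __name__ == "__main__":
    # With the constructed data only session 52 lacks a login record.
    print(find_ghost_sessions(SESSIONS, AUDIT_LOGINS))  # [52]
```

A hit from this check is only meaningful when the audit trail is written somewhere the compromised server cannot rewrite; a single missing record on a busy host still warrants inspecting the session's host, program name and the statements it ran.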

"Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported," ESET researchers said, referring to a string of hacks aimed at gaming companies reported earlier this year.

Backdoor Group Connection

The backdoor has been linked to the "Winnti Group," a name ESET uses to describe a Chinese state-sponsored threat group, which FireEye calls APT41. The skip-2.0 code has clues that link it to other Winnti hacking tools, such as the PortReuse and ShadowPad backdoors, said ESET.

PortReuse: A network implant that injects itself into an existing process (so that it can reuse the port that process already listens on) and waits for a specific incoming packet to trigger the malicious code.

ShadowPad: A Windows backdoor trojan capable of downloading and executing additional malware as well as stealing data. It was first seen injected inside apps manufactured by NetSarang, a South Korean software maker, after Chinese hackers breached its infrastructure back in mid-2017.

"Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness," ESET researchers said. However, the ESET team notes that once this hurdle is passed, skip-2.0 can be one of the most powerful tools in Winnti's arsenal.
