Winnti Group Uses New Malware to Exploit MSSQL Servers and Maintain Persistence
- The malware creates a backdoor mechanism that lets hackers connect to any account using a "magic password".
- The backdoor, which only works with MSSQL v12 and v11 servers, has links to the Winnti Group/APT41 arsenal.
Chinese cyberspies have developed a malware titled "skip-2.0" that alters Microsoft SQL Server (MSSQL) databases and deploys a backdoor as a post-infection tool, after compromising networks through other methods.
How it works
According to ESET, the backdoor modifies MSSQL functions that handle authentication. The aim is to generate a so-called "magic password."
- When the "magic password" is entered in any user authentication session, the user is automatically granted access.
- The malware then suppresses the normal logging and audit functions, effectively creating a ghost session inside the server.
- Because sessions opened with the "magic password" are hidden from the database's connection logs every time, hackers remain undetected even if administrators suspect wrongdoing.
According to ESET, skip-2.0 only works with MSSQL v12 and v11 servers.
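A backdoor that suppresses login auditing leaves a gap a defender can hunt for: a client that is clearly connected to the instance but, according to the server's own log, never logged in. The script below is an added illustration, not code from the article or from ESET; the error-log lines and connection list are constructed samples, and the IP addresses and user names are made up.

```python
# Added example: hunt for "ghost sessions" by cross-checking connections seen
# on the host with the logins MSSQL itself recorded in its error log.
import re

# Constructed sample of SQL Server error-log lines (the message format mirrors
# the real "Login succeeded/failed for user" entries); hosts are made up.
ERRORLOG = """\
2019-10-21 10:02:11.52 Logon  Login succeeded for user 'app_svc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
2019-10-21 10:05:40.10 Logon  Login succeeded for user 'sa'. Connection made using Windows authentication. [CLIENT: 10.0.0.7]
2019-10-21 10:06:02.33 Logon  Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

# Constructed sample of established TCP connections to the instance, as a host
# firewall log or netstat capture would show them: (source IP, sport, dport).
CONNECTIONS = [
    ("10.0.0.5", 52110, 1433),
    ("10.0.0.7", 52188, 1433),
    ("10.0.0.8", 52201, 1433),
    ("10.0.0.99", 60234, 1433),   # connected, but the server never audited it
]

# Matches both successful and failed login entries so that a client that
# merely failed authentication is not reported as a ghost.
LOGIN_RE = re.compile(
    r"Login (?:succeeded|failed) for user '(?P<user>[^']+)'"
    r".*?\[CLIENT: (?P<client>[\d.]+)\]"
)

def audited_clients(errorlog: str) -> dict[str, set[str]]:
    """Map client IP -> set of login names the server itself recorded."""
    seen: dict[str, set[str]] = {}
    for line in errorlog.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            seen.setdefault(m["client"], set()).add(m["user"])
    return seen

def ghost_clients(errorlog: str, connections, sql_port: int = 1433) -> list[str]:
    """Clients connected to the SQL port with no audited login attempt at all."""
    audited = audited_clients(errorlog)
    return sorted({src for src, _, dport in connections
                   if dport == sql_port and src not in audited})

if __name__ == "__main__":
    for ip in ghost_clients(ERRORLOG, CONNECTIONS):
        print(f"connected to MSSQL but never audited as logging in: {ip}")
```

This only works when the instance is configured to audit successful logins (the default setting records failed logins only), and a hit is a lead to investigate against the host's process and network state rather than proof of compromise.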
"Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported," ESET researchers said, referring to a string of hacks aimed at gaming companies reported earlier this year.
Backdoor Group Connection
The backdoor has been linked to the "Winnti Group," a name ESET uses to describe a Chinese state-sponsored threat group, which FireEye calls APT41. The skip-2.0 code has clues that link it to other Winnti hacking tools, such as the PortReuse and ShadowPad backdoors, said ESET.
PortReuse: A network implant that injects itself into an existing process (so it can reuse that process's already-open port) and waits for a specific incoming packet to trigger the malicious code.
ShadowPad: A Windows backdoor trojan capable of downloading and executing additional malware as well as stealing data. It was first seen injected inside apps manufactured by NetSarang, a South Korean software maker, after Chinese hackers breached its infrastructure back in mid-2017.
"Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness," ESET researchers said. However, the ESET team notes that once this hurdle is passed, skip-2.0 can be one of the most powerful tools in Winnti's arsenal.