Winnti hacker group uses a new malware dubbed skip-2.0 to attack Microsoft SQL Servers and to gain persistence access. Winnti group believed to be operating from China and the group active at least from 2012 and responsible for high-profile supply-chain against Gaming studios and Software companies.
ESET Security researchers discovered a new malware strain skip.2-0 along with Winnti Group’s known arsenal. The backdoor found to be targeting MSSQL Server 11 and 12.
Microsoft SQL Servers Under Attack
The backdoor let attackers connect with MSSQL servers through magic passwords and automatically hides them from the log. This allows attackers to perform any action on the database content such as stealthily copy, modify or delete database content.
Researchers found similarities between skip.2-0 along with the PortReuse backdoor and ShadowPad versions. As like PortReuse backdoor skip.2-0 also launched through VMProtected launcher that drops the backdoor.
The Winnti Group’s payload is RC5-encrypted and embedded with VMProtected launcher’s overlay, the packer contains Inner-Loader.dll which is used by Winnti Group to inject the backdoor.
The Inner-Loader looks for a process called sqlserv.exe and injects the payload to the process, “after having been injected and launched by Inner-Loader, skip-2.0 first checks whether it is executing within a sqlserv.exe process, then proceeds to find and hook multiple functions from that DLL.”
The malware hooks the sqllang.dll file and alters multiple functions, skip-2.0 primarily targets functions related to authentication and event logging.
“We observed multiple similarities between skip-2.0 and other tools from the Winnti Group’s arsenal. Its VMProtected launcher, custom packer, Inner-Loader injector, and hooking framework are part of the already known toolset of the Winnti Group,” said ESET.
Indicators of Compromise (IoCs)