SecurityWeek

New Winnti Backdoor Targets Microsoft SQL

A recently identified backdoor used by the China-linked Winnti hackers to target Microsoft SQL (MSSQL) is very stealthy, ESET’s security researchers say.

Active since at least 2009, the group has been observed targeting industries such as aviation, gaming, pharmaceuticals, technology, telecommunication, and software development, for cyber-espionage purposes.

The newly detailed malware, ESET says, allows the attackers to maintain a very discreet foothold within a compromised environment, and features many similarities with PortReuse, a backdoor that ESET exposed last week.

Designed to target MSSQL Server 11 and 12 — the most commonly used versions, despite being deployed over five years ago — the backdoor is called skip-2.0 by its authors and can maintain a stealthy connection to any MSSQL account by using a magic password, in addition to hiding the connection from logs.

“Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain,” the security researchers explain.

skip-2.0 was linked to the Winnti Group through the use of the same VMProtected launcher that drops the PortReuse backdoor and the use of the hackers’ custom packer, as well as through various similarities with other samples from the adversary’s toolset.

The security researchers believe that the launcher persists by exploiting a DLL hijacking vulnerability in which the malicious library is loaded by the standard SessionEnv service at startup, as is the case with PortReuse and ShadowPad, another piece of malware associated with the Winnti cyber-spies.

Inner-Loader, an injector already associated with the Winnti Group arsenal, is used to find sqlserv.exe, the process of MSSQL Server, and inject skip-2.0.dll into it.


Next, the backdoor checks whether it is executing within a sqlserv.exe process, then retrieves a handle to sqllang.dll, which is loaded by sqlserv.exe, after which it hooks functions from that DLL. The hooking procedure is very similar to that used in the case of PortReuse.

The skip-2.0 backdoor targets functions related to authentication and event logging, including CPwdPolicyManager::ValidatePwdForLogin, which is responsible for validating the password provided for a given user.

Should the user password match what ESET describes as a “magic password,” the original function is not called and the hook returns 0, thus allowing the connection without the correct password.

“A similar backdooring technique, based on hardcoded passwords, was used with SSH backdoors previously discovered by ESET. The difference here is that skip-2.0 is installed in-memory, while in the case of the SSH backdoors the sshd executable was modified prior to execution,” the security researchers explain.

The malware also uses a series of hooks that allow it not only to gain persistence through the use of a special password, but also to stay undetected, because numerous log and event publishing mechanisms are disabled when that password is used.
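The hooks described above and in the preceding paragraphs overwrite the start of authentication and logging routines inside the loaded sqllang.dll, so one defender-side check is to compare each routine's first bytes in process memory against the same bytes in the module's on-disk image. The following is an added example, not ESET's or SecurityWeek's code: the module range, function address and all byte strings are constructed for illustration, and a production version would read them from the live sqlserv.exe process and the mapped PE file.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed values: a fake sqllang.dll image range and the address of the hooked routine.
MODULE_BASE = 0x7FF8_1000_0000
MODULE_END = MODULE_BASE + 0x0200_0000
VA_VALIDATE = 0x7FF8_1012_3450
# Constructed on-disk prologue with a typical MSVC x64 shape; not the routine's real bytes.
DISK_PROLOGUE = bytes.fromhex("48895C2408574883EC20488BD9488BFA")

@dataclass
class Finding:
    function: str
    hooked: bool
    first_diff: Optional[int]       # offset of first mismatching byte
    stub: Optional[str]             # recognised jump stub, if any
    target: Optional[int]           # resolved jump target, if computable
    outside_module: Optional[bool]  # does the target leave the module's image?

def decode_stub(mem: bytes, va: int):
    """Recognise the two x86-64 jump stubs inline hooks most often plant."""
    if len(mem) >= 5 and mem[0] == 0xE9:                      # jmp rel32
        return "jmp rel32", va + 5 + struct.unpack_from("<i", mem, 1)[0]
    if len(mem) >= 12 and mem[:2] == b"\x48\xB8" and mem[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", mem, 2)[0]
    return None, None                                          # patched, unknown shape

def check_prologue(name: str, disk: bytes, mem: bytes, va: int, n: int = 16) -> Finding:
    """Flag a function whose first n bytes in memory differ from the on-disk image.
    Caveat: bytes covered by base relocations differ legitimately; exclude them."""
    disk, mem = disk[:n], mem[:n]
    diffs = [i for i, (d, m) in enumerate(zip(disk, mem)) if d != m]
    if not diffs:
        return Finding(name, False, None, None, None, None)
    stub, target = decode_stub(mem, va)
    outside = None if target is None else not (MODULE_BASE <= target < MODULE_END)
    return Finding(name, True, diffs[0], stub, target, outside)

# Constructed in-memory views: clean; hooked with an absolute jump into an
# injected region far outside the module; patched with a short in-module jump.
MEM_CLEAN = DISK_PROLOGUE
MEM_FAR_HOOK = b"\x48\xB8" + struct.pack("<Q", 0x1F0_0001_0000) + b"\xFF\xE0" + DISK_PROLOGUE[12:]
MEM_NEAR_PATCH = b"\xE9" + struct.pack("<i", 0x1000) + DISK_PROLOGUE[5:]

def scan() -> list:
    name = "CPwdPolicyManager::ValidatePwdForLogin"
    return [check_prologue(name, DISK_PROLOGUE, m, VA_VALIDATE)
            for m in (MEM_CLEAN, MEM_FAR_HOOK, MEM_NEAR_PATCH)]
```

A jump that lands outside the module's own image is the strongest signal here, since an in-module patch can also be produced by legitimate hot-patching.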

“The skip-2.0 backdoor is an interesting addition to the Winnti Group’s arsenal, sharing a great deal of similarities with the group’s already known toolset, and allowing the attacker to achieve persistence on an MSSQL Server. Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness,” ESET concludes.

Related: Researchers Find New Backdoor Used by Winnti Hackers

Related: Researchers Link Several State-Sponsored Chinese Spy Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
