A recently identified backdoor used by the China-linked Winnti hackers and which targets Microsoft SQL (MSSQL) is very stealthy, ESET’s security researchers say.
Active since at least 2009, the group has been observed targeting industries such as aviation, gaming, pharmaceuticals, technology, telecommunication, and software development, for cyber-espionage purposes.
The newly detailed malware, ESET says, allows the attackers to maintain a very discreet foothold within a compromised environment, and features many similarities with PortReuse, a backdoor that ESET exposed last week.
Designed to target MSSQL Server 11 and 12 — the most commonly used versions, despite being deployed over five years ago — the backdoor is called skip-2.0 by its authors and can maintain a stealthy connection to any MSSQL account by using a magic password, in addition to hiding the connection from logs.
“Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain,” the security researchers explain.
skip-2.0 was linked to the Winnti Group through the use of the same VMProtected launcher that drops the PortReuse backdoor and the use of the hackers’ custom packer, as well as through various similarities with other samples from the adversary’s toolset.
The security researchers believe that the launcher persists by exploiting a DLL hijacking vulnerability in which the malicious library is loaded by the standard SessionEnv service at startup, as with PortReuse and ShadowPad, another piece of malware associated with the Winnti cyber-spies.
Inner-Loader, an injector already associated with the Winnti Group arsenal, is used to find sqlserv.exe, the process of MSSQL Server, and inject skip-2.0.dll into it.
Next, the backdoor checks whether it is executing within a sqlserv.exe process, then retrieves a handle to sqllang.dll, which is loaded by sqlserv.exe, after which it hooks functions from that DLL. The hooking procedure is very similar to that used in the case of PortReuse.
The skip-2.0 backdoor targets functions related to authentication and event logging, including CPwdPolicyManager::ValidatePwdForLogin, which is responsible for validating the password provided for a given user.
Should the user password match what ESET describes as a “magic password,” the original function is not called and the hook returns 0, thus allowing the connection without the correct password.
“A similar backdooring technique, based on hardcoded passwords, was used with SSH backdoors previously discovered by ESET. The difference here is that skip-2.0 is installed in-memory, while in the case of the SSH backdoors the sshd executable was modified prior to execution,” the security researchers explain.
The malware also uses a series of hooks that allow it not only to gain persistence through the use of a special password, but also to stay undetected, by disabling numerous log and event publishing mechanisms whenever that password is used.
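Because the backdoor suppresses the server's own logging when the magic password is used, a defender cannot rely on the audit trail alone; the useful signal is a session the server is currently serving whose login never reached the audit log. The following added example (written for this page, not ESET's code or anything from the Winnti toolset) shows that cross-check in Python: it parses "Login succeeded" lines in the SQL Server ERRORLOG format and compares them against live session rows of the kind one would pull by joining sys.dm_exec_sessions with sys.dm_exec_connections. Both the log excerpt and the session rows are constructed sample data; the session dict keys, the two-minute matching window, and the function names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Matches a successful-login audit line as SQL Server writes it to the ERRORLOG
# when login auditing is set to record successful logins.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login succeeded for user '(?P<user>[^']+)'.*?\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed ERRORLOG excerpt: two audited logins plus an unrelated noise line.
SAMPLE_ERRORLOG = r"""
2019-10-21 10:00:05.12 Logon       Login succeeded for user 'reporting_svc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.20]
2019-10-21 10:03:41.44 Logon       Login succeeded for user 'CORP\dba01'. Connection made using Windows authentication. [CLIENT: 10.0.0.7]
2019-10-21 10:05:00.02 spid52      Backup database successfully processed 1024 pages.
"""

# Constructed live-session rows, shaped like sys.dm_exec_sessions joined with
# sys.dm_exec_connections. Sessions 53 and 54 have no audited login: 53 never
# produced a log line at all, and 54 reuses a user/client pair whose only
# audit entry is half an hour older than the session itself.
SAMPLE_SESSIONS = [
    {"session_id": 51, "login_name": "reporting_svc",
     "login_time": datetime(2019, 10, 21, 10, 0, 5), "client_net_address": "10.0.0.20"},
    {"session_id": 52, "login_name": r"CORP\dba01",
     "login_time": datetime(2019, 10, 21, 10, 3, 41), "client_net_address": "10.0.0.7"},
    {"session_id": 53, "login_name": "sa",
     "login_time": datetime(2019, 10, 21, 10, 7, 12), "client_net_address": "10.0.0.99"},
    {"session_id": 54, "login_name": "reporting_svc",
     "login_time": datetime(2019, 10, 21, 10, 30, 0), "client_net_address": "10.0.0.20"},
]


def parse_login_events(log_text):
    """Return (timestamp, user, client_ip) for each successful-login audit line."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def find_unlogged_sessions(sessions, events, window=timedelta(minutes=2)):
    """Return session_ids of live sessions with no matching audited login.

    A session is considered logged only if an audit event exists for the same
    login name and client address within `window` of the session's login_time;
    the window keeps an old audit entry from vouching for a much later session.
    """
    flagged = []
    for s in sessions:
        matched = any(
            user == s["login_name"]
            and client == s["client_net_address"]
            and abs(ts - s["login_time"]) <= window
            for ts, user, client in events
        )
        if not matched:
            flagged.append(s["session_id"])
    return flagged


if __name__ == "__main__":
    events = parse_login_events(SAMPLE_ERRORLOG)
    for sid in find_unlogged_sessions(SAMPLE_SESSIONS, events):
        print(f"session {sid}: live on the server but absent from the login audit log")
```

Two caveats apply when running this against a real instance. The ERRORLOG only carries successful-login lines if login auditing is configured to record both failed and successful logins, so confirm that setting before treating an empty audit log as suspicious. And the check assumes the live-session view is still honest; the article only states that the backdoor disables log and event publishing, so the session list, pulled from the server while the suspect connection is open, is the more trustworthy of the two sources, but any finding should be confirmed by inspecting which modules are loaded in the SQL Server process.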
“The skip-2.0 backdoor is an interesting addition to the Winnti Group’s arsenal, sharing a great deal of similarities with the group’s already known toolset, and allowing the attacker to achieve persistence on an MSSQL Server. Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness,” ESET concludes.