New Winnti Backdoor Targets Microsoft SQL

A recently identified backdoor used by the China-linked Winnti hackers and which targets Microsoft SQL (MSSQL) is very stealthy, ESET’s security researchers say.

Active since at least 2009, the group has been observed targeting industries such as aviation, gaming, pharmaceuticals, technology, telecommunication, and software development, for cyber-espionage purposes.

The newly detailed malware, ESET says, allows the attackers to maintain a very discreet foothold within a compromised environment, and features many similarities with PortReuse, a backdoor that ESET exposed last week.

Designed to target MSSQL Server 11 and 12 — the most commonly used versions, despite being deployed over five years ago — the backdoor is called skip-2.0 by its authors and can maintain a stealthy connection to any MSSQL account by using a magic password, in addition to hiding the connection from logs.

“Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain,” the security researchers explain.

skip-2.0 was linked to the Winnti Group through the use of the same VMProtected launcher that drops the PortReuse backdoor and the use of the hackers’ custom packer, as well as through various similarities with other samples from the adversary’s toolset.

The security researchers believe that the launcher persists through a DLL hijacking vulnerability: the malicious library is loaded at startup by the standard SessionEnv service, the same technique used by PortReuse and by ShadowPad, another piece of malware associated with the Winnti cyber-spies.

Inner-Loader, an injector already associated with the Winnti Group arsenal, is used to find sqlserv.exe, the process of MSSQL Server, and inject skip-2.0.dll into it.

Next, the backdoor checks whether it is executing within a sqlserv.exe process, then retrieves a handle to sqllang.dll, which is loaded by sqlserv.exe, after which it hooks functions from that DLL. The hooking procedure is very similar to that used in the case of PortReuse.

The skip-2.0 backdoor targets functions related to authentication and event logging, including CPwdPolicyManager::ValidatePwdForLogin, which is responsible for validating the password provided for a given user.

Should the user password match what ESET describes as a “magic password,” the original function is not called and the hook returns 0, thus allowing the connection without the correct password.
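As an added defender-side example (not code from ESET or from this article), the Python below shows how the inline hooks described above can be spotted: the first bytes of a hooked function in memory no longer match the on-disk image, and the planted jump points outside the hooked module. All addresses and prologue bytes are constructed; on a live host the in-memory bytes would have to be read from the sqlserv.exe process.

```python
import struct

# Constructed x64 prologue used as the on-disk reference for the function
CLEAN_PROLOGUE = bytes.fromhex("48895c2408574883ec20")

def decode_jump(mem: bytes, func_va: int):
    """Return the absolute target if the first instruction is a jump of the
    kind inline hooks plant, else None.  Patterns handled:
      E9 rel32                 jmp rel32
      48 B8 imm64 FF E0        mov rax, imm64 ; jmp rax
    """
    if len(mem) >= 5 and mem[0] == 0xE9:
        rel = struct.unpack_from("<i", mem, 1)[0]
        return (func_va + 5 + rel) & 0xFFFFFFFFFFFFFFFF
    if len(mem) >= 12 and mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0":
        return struct.unpack_from("<Q", mem, 2)[0]
    return None

def check_function(name, func_va, disk_prologue, mem_prologue, module_base, module_size):
    """Compare the in-memory prologue with the on-disk copy and classify the result.
    'foreign' is True when the jump leaves the module, i.e. lands in injected code."""
    result = {"function": name, "hooked": False, "target": None, "foreign": False}
    if mem_prologue == disk_prologue:
        return result
    result["hooked"] = True
    target = decode_jump(mem_prologue, func_va)
    result["target"] = target
    if target is not None:
        result["foreign"] = not (module_base <= target < module_base + module_size)
    return result

def make_hooked_prologue(func_va, target):
    """Build a jmp-rel32 hooked prologue for the demo (constructed, not a real sample)."""
    rel = target - (func_va + 5)
    return b"\xe9" + struct.pack("<i", rel) + CLEAN_PROLOGUE[5:]

# Constructed addresses: a hypothetical sqllang.dll mapping and a function inside it
MODULE_BASE, MODULE_SIZE = 0x7FFB10000000, 0x02800000
FUNC_VA = MODULE_BASE + 0x1A2B30
INJECTED_VA = 0x7FFB40000000  # outside sqllang.dll, e.g. an injected DLL

def demo():
    """Check the same function once clean and once hooked towards foreign code."""
    name = "CPwdPolicyManager::ValidatePwdForLogin"
    hooked = make_hooked_prologue(FUNC_VA, INJECTED_VA)
    return [check_function(name, FUNC_VA, CLEAN_PROLOGUE, CLEAN_PROLOGUE, MODULE_BASE, MODULE_SIZE),
            check_function(name, FUNC_VA, CLEAN_PROLOGUE, hooked, MODULE_BASE, MODULE_SIZE)]

if __name__ == "__main__":
    for r in demo():
        print(r)
```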

“A similar backdooring technique, based on hardcoded passwords, was used with SSH backdoors previously discovered by ESET. The difference here is that skip-2.0 is installed in-memory, while in the case of the SSH backdoors the sshd executable was modified prior to execution,” the security researchers explain.

The malware also installs a series of hooks that not only give it persistence through the special password, but also keep it undetected: numerous log and event publishing mechanisms are disabled whenever that password is used.

“The skip-2.0 backdoor is an interesting addition to the Winnti Group’s arsenal, sharing a great deal of similarities with the group’s already known toolset, and allowing the attacker to achieve persistence on an MSSQL Server. Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness,” ESET concludes.

Related: Researchers Find New Backdoor Used by Winnti Hackers

Related: Researchers Link Several State-Sponsored Chinese Spy Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
