ESET specialists discovered a new malware tool created by Chinese intruders from the Winnti group and designed to modify Microsoft SQL Server (MSSQL) databases to create a backdoor. As an added benefit, the backdoor hides sessions in the database connection logs every time the hackers use a “magic password”, which helps the attackers go unnoticed.
The tool is called skip-2.0 and is intended to modify the MSSQL functions responsible for authentication processing. Attackers deploy the backdoor after compromising their targets by other means, since installing it requires administrative privileges. In effect, the tool is used to increase stealth and establish a persistent presence.
The basic idea behind skip-2.0 is to create the aforementioned “magic password”. If that password is entered in any authentication session, the user is automatically granted access, while the usual logging and audit functions are bypassed, resulting in a ghost session that is not accounted for anywhere.
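The observable artefact of such a ghost session is a live connection with no matching successful-login audit record. The following detection logic, added here as an illustrative example and not code from ESET's report, correlates a constructed snapshot of active sessions (shaped like the columns of `sys.dm_exec_sessions`) with a constructed login audit trail and flags sessions that have no login event within a small clock-skew tolerance.

```python
"""Hunt for MSSQL sessions that have no matching successful-login audit event.

skip-2.0 grants access on a 'magic password' and suppresses the usual login
logging, so a live session with no login record is the thing to look for.
All input data below is constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed snapshot of active sessions:
# (session_id, login_name, login_time, host_name). Illustrative values only.
ACTIVE_SESSIONS = [
    (51, "sa", "2019-10-21 09:00:05", "APP01"),
    (52, "svc_backup", "2019-10-21 09:10:12", "BKP02"),
    (53, "sa", "2019-10-21 09:15:40", "WS-UNKNOWN"),
]

# Constructed audit trail of successful logins: (login_name, event_time, host).
# Session 53 has no corresponding entry, mimicking a skip-2.0 ghost session.
LOGIN_AUDIT = [
    ("sa", "2019-10-21 09:00:04", "APP01"),
    ("svc_backup", "2019-10-21 09:10:12", "BKP02"),
]

# Clock skew tolerated between the session's login_time and the audit event.
TOLERANCE = timedelta(seconds=5)


def _ts(value):
    """Parse the timestamp format used in the constructed data."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def find_unlogged_sessions(sessions, audit, tolerance=TOLERANCE):
    """Return the ids of sessions whose login has no audit event within tolerance."""
    unmatched = []
    for sid, login, login_time, host in sessions:
        started = _ts(login_time)
        matched = any(
            a_login == login and a_host == host and abs(_ts(a_time) - started) <= tolerance
            for a_login, a_time, a_host in audit
        )
        if not matched:
            unmatched.append(sid)
    return unmatched


if __name__ == "__main__":
    for sid in find_unlogged_sessions(ACTIVE_SESSIONS, LOGIN_AUDIT):
        print(f"ALERT: session {sid} has no successful-login audit record")
```

In practice the session snapshot and the audit events would come from the server's own DMVs and SQL Server Audit or the error log; the correlation logic stays the same.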
According to the experts, skip-2.0 only works with MSSQL Server versions 12 and 11. And although MSSQL Server 12 was released back in 2014, according to Censys this version is still the most frequently used.
During analysis of the skip-2.0 code, the experts found evidence connecting it with other Winnti tools, in particular the PortReuse and ShadowPad backdoors. PortReuse is a backdoor for IIS servers that ESET discovered at the beginning of this year in the compromised networks of hardware and software suppliers in South Asia. ShadowPad is a Windows backdoor trojan first seen inside applications made by the South Korean software vendor NetSarang after Chinese hackers broke into its infrastructure in mid-2017.
“Such a backdoor can allow attackers to secretly copy, modify, or delete the contents of databases. This can be used, for example, to manipulate in-game currencies in order to obtain financial benefits,” ESET experts write.
Similar manipulation of in-game currencies was already reported at the beginning of this year, and FireEye specialists later tied those attacks to APT41.