Security experts at ESET have discovered a new malware, dubbed skip-2.0, used by the Chinese Winnti
The Winnti group was first spotted by Kaspersky in 2013, according to the researchers the gang has been active since 2007.
The skip-2.0 malware was used by threat actors to establish a backdoor in MSSQL Server 11 and 12 servers, allowing them to access to any account on the server using a “magic password.” The malicious code is able to remain under the radar thanks to the ability to interact with logging mechanisms.
“Earlier this year, we received a sample of this new backdoor called skip-2.0 by its authors and part of the Winnti Group’s arsenal.” reads the analysis published by ESET researcher Mathieu Tartare. “This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password – while automatically hiding these connections from the logs. Such a backdoor could allow an attacker to stealthily copy, modify or delete database content.”
The PortReuse backdoor has a modular architecture, experts discovered that its components are separate processes that communicate through named pipes. Experts detected multiple PortReuse variants with a different NetAgent but using the same SK3. Each variant
The ShadowPad backdoor is a modular platform that can be used to download and execute arbitrary code on the infected system, create processes, and maintain a virtual file system in the registry,
The remote access capability implemented for the ShadowPad backdoor includes a domain generation algorithm (DGA) for C&C servers which changes every month.
Experts noticed that the three malware
The Inner-Loader observed in recent attacks looks for the sqlserv.exe process associated with Microsoft SQL Server, then it injects a payload into this process via the sqllang.dll, giving the malware the ability to hook multiple logging and authentication functions.
“The functions targeted by skip-2.0 are related to authentication and event logging.” continues the analysis.
“The most interesting function is the first one (CPwdPolicyManager:
Experts pointed out that administrative privileges are required for installing the hooks, this means that skip-2.0 could be delivered only on already compromised MSSQL Servers to achieve persistence.