The activities of government-sponsored hacker groups can have disastrous consequences. A group of digital forensics experts from ESET has revealed the existence of a new malware developed by Winnti, a hacking group backed by the Chinese government, with the purpose of gaining persistence in a targeted Microsoft SQL Server system.
Identified as skip-2.0, this malware is
capable of blocking Microsoft SQL (MSSQL) Server versions 11 and 12; subsequently,
hackers connect to any account on the server using a “magic word”,
hiding their activity from any security log.
Mathieu Tartare, ESET’s digital forensics
expert, mentioned: “This backdoor
allows threat actors to gain persistence on the victim’s server, in addition to
bypassing detection, as many of the mechanisms of activity logging in the
system are disabled using this special password”.
In fact, Winnti is a generic name that the
cybersecurity community uses to refer to at least five different groups of Chinese-sponsored
hackers. These threat actors have been using a similar set of tools for at
least eight years, when a group of experts from Kaspersky Lab detected a Trojan
identified as Winnti present on some online video game servers.
ESET’s digital forensics experts also mentioned
that the skip-2.0 malware bears some similarities to PortReuse and ShadowPad,
two backdoors previously used by Winnti. In previous cyberattack campaigns, these
backdoors were used to infect the servers of a major mobile software and
hardware manufacturer.
Skip-2.0 attack
process
When the malicious payload is dropped to the
compromised MSSQL server, the backdoor begins injecting the malicious code into
the sqlserv.exe process using sqllang.dll, which involves some functions used
to register an authentication. In this way, the malware bypasses the MSSQL
server authentication mechanism, allowing threat actors to login, regardless of
whether the password for the entered account is not correct.
“The hook in this function is responsible
for checking if the password provided by the user matches the hacker’s
“magic word”; in that case, the original function will not be called
and the hook will return a value of ‘0’, allowing the connection without using
the actual password,” the experts added.
ESET experts tested the attack on various
versions of the server, finding that it only works successfully on versions 11
and 12. According to digital forensics specialists from the International Institute
of Cyber Security (IICS), although these MSSQL server versions were released
almost 6 years ago, their use remains very common, so a large number of
sysadmins could be exposed to infection.
In conclusion, the ESET report believes that
due to its features and the benefits it provides, Winnti hackers could start
large-scale infection campaigns using this malware. The only negative aspect to
this new attack is that administrator privileges are required to get it concrete,
so hackers still need to devise a first stage of attack before using skip-2.0
malware.
