ESET specialists discovered a new tool created by Chinese hackers from the Winnti group, designed to make changes to Microsoft SQL Server (MSSQL) databases in order to create a backdoor. As an added benefit, the backdoor hides sessions in the database connection logs every time the hackers use a “magic password”, which helps the attackers go unnoticed.
“Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported,” write ESET specialists.
The tool is called skip-2.0 and is intended to modify the MSSQL functions responsible for authentication processing. Attackers deploy the backdoor only after compromising their targets by other means, since installing the hooks requires administrative privileges. In effect, the tool is used to increase stealth and maintain a persistent presence.
The basic idea behind skip-2.0 is to create the aforementioned “magic password”. If this password is entered in any authentication session, the user is automatically granted access while the usual logging and audit functions are disabled, resulting in a ghost session that is recorded nowhere.
According to the experts, skip-2.0 only works with MSSQL Server versions 12 and 11. Although MSSQL Server 12 was released back in 2014, according to Censys this version is still the most frequently used.
During the analysis of the skip-2.0 code, experts found evidence that connects it with other Winnti tools, in particular with the PortReuse and ShadowPad backdoors. PortReuse is a backdoor for IIS servers discovered by ESET in compromised networks of hardware and software suppliers in South Asia at the beginning of this year. ShadowPad is a backdoor Trojan for Windows, first seen inside applications created by South Korean software maker NetSarang when Chinese hackers broke into its infrastructure in mid-2017.
Similar manipulations with in-game currencies were already reported at the beginning of this year, and FireEye specialists later associated these attacks with APT41.
The skip-2.0 backdoor is an interesting addition to the Winnti Group’s arsenal, sharing many similarities with the group’s already known toolset and allowing the attacker to achieve persistence on an MSSQL Server. Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness.