“Winnti”, a Chinese hacking group, used a new backdoor called skip-2.0 to gain access to Microsoft SQL (MSSQL) Server instances. The group has been known since 2012 for targeted attacks on gaming studios and IT companies.
Malware installing itself in memory
Security researchers at the IT security firm ESET discovered a new backdoor that installs itself in memory. ESET received a sample of it at the beginning of 2019 and named it skip-2.0. The backdoor works by hooking undocumented internal functions of the MSSQL Server process.
The backdoor is closely related to PortReuse, another tool the Winnti Group had used in the past, which led the ESET researchers to attribute skip-2.0 to the same group. According to ESET, skip-2.0 is the first MSSQL Server backdoor to be documented publicly.
“We observed multiple similarities between skip-2.0 and other tools from the Winnti Group’s arsenal. Its VMProtected launcher, custom packer, Inner-Loader injector, and hooking framework are part of the already known toolset of the Winnti Group. This leads us to think that skip-2.0 is also part of that toolset,”
ESET said in a statement.
Attackers use a magic password
The backdoor accepts a “magic password”: any login that presents it is authenticated as the requested account, which gives the attacker access to every MSSQL account on a server running MSSQL Server version 11 or 12 (SQL Server 2012 and 2014). According to Censys data, these are not the most recent releases, but they are the most widely deployed versions.
Logins made with the magic password are also kept out of the server’s logs, so the connections leave no trace there. Once connected, the attacker can copy, modify or delete database content. The IT security firm summarized the backdoor:
The skip-2.0 backdoor is an interesting addition to the Winnti Group’s arsenal, sharing many similarities with the group’s already known toolset, and allowing the attacker to achieve persistence on an MSSQL Server. Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness.
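As the summary notes, skip-2.0 needs administrative rights to place its hooks and then lives inside the SQL Server process, where it suppresses its own log entries. A defender therefore cannot rely on the login log alone. The script below is an added triage example written for this article; it is not ESET’s tooling and contains no indicator from their report. It reports the engine version (the article says skip-2.0 targets MSSQL Server 11 and 12) and lists every DLL mapped into sqlservr.exe whose Authenticode signature is missing, invalid, or not issued to Microsoft. It assumes sqlcmd is on the PATH, Windows authentication to the default local instance, and an elevated 64-bit PowerShell session on the database host (Get-Process cannot enumerate the modules of a process of different bitness or without administrator rights).

```powershell
# Added example, not from the original article or from ESET.
# Triage a Windows host running SQL Server: report the engine version and
# flag modules inside sqlservr.exe that are not validly signed by Microsoft.

$ErrorActionPreference = 'Stop'

# 1. Engine version. ProductVersion returns e.g. "12.0.6024.0"; the leading
#    number is the major version (11 = SQL Server 2012, 12 = SQL Server 2014).
$instance = '.'   # assumption: default local instance; change for a named instance
$version = (& sqlcmd -S $instance -E -h -1 -W -Q "SET NOCOUNT ON; SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))") |
    Where-Object { $_.Trim() } | Select-Object -First 1
Write-Host "SQL Server ProductVersion: $version"
if ($version -match '^(11|12)\.') {
    Write-Warning "Major version 11/12 (SQL Server 2012/2014): the versions skip-2.0 was reported to target."
}

# 2. Every module mapped into the engine process, with signature verification.
#    Legitimate third-party software (AV/EDR agents) may also inject DLLs, so a
#    hit is a lead to review, not proof of compromise.
$suspicious = @()
foreach ($proc in Get-Process -Name sqlservr) {
    foreach ($mod in $proc.Modules) {
        $sig = Get-AuthenticodeSignature -FilePath $mod.FileName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation') {
            $suspicious += [pscustomobject]@{
                Pid    = $proc.Id
                Module = $mod.FileName
                Status = $sig.Status
                Signer = $subject
            }
        }
    }
}

if ($suspicious.Count -eq 0) {
    Write-Host "All modules in sqlservr.exe carry a valid Microsoft signature."
} else {
    Write-Warning "$($suspicious.Count) module(s) in sqlservr.exe are unsigned or not Microsoft-signed; review each:"
    $suspicious | Format-Table -AutoSize
}
```

Two caveats a practitioner should keep in mind. First, a clean module list is not a clean bill of health: code that is written into the process without going through the Windows loader does not appear in the module table, so this check catches loader-visible DLLs only and should be paired with memory scanning. Second, since the backdoor hides its own logins, the version and module checks belong in a host-level inventory that is run and recorded from outside the database engine, not in a query executed through the possibly hooked server itself.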