Published on October 21st, 2019

Skip-2.0 malware provides ‘magic password’ to access MSSQL accounts



Researchers today revealed their discovery of what they believe to be the first publicly documented case of a backdoor targeting Microsoft SQL Server (MSSQL) databases, attributing the malware to the threat actor Winnti Group.

Dubbed “skip-2.0,” the malware is installed in memory and provides attackers with a “magic password” that allows them to connect to any account on an MSSQL Server of version 11 or 12 (SQL Server 2012 and 2014, respectively). Moreover, it hides evidence of its existence by essentially disabling the compromised machine’s logging, event publishing and audit capabilities.

Armed with such abilities, the attackers can then copy, modify or delete a database’s content, warns ESET in an Oct. 21 company blog post detailing the threat. However, skip-2.0 is a post-exploitation tool, meaning that MSSQL servers must already be compromised for the attackers to have the admin privileges necessary to achieve persistence.
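Two facts in the description above are directly checkable from inside an instance: whether the product version is in the 11/12 range the report names, and whether the server’s own audits are still defined and running. The T-SQL below is an added triage query written for this article; it is not code from ESET, from the article, or from the Winnti toolset. The mapping of major version 11 to SQL Server 2012 and 12 to SQL Server 2014 is standard; the “at risk” labelling, the expectation that audits should be in the STARTED state, and the vendor filter on loaded modules are this example’s own assumptions.

```sql
-- Added triage queries (not from ESET or the article). Run against each
-- MSSQL instance that may have been exposed to the actor described above.

-- 1. Product version. ProductVersion looks like '12.0.6024.0'; the number
--    before the first dot is the major version. The article reports that
--    skip-2.0 targets major versions 11 and 12 (SQL Server 2012 and 2014).
SELECT
    SERVERPROPERTY('MachineName')    AS machine_name,
    SERVERPROPERTY('InstanceName')   AS instance_name,
    SERVERPROPERTY('ProductVersion') AS product_version,
    CASE
        WHEN LEFT(CAST(SERVERPROPERTY('ProductVersion') AS NVARCHAR(20)),
                  CHARINDEX('.', CAST(SERVERPROPERTY('ProductVersion') AS NVARCHAR(20))) - 1)
             IN ('11', '12')
        THEN 'major version in reported skip-2.0 target range (11/12)'  -- label is this example's assumption
        ELSE 'major version outside reported target range'
    END AS skip20_version_check;

-- 2. Audit state. Every server audit you expect to exist should appear here
--    with status_desc = 'STARTED'. A missing or STOPPED audit on a server
--    that is supposed to be auditing deserves a closer look, whatever the cause.
SELECT
    a.name AS audit_name,
    a.is_state_enabled,
    s.status_desc,
    s.status_time,
    s.audit_file_path
FROM sys.server_audits AS a
LEFT JOIN sys.dm_server_audit_status AS s
    ON a.audit_id = s.audit_id;

-- 3. Modules loaded into the SQL Server process. The backdoor is described as
--    being installed in memory by an injector, so an unexpected, unsigned or
--    oddly located module is a lead. Compare the output with a known-good
--    baseline from a clean instance; the vendor filter here is only a first cut.
SELECT name, company, description, file_version
FROM sys.dm_os_loaded_modules
WHERE company IS NULL
   OR company NOT LIKE 'Microsoft%';
```

Treat these as triage, not proof of absence: a backdoor that lives inside the server process and hooks its logging path can suppress events without touching the catalog metadata that the second query reads, so a clean result should be corroborated with host-side telemetry (Windows event logs, EDR or a SIEM that receives events off the box) rather than taken from the instance alone.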

ESET has linked the threat to the Winnti Group. Also known as APT 41, Axiom and Blackfly, the reputed Chinese APT actor has historically been tied to a number of prominent supply chain attacks that replace companies’ legitimate software with weaponized versions in order to infect the machines that install them.

Winnti’s members have often targeted game developers and their users, inserting backdoors into various games’ build environments. ESET believes one potential use of skip-2.0 is to manipulate the databases of in-game currencies for their own financial gain, something Winnti has been known to try before.





ESET has tied skip-2.0 to other Winnti Group malware programs, finding similarities in the tools it uses to launch and execute, including the threat actor’s “VMProtected” launcher, its custom packer and its “Inner-Loader” injector. The backdoor also uses the same hooking procedure as seen in past Winnti malware operations.

“The skip-2.0 backdoor is an interesting addition to the Winnti Group’s arsenal, sharing a great deal of similarities with the group’s already known toolset, and allowing the attacker to achieve persistence on an MSSQL Server,” explains Mathieu Tartare, ESET researcher, in the blog post he authored.
