New malware created by Chinese-backed Winnti Group has been discovered by researchers at ESET while being used to gain persistence on Microsoft SQL Server (MSSQL) systems.

The new malicious tool dubbed skip-2.0 can be used by the attackers to backdoor MSSQL Server 11 and 12 servers, enabling them to connect to any account on the server using a so-called “magic password” and hide their activity from the security logs.

“This backdoor allows the attacker not only to gain persistence in the victim’s MSSQL Server through the use of a special password, but also to remain undetected thanks to the multiple log and event publishing mechanisms that are disabled when that password is used,” says ESET researcher Mathieu Tartare.

Winnti Group’s arsenal is growing

The Winnti Group is an umbrella term used as the name of a collective of Chinese state-backed hacking groups (tracked as Blackfly and Suckfly by Symantec, Wicked Panda by CrowdStrike, BARIUM by Microsoft, APT41 by FireEye) sharing the same malicious tools that have been in use since around 2011.

That is when Kaspersky found the hackers’ Winnti Trojan on a large number of compromised gaming systems after it got delivered via a game’s official update server.

After analyzing the new backdoor, ESET’s researchers have also discovered that skip-2.0 shares some traits with other Winnti Group malware, “in particular, with the PortReuse and ShadowPad backdoors.”

Winnti Group artefacts and TTPs
Winnti Group artifacts and TTPs (ESET)

PortReuse, a modular Windows backdoor, was used by the Winnti hackers in an attack targeting the servers of a high-profile Asian mobile software and hardware manufacturer.

Also, PortReuse is “a network implant that injects itself into a process that is already listening on a network port and waits for an incoming magic packet to trigger the malicious code.”

ShadowPad is another Winnti backdoor used by the group as part of a supply chain attack from 2017 that impacted NetSarang, a Soth Korean maker of network connectivity solutions, when the hacking group successfully infected the company’s server management software with the backdoor.

All three backdoors use the same VMProtected launcher and the group’s custom malware packer and, to top it all off, also share multiple other similarities with several other tools associated with the threat group’s past operations.

MSSQL Server 11 and 12 under attack

Once dropped on an already compromised MSSQL server, the skip-2.0 backdoor proceeds to inject its malicious code within the sqlserv.exe process via the sqllang.dll, hooking multiple functions used for logging an authentication.

This allows the malware to bypass the server’s built-in authentication mechanism and thus allow its operators to log in even though the account password they entered does not match.

“This function’s hook checks whether the password provided by the user matches the magic password, in that case, the original function will not be called and the hook will return 0, allowing the connection even though the correct password was not provided,” says ESET.

“We tested skip-2.0 against multiple MSSQL Server versions and found that we were able to log in successfully using the special password only with MSSQL Server 11 and 12,” Tartare adds.

skip-2.0 injection
skip-2.0 injection (ESET)

While MSSQL Server 11 and 12 are not the most recently released versions — they were released in 2012 and 2014 — they are the most common ones according to data ESET’s researchers got from Censys.

“The skip-2.0 backdoor is an interesting addition to the Winnti Group’s arsenal, sharing a great deal of similarities with the group’s already known toolset, and allowing the attacker to achieve persistence on an MSSQL Server,” ESET’s research team concludes.

“Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness.”