Cybersecurity researchers claim to have discovered a previously undocumented backdoor specifically designed for Microsoft SQL servers that could allow a remote attacker to stealthily control an already compromised system.
Dubbed Skip-2.0, the backdoor malware is a post-exploitation tool that runs in memory and allows remote attackers to connect to any account on a server running MSSQL Server version 11 or version 12 by using a “magic password.”
What's more, the malware manages to remain undetected on the victim's MSSQL Server by disabling the compromised machine's logging functions, event publishing, and audit mechanisms every time the “magic password” is used.
With these capabilities, an attacker can stealthily copy, modify, or delete the content stored in a database, the impact of which varies from application to application integrated with the targeted servers.
“This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported,” the researchers said.
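The behaviour described above, where logging and audit are switched off around each use of the magic password, leaves a detectable gap: a login that shows up in connection-level telemetry but never in the SQL Server audit trail. The script below is an added example, not code from ESET or from the article, that correlates two constructed log sources (a connection log and an audit log whose formats are assumed for the illustration) and reports sessions that were never audited.

```python
"""Cross-source check for suppressed SQL Server login auditing.

Idea: independent telemetry (firewall/session snapshot) records a client
connection to the MSSQL port, while the server's own audit trail should
record a matching LOGIN_SUCCESS. A connection with no audit record is a
candidate for audit suppression of the kind Skip-2.0 performs.
All sample data and field names below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample: connection-level telemetry for the MSSQL port.
CONNECTION_LOG = """\
2019-10-21T09:00:12Z src=10.0.0.5 dst=10.0.0.20:1433 session=51 user=app_svc
2019-10-21T09:03:44Z src=10.0.0.9 dst=10.0.0.20:1433 session=52 user=sa
2019-10-21T09:05:01Z src=10.0.0.5 dst=10.0.0.20:1433 session=53 user=app_svc
"""

# Constructed sample: SQL Server audit records. Session 52 is missing,
# which is what an audit-disabling login would look like.
AUDIT_LOG = """\
2019-10-21T09:00:12Z action=LOGIN_SUCCESS session=51 principal=app_svc
2019-10-21T09:05:01Z action=LOGIN_SUCCESS session=53 principal=app_svc
"""

CONN_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"session=(?P<session>\d+) user=(?P<user>\S+)$"
)
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\S+) session=(?P<session>\d+) "
    r"principal=(?P<principal>\S+)$"
)


@dataclass(frozen=True)
class Connection:
    ts: str
    src: str
    session: int
    user: str


def parse_connections(text: str) -> list[Connection]:
    """Parse the constructed connection log into Connection records."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append(Connection(m["ts"], m["src"], int(m["session"]), m["user"]))
    return conns


def parse_audited_sessions(text: str) -> set[int]:
    """Collect session ids that the audit trail confirms as successful logins."""
    sessions = set()
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if m and m["action"] == "LOGIN_SUCCESS":
            sessions.add(int(m["session"]))
    return sessions


def find_unaudited_logins(conn_text: str, audit_text: str) -> list[Connection]:
    """Return connections that have no corresponding audit login record."""
    audited = parse_audited_sessions(audit_text)
    return [c for c in parse_connections(conn_text) if c.session not in audited]


if __name__ == "__main__":
    for c in find_unaudited_logins(CONNECTION_LOG, AUDIT_LOG):
        print(f"{c.ts} session {c.session} user={c.user} from {c.src}: "
              f"no audit LOGIN_SUCCESS record")
```

In practice the correlation key would be whatever both sources share (session id, or client address plus a time window), and the same reconciliation can be run on audit volume over time: a privileged login on a version 11 or 12 instance that leaves no audit trace is exactly the gap the article describes.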
Chinese Hackers Made Microsoft SQL Server Backdoor
In its latest report published by cybersecurity firm ESET, researchers attributed the Skip-2.0 backdoor to a Chinese state-sponsored threat actor group known as Winnti Group, as the malware contains several similarities to other known Winnti Group tools, in particular the PortReuse backdoor and ShadowPad.
First documented by ESET earlier this month, the PortReuse backdoor is a passive network implant for Windows that injects itself into a running process already listening on a TCP port, “reusing” an already open port, and waits for an incoming magic packet to trigger the malicious code.
First seen during the supply-chain attack against software maker NetSarang in July 2017, ShadowPad is a Windows backdoor that attackers deploy on victim networks to gain flexible remote control capabilities.
Like other Winnti Group payloads, Skip-2.0 also uses an encrypted VMProtected launcher, a custom packer, an inner-loader injector and a hooking framework to install the backdoor, and persists on the target system by exploiting a DLL hijacking vulnerability in a Windows process that belongs to a system startup service.
Since the Skip-2.0 malware is a post-exploitation tool, an attacker first needs to compromise the targeted MSSQL servers to obtain the administrative privileges required to achieve persistence and stealthiness.
“Note that even though MSSQL Server 11 and 12 are not the most recent versions (released in 2012 and 2014, respectively), they are the most commonly used ones according to Censys's data,” the researchers said.