Researchers at ESET have discovered new malware, attributed to the Chinese-backed Winnti Group, that is being used to gain persistence on Microsoft SQL Server (MSSQL) systems.
The new malicious code, named skip-2.0, lets the attackers backdoor MSSQL Server 11 and 12 (SQL Server 2012 and 2014) installations, giving them access to any account on the server through a so-called “magic password” while hiding their activity from the security logs.
“This backdoor allows the attacker not only to gain persistence in the victim’s MSSQL Server through the use of a special password but also to remain undetected thanks to the multiple log and event publishing mechanisms that are disabled when that password is used,” says ESET researcher Mathieu Tartare.
How MSSQL Server 11 and 12 come under attack
Once dropped on an already compromised MSSQL server, the skip-2.0 backdoor injects its malicious code into the sqlserv.exe process and hooks multiple functions in sqllang.dll that are used for logging and authentication.
Those hooks let the malware bypass the server’s built-in password check, so its operators can log in even though the password they enter does not match the account’s.
“This function’s hook checks whether the password provided by the user matches the magic password, in that case, the original function will not be called and the hook will return 0, allowing the connection even though the correct password was not provided,” says ESET.
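The practical consequence of the hooks described above is that the server’s own logon trail can no longer be trusted on its own: when the magic password is used, the original check is skipped and the log and event publishing is disabled. An independent record that the backdoor cannot touch, such as a network sensor’s view of TDS sessions to the server, can still be compared against it. The following Python is an added example written for this page, not ESET’s or the malware’s code: it cross-checks constructed SQL Server error-log Logon entries against a hypothetical flow-sensor CSV and flags every session to port 1433 for which the server wrote no Logon entry. The log formats, IP addresses, user names, file contents and the 30-second matching window are assumptions.

```python
"""Cross-check SQL Server's own logon entries against an independent
network record of sessions to the SQL port.  skip-2.0 suppresses
logging inside the server process when its magic password is used,
so a session the network saw but the server never logged is the
signal to hunt for.

Added example, not ESET's or the malware's code.  Both inputs are
constructed: the error-log lines mimic SQL Server's Logon entries,
the flow records are a hypothetical CSV export from a network sensor.
"""
from datetime import datetime, timedelta
import re

# Constructed SQL Server error-log excerpt.  Successful logins only
# appear here when "Login auditing" is set to both failed and
# successful logins; the default records failed logins only.
ERRORLOG = """\
2019-10-21 10:15:32.12 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
2019-10-21 10:16:01.48 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2019-10-21 10:20:14.90 Logon       Login succeeded for user 'app_svc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.9]
"""

# Constructed flow records (hypothetical sensor format):
# timestamp,src_ip,dst_ip,dst_port
FLOWS = """\
2019-10-21 10:15:31,10.0.0.5,10.0.0.20,1433
2019-10-21 10:16:00,10.0.0.7,10.0.0.20,1433
2019-10-21 10:18:45,10.0.0.42,10.0.0.20,1433
2019-10-21 10:20:14,10.0.0.9,10.0.0.20,1433
2019-10-21 10:21:03,10.0.0.42,10.0.0.20,443
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login (?P<outcome>succeeded|failed) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[\d.]+)\]"
)


def parse_errorlog(text):
    """Return (timestamp, client_ip, user, outcome) for each Logon entry."""
    entries = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            entries.append((ts, m["client"], m["user"], m["outcome"]))
    return entries


def parse_flows(text, sql_port=1433):
    """Return (timestamp, src_ip) for each flow to the SQL Server port."""
    flows = []
    for line in text.splitlines():
        ts, src, _dst, port = line.split(",")
        if int(port) == sql_port:
            flows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src))
    return flows


def unlogged_sessions(flows, logons, window=timedelta(seconds=30)):
    """Flows to the SQL port that have no Logon entry from the same
    client within `window`.  Each log entry is consumed at most once,
    so two sessions from one client cannot both claim a single line."""
    unused = list(logons)
    suspicious = []
    for f_ts, src in flows:
        match = next((e for e in unused
                      if e[1] == src and abs(e[0] - f_ts) <= window), None)
        if match is None:
            suspicious.append((f_ts, src))
        else:
            unused.remove(match)
    return suspicious


if __name__ == "__main__":
    for ts, src in unlogged_sessions(parse_flows(FLOWS),
                                     parse_errorlog(ERRORLOG)):
        print(f"{ts} session from {src} to 1433 with no Logon entry")
```

On the constructed data the only unmatched session is the one from 10.0.0.42 at 10:18:45, which is exactly the shape a magic-password login would leave: a connection the network saw and the server stayed silent about. Two caveats apply in practice. The flow records must come from a sensor outside the suspected host, since anything on the host could be subverted the same way the server’s logging was; and the check is only meaningful once SQL Server is configured to audit successful logins as well as failed ones, otherwise every legitimate session is flagged.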