Threat Management, Malware

Skip-2.0 backdoor malware provides ‘magic password’ to access MSSQL accounts

Researchers today revealed their discovery of what they believe to be the first publicly documented case of a backdoor targeting Microsoft SQL Server (MSSQL) databases – attributing the malware to the threat actor Winnti Group.

Dubbed "skip-2.0," the malware is installed in memory and provides attackers with a "magic password" that allows them to connect to any MSSQL account running MSSQL Server version 11 or 12. Moreover, it hides evidence of its existence by essentially disabling the compromised machine's logging, event publishing and audit capabilities.

Armed with such abilities, the attackers can then copy, modify or delete a database's content, warns ESET in an Oct. 21 company blog post detailing the threat. However, skip-2.0 is a post-exploitation tool, meaning that MSSQL servers must already be compromised for the attackers to have the admin privileges necessary to achieve persistence.

ESET has linked the threat to the Winnti Group. Also known as APT 41, Axiom and Blackfly, the reputed Chinese APT actor has historically been tied to a number of prominent supply chain attacks that replace companies' legitimate software with weaponized versions in order to infect the machines that install them.

Winnti's members have often targeted game developers and their users, inserting backdoors into various games' build environments. ESET believes one potential use of skip-2.0 is to manipulate the databases of in-game currencies for their own financial gain – something Winnti has been known to try before.

ESET has tied skip-2.0 to other Winnti Group malware programs, finding similarities in the tools it uses to launch and execute, including the threat actor's "VMProtected" launcher, its custom packer and its "Inner-Loader" injector. The backdoor also uses the same hooking procedure as seen in past Winnti malware operations.

"The skip-2.0 backdoor is an interesting addition to the Winnti Group’s arsenal, sharing a great deal of similarities with the group's already known toolset, and allowing the attacker to achieve persistence on an MSSQL Server," explains Mathieu Tartare, ESET researcher in the blog post he authored.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.