New Winnti Backdoor Targets Microsoft SQL

A recently identified backdoor used by the China-linked Winnti hackers and which targets Microsoft SQL (MSSQL) is very stealthy, ESET’s security researchers say.


Active since at least 2009, the group has been observed targeting industries such as aviation, gaming, pharmaceuticals, technology, telecommunication, and software development, for cyber-espionage purposes.


The newly detailed malware, ESET says, allows the attackers to maintain a very discreet foothold within a compromised environment, and features many similarities with PortReuse, a backdoor that ESET exposed last week.


Designed to target MSSQL Server 11 and 12 — the most commonly used versions, despite having been released over five years ago — the backdoor is called skip-2.0 by its authors. It lets an attacker authenticate to any MSSQL account by supplying a "magic" password, and it hides those connections from the server's logs.


“Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain,” the security researchers explain.


skip-2.0 was linked to the Winnti Group through the use of the same VMProtected launcher that drops the PortReuse backdoor and the use of the hackers’ custom packer, as well as through various similarities with other samples from the adversary’s toolset.


The security researchers believe that the launcher persists by exploiting a DLL hijacking vulnerability in which the malicious library is loaded by the standard SessionEnv service at startup, the same technique used by PortReuse and by ShadowPad, another piece of malware associated with the Winnti cyber-spies.


Inner-Loader, an injector already associated with the Winnti Gro ..