ESET: New malware implants backdoors into Microsoft SQL Server

ESET researchers have recently discovered new malware written by the Winnti Group hacking organization, which is used to lurk on Microsoft SQL Server (MSSQL) systems. With the new malicious tool, called skip-2.0, attackers can embed a backdoor into MSSQL Server 11 and 12 that lets them connect to any account on the server using a so-called “magic password” while hiding that activity from the security logs.


Researcher Mathieu Tartare said: “This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password – while automatically hiding these connections from the logs. Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain.”

Winnti Group has been active since at least 2012 and is responsible for high-profile supply-chain attacks against the video game and software industries. Kaspersky found the group’s Winnti Trojan on a large number of infected gaming systems; the Trojan was spread through a game’s official update server. After analyzing the new backdoor, ESET researchers also found that skip-2.0 shares features with other Winnti Group malware, especially the PortReuse and ShadowPad backdoors.

Once implanted on the MSSQL server, skip-2.0 injects its malicious code into the sqlservr.exe process and hooks functions in sqllang.dll that handle authentication and login logging. This lets the malware bypass the server’s built-in authentication mechanism, so a login is accepted even when the password supplied for the attacker’s chosen account does not match.
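The hooking described above leaves a detectable trace: a function in sqllang.dll whose first bytes in sqlservr.exe’s memory no longer match the copy on disk, typically because they were overwritten with a jump into injected code. The following is an added defender-side example, not ESET’s or the malware’s code, showing the comparison and jump-decoding logic on constructed module images; the function RVAs, addresses and byte patterns are hypothetical, and no real process is read.

```python
"""
Added defender-side example, not ESET's or Winnti's code: compare the prologue of
selected sqllang.dll functions as loaded in sqlservr.exe with the same bytes in the
on-disk sqllang.dll. skip-2.0 hooks authentication and login-reporting functions
in memory, so a hooked function's first bytes diverge from the file on disk and
usually start with a jump into injected code. Module images, RVAs and byte patterns
below are constructed for illustration; no real process is read.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

PROLOGUE_LEN = 16   # bytes compared per function; x64 inline hooks are 5 to 14 bytes long


@dataclass
class HookReport:
    function: str
    hooked: bool
    first_diff_offset: Optional[int]   # offset of the first differing byte, if any
    jump_target: Optional[int]         # decoded destination of the patch, if it is a jump


def decode_jump_target(code: bytes, rva: int) -> Optional[int]:
    """Decode the destination of the common x64 trampoline patches found at `rva`.

    E9 rel32                      jmp rel32                (5 bytes)
    FF 25 00 00 00 00 + qword     jmp [rip+0]; dq target   (14 bytes)
    48 B8 imm64 / FF E0           mov rax, imm64; jmp rax  (12 bytes)
    Returns None when the bytes are not one of these forms.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return rva + 5 + rel                     # rel32 is relative to the next instruction
    if len(code) >= 14 and code[:6] == b"\xFF\x25\x00\x00\x00\x00":
        return struct.unpack_from("<Q", code, 6)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return struct.unpack_from("<Q", code, 2)[0]
    return None


def check_function(name: str, rva: int, disk_image: bytes, mem_image: bytes) -> HookReport:
    """Compare one function's prologue in the on-disk image and the in-memory image.

    Both images are assumed to be mapped identically (same base, relocations applied),
    so a byte difference inside the prologue is a code modification, not a relocation.
    """
    disk = disk_image[rva:rva + PROLOGUE_LEN]
    mem = mem_image[rva:rva + PROLOGUE_LEN]
    if disk == mem:
        return HookReport(name, False, None, None)
    first = next(i for i, (a, b) in enumerate(zip(disk, mem)) if a != b)
    return HookReport(name, True, first, decode_jump_target(mem, rva))


def scan(functions: Dict[str, int], disk_image: bytes, mem_image: bytes) -> List[HookReport]:
    """Check every (name -> RVA) entry and return one report per function."""
    return [check_function(n, rva, disk_image, mem_image) for n, rva in functions.items()]


def build_sample():
    """Construct a tiny module image and a hooked in-memory copy of it (illustration only)."""
    # A typical MSVC x64 prologue: mov [rsp+8],rbx ; mov [rsp+10h],rsi ; push rdi ; sub rsp,20h
    prologue = bytes.fromhex("48895C24084889742410574883EC2048")
    functions = {                       # hypothetical RVAs, not sqllang.dll's real ones
        "CSECAuthenticate::AuthenticateLoginIdentity": 0x1000,
        "ReportLoginSuccess": 0x1100,
        "IssueLoginSuccessReport": 0x1200,
    }
    disk = bytearray(0x2000)
    for rva in functions.values():
        disk[rva:rva + len(prologue)] = prologue
    mem = bytearray(disk)
    # Hook 1: jmp rel32 to a trampoline at RVA 0x1800 (inside an injected region).
    mem[0x1000:0x1005] = b"\xE9" + struct.pack("<i", 0x1800 - (0x1000 + 5))
    # Hook 2: mov rax, imm64 ; jmp rax to a constructed absolute address.
    mem[0x1200:0x120C] = b"\x48\xB8" + struct.pack("<Q", 0x7FF600001234) + b"\xFF\xE0"
    return functions, bytes(disk), bytes(mem)


if __name__ == "__main__":
    funcs, disk_img, mem_img = build_sample()
    for r in scan(funcs, disk_img, mem_img):
        tgt = f"0x{r.jump_target:X}" if r.jump_target is not None else "n/a"
        print(f"{r.function:<48} hooked={r.hooked!s:<5} first_diff={r.first_diff_offset} target={tgt}")
```

On a live host the two images would come from reading sqllang.dll out of sqlservr.exe’s address space and mapping the on-disk file at the same base, with the RVAs resolved from the DLL’s symbols. Endpoint security products also place legitimate inline hooks, so results need to be matched against a known-good list; a jump whose target lies outside every loaded module, as with injected code, is the stronger signal.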

The researchers wrote:

“CSECAuthenticate::AuthenticateLoginIdentity will be called from within its hook code but the hook will always return 0. The ReportLoginSuccess and IssueLoginSuccessReport hooks will not call the original functions if the magic password was used to log in. The same behavior is applied to FEExecuteLogonTriggers.”

“skip-2.0 against multiple MSSQL Server versions and found that we were able to log in successfully using the special password with MSSQL Server 11 and 12.”
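Because the ReportLoginSuccess and IssueLoginSuccessReport hooks skip the original functions for magic-password logins, a session opened that way appears on the network but not in SQL Server’s own login records. A cross-check that does not depend on the compromised logging path is to correlate connections to the SQL Server port with the login messages in the ERRORLOG. The following is an added defender-side example, not ESET’s code; the ERRORLOG excerpt and the connection records are constructed sample data, and the ten-second correlation window is an assumption.

```python
"""
Added defender-side example, not ESET's code: cross-check network connections to the
SQL Server port against the login messages SQL Server writes to its ERRORLOG.
skip-2.0 suppresses the login-success report for sessions opened with the magic
password, so such a session shows up as a TCP connection to 1433 with no matching
"Login succeeded"/"Login failed" message. Both inputs below are constructed sample data;
ERRORLOG lines follow the format SQL Server uses when login auditing is enabled.
"""
import re
from datetime import datetime, timedelta
from typing import List, Tuple

SQL_PORT = 1433

# Constructed ERRORLOG excerpt (login auditing set to log both failed and successful logins).
ERRORLOG = """\
2019-10-21 10:15:02.43 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
2019-10-21 10:17:45.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2019-10-21 10:20:11.02 Logon       Login succeeded for user 'CORP\\svc_reports'. Connection made using Windows authentication. [CLIENT: 10.0.0.12]
"""

# Constructed connection records from a firewall or flow sensor: time,src_ip,dst_port
CONNECTIONS = """\
2019-10-21T10:15:01,10.0.0.5,1433
2019-10-21T10:15:30,10.0.0.9,1433
2019-10-21T10:16:00,10.0.0.5,445
2019-10-21T10:17:44,10.0.0.7,1433
2019-10-21T10:20:10,10.0.0.12,1433
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[\d.]+)\]"
)


def parse_logins(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, client_ip) for every login message in the ERRORLOG."""
    out = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            out.append((ts, m["result"], m["user"], m["ip"]))
    return out


def parse_connections(text: str) -> List[Tuple[datetime, str, int]]:
    """Return (timestamp, src_ip, dst_port) for each connection record."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port = line.split(",")
        out.append((datetime.fromisoformat(ts), ip, int(port)))
    return out


def unlogged_connections(conns, logins, window=timedelta(seconds=10)):
    """Flag SQL-port connections with no login message from the same client inside `window`.

    A connection is considered accounted for when either a succeeded or a failed login
    from the same client IP is logged between the connection time and time + window.
    """
    flagged = []
    for ts, ip, port in conns:
        if port != SQL_PORT:
            continue
        accounted = any(l_ip == ip and ts <= l_ts <= ts + window for l_ts, _, _, l_ip in logins)
        if not accounted:
            flagged.append((ts, ip))
    return flagged


def run_demo():
    """Run the correlation over the constructed sample data and return the flagged connections."""
    return unlogged_connections(parse_connections(CONNECTIONS), parse_logins(ERRORLOG))


if __name__ == "__main__":
    for ts, ip in run_demo():
        print(f"{ts.isoformat()} connection from {ip} to tcp/{SQL_PORT} has no login record")
```

The check only works when the instance’s login auditing is set to record both failed and successful logins, since by default SQL Server logs failures only. Treat the output as a hunting lead rather than an alert: port scanners, health probes and connections dropped during the pre-login handshake also produce SQL-port connections with no login message.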