Chinese hackers could install backdoors on Microsoft SQL 11 and 12 servers using a “magic word”

The activities of government-sponsored hacker groups can have disastrous consequences. A group of digital forensics experts from ESET has revealed the existence of a new malware developed by Winnti, a hacking group backed by the Chinese government, with the purpose of gaining persistence in a targeted Microsoft SQL Server system.

Identified as skip-2.0, this malware is capable of blocking Microsoft SQL (MSSQL) Server versions 11 and 12; subsequently, hackers connect to any account on the server using a “magic word”, hiding their activity from any security log.

Mathieu Tartare, ESET’s digital forensics expert, mentioned: “This backdoor allows threat actors to gain persistence on the victim’s server, in addition to bypassing detection, as many of the mechanisms of activity logging in the system are disabled using this special password”.

In fact, Winnti is a generic name that the cybersecurity community uses to refer to at least five different groups of Chinese-sponsored hackers. These threat actors have been using a similar set of tools for at least eight years, when a group of experts from Kaspersky Lab detected a Trojan identified as Winnti present on some online video game servers.

ESET’s digital forensics experts also mentioned that the skip-2.0 malware bears some similarities to PortReuse and ShadowPad, two backdoors previously used by Winnti. In previous cyberattack campaigns, these backdoors were used to infect the servers of a major mobile software and hardware manufacturer.

Skip-2.0 attack process

When the malicious payload is dropped to the compromised MSSQL server, the backdoor begins injecting the malicious code into the sqlserv.exe process using sqllang.dll, which involves some functions used to register an authentication. In this way, the malware bypasses the MSSQL server authentication mechanism, allowing threat actors to login, regardless of whether the password for the entered account is not correct.

“The hook in this function is responsible for checking if the password provided by the user matches the hacker’s “magic word”; in that case, the original function will not be called and the hook will return a value of ‘0’, allowing the connection without using the actual password,” the experts added.

ESET experts tested the attack on various versions of the server, finding that it only works successfully on versions 11 and 12. According to digital forensics specialists from the International Institute of Cyber Security (IICS), although these MSSQL server versions were released almost 6 years ago, their use remains very common, so a large number of sysadmins could be exposed to infection.

In conclusion, the ESET report believes that due to its features and the benefits it provides, Winnti hackers could start large-scale infection campaigns using this malware. The only negative aspect to this new attack is that administrator privileges are required to get it concrete, so hackers still need to devise a first stage of attack before using skip-2.0 malware.