Winnti (China): According to research at ESET, a new malware called Skip 2.0 has been linked to the Winnti group, also known as APT41. The malware creates a backdoor that lets threat actors connect to any account using a “magic password.” The backdoor only works with Microsoft SQL Server (MSSQL) versions 11 and 12. The malware alters the MSSQL installation and is deployed as a post-infection tool after the network has already been compromised through other means. The backdoor modifies the functions on MSSQL servers that handle authentication so that they accept the “magic password.” If successful, the password can then be entered in any user authentication session and the user is automatically granted access. Once access is granted, the malware suppresses the normal logging and audit functions, essentially creating a ghost session for that user. By keeping the session out of the database connection logs, the “magic password” helps the threat actor remain undetected even if administrators suspect wrongdoing. Because this backdoor is stealthy, it could allow the actors to copy, steal, or modify the database contents. Winnti has been known in the past for targeting gaming companies; in this instance, in-game currency database manipulation could take place, leading to financial gain for the Winnti group. Skip 2.0 has links to other tools previously used by Winnti, such as the PortReuse and ShadowPad backdoors. Administrative privileges are needed to install Skip 2.0; therefore, the Microsoft SQL Servers must be compromised before this backdoor can be used.
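The detection opportunity the paragraph points at is the gap the backdoor creates: a magic-password login produces an established session but no audit record, so logs that the MSSQL process does not control (a network sensor or host firewall) can be correlated against SQL Server's own login audit to surface "ghost sessions." The following is an added example written for this digest, not code from the article or from ESET's research; the log formats, the 1433 port, the five-second matching window and all log lines are constructed assumptions for illustration.

```python
"""Flag established MSSQL sessions that have no matching audit login event.

Added example (not from the article or ESET). All log lines below are
constructed; real deployments would read sensor and audit exports instead.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed network-sensor records of established TCP sessions to the MSSQL port.
# These come from outside the SQL Server process, so the backdoor cannot suppress them.
NET_LOG = """\
2019-10-21T10:00:01Z src=10.0.0.5 dst=10.0.0.20 dport=1433 state=established
2019-10-21T10:05:30Z src=10.0.0.9 dst=10.0.0.20 dport=1433 state=established
2019-10-21T10:07:12Z src=10.0.0.77 dst=10.0.0.20 dport=1433 state=established
2019-10-21T10:09:00Z src=10.0.0.5 dst=10.0.0.20 dport=1433 state=established
"""

# Constructed SQL Server audit login events. The session from 10.0.0.77 has no
# entry here, which is exactly what a suppressed-audit "ghost session" looks like.
AUDIT_LOG = """\
2019-10-21T10:00:02Z action=LOGIN login=app_svc client=10.0.0.5 result=success
2019-10-21T10:05:31Z action=LOGIN login=report_ro client=10.0.0.9 result=success
2019-10-21T10:09:01Z action=LOGIN login=app_svc client=10.0.0.5 result=success
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(log: str) -> list[dict]:
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_ghost_sessions(net_log: str, audit_log: str, window_seconds: int = 5) -> list[dict]:
    """Return established MSSQL sessions with no audit LOGIN from the same client
    within window_seconds after the session was established."""
    audits = [a for a in parse(audit_log) if a.get("action") == "LOGIN"]
    window = timedelta(seconds=window_seconds)
    ghosts = []
    for conn in parse(net_log):
        if conn.get("dport") != "1433" or conn.get("state") != "established":
            continue
        matched = any(
            a.get("client") == conn["src"] and conn["ts"] <= a["ts"] <= conn["ts"] + window
            for a in audits
        )
        if not matched:
            ghosts.append(conn)
    return ghosts


if __name__ == "__main__":
    for g in find_ghost_sessions(NET_LOG, AUDIT_LOG):
        print(f"{g['ts'].isoformat()}Z  {g['src']} -> {g['dst']}:{g['dport']}  no audit login record")
```

Treat a hit as a triage lead rather than a verdict: sessions that drop before authentication completes, or clients probing the port, also leave no login record, so the sensor should be configured to record only sessions that exchanged application data, and the window should be tuned to the observed latency between TCP establishment and the audit event.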
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased