Winnti Group: Microsoft SQL servers have recently come under threat from a previously undocumented backdoor that allows a compromised system to be controlled by a remote attacker. The backdoor, called skip-2.0, is a post-exploitation tool that gives an attacker access to servers running MSSQL version 11 and 12 by means of what security researchers call a “magic password”.
The malware runs in memory and lets a remote attacker connect to any MSSQL server account. Beyond that, it takes control of the MSSQL server by disabling logging, event publishing and audit mechanisms every time the “magic password” is used, so the activity carried out during such a session leaves no trace and goes undetected.
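Because the backdoor silences the server's own logging for magic-password sessions, the audit trail on the SQL Server cannot be trusted on its own. One defensive approach is to correlate connections seen by an independent source (a firewall or network sensor watching the SQL Server port) against the server's audit export and flag any client session the wire saw but the server never recorded. The following is an added example, not code from the article or from ESET; the log formats, field names and sample lines are constructed for this illustration.

```python
"""
Constructed example: find SQL Server client sessions that an out-of-band
network source observed but that produced no LOGIN_SUCCEEDED audit record.
A backdoor that suppresses logging for its own session shows up as exactly
this kind of gap. The line formats below are assumptions for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data: a flow/firewall log and a SQL Server audit export.
NETWORK_LOG = """\
2019-10-21T10:00:01Z allow tcp 10.0.0.5:51234 -> 10.0.1.20:1433
2019-10-21T10:03:15Z allow tcp 10.0.0.7:40211 -> 10.0.1.20:1433
2019-10-21T10:05:40Z allow tcp 203.0.113.9:60001 -> 10.0.1.20:1433
"""

AUDIT_LOG = """\
2019-10-21T10:00:02Z LOGIN_SUCCEEDED sa 10.0.0.5
2019-10-21T10:03:16Z LOGIN_SUCCEEDED app_user 10.0.0.7
"""

# Assumed line layouts (constructed for this example, not a vendor format).
NET_RE = re.compile(
    r"^(?P<ts>\S+) allow tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):1433$"
)
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN_SUCCEEDED (?P<login>\S+) (?P<src>[\d.]+)$"
)


@dataclass
class Session:
    ts: datetime
    src: str
    dst: str


@dataclass
class AuditEvent:
    ts: datetime
    login: str
    src: str


def _parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_network_log(text: str) -> list[Session]:
    """Extract client sessions to the SQL Server port from the flow log."""
    sessions = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            sessions.append(Session(_parse_ts(m["ts"]), m["src"], m["dst"]))
    return sessions


def parse_audit_log(text: str) -> list[AuditEvent]:
    """Extract successful-login records from the server's audit export."""
    events = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line.strip())
        if m:
            events.append(AuditEvent(_parse_ts(m["ts"]), m["login"], m["src"]))
    return events


def find_unaudited_sessions(network_text: str, audit_text: str,
                            window_seconds: int = 10) -> list[Session]:
    """
    Return the sessions that have no audit record from the same client
    address within `window_seconds`. Each audit record is consumed at most
    once so that one logged login cannot explain several connections.
    """
    audits = parse_audit_log(audit_text)
    window = timedelta(seconds=window_seconds)
    used: set[int] = set()
    unmatched = []
    for session in parse_network_log(network_text):
        hit = None
        for i, event in enumerate(audits):
            if i in used or event.src != session.src:
                continue
            if abs(event.ts - session.ts) <= window:
                hit = i
                break
        if hit is None:
            unmatched.append(session)
        else:
            used.add(hit)
    return unmatched


if __name__ == "__main__":
    for s in find_unaudited_sessions(NETWORK_LOG, AUDIT_LOG):
        print(f"{s.ts.isoformat()} session from {s.src} to {s.dst} has no audit record")
```

The sample data deliberately includes one connection from 203.0.113.9 with no matching login record; that is the session a suppressed-logging backdoor would produce. In practice the network-side source must be collected and stored somewhere the compromised server cannot alter, otherwise the correlation proves nothing.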
These capabilities would allow an attacker to copy, change or delete the content of a specific database; what that means in practice varies from one application to another. Researchers have suggested that such access could be used to alter in-game currencies for monetary profit, and changes to in-game currency databases have already been reported.
The malware is attributed to the Chinese state-sponsored threat actor known as the Winnti Group and shares many similarities with other Winnti Group tools. As reported by ESET, the group's PortReuse tool hooks into a process that is already listening on a TCP port, reusing the open port rather than opening a new one; the malicious code then waits for an incoming magic packet before taking action.
The malware was first noticed during the supply-chain attack against software maker NetSarang in July 2017. Another Winnti Group tool, ShadowPad, gives the attacker remote control of a server.
Source: The Hacker News