Deadly Malware Hooking On To MSSQL Server, Disabling Logging Functions


Winnti Group: Microsoft SQL servers have recently come under threat from a previously undocumented backdoor that lets a remote attacker control a compromised system. The backdoor, called skip-2.0, is a post-exploitation tool (it is installed on a host the attacker already controls) that lets an attacker connect to any account on servers running MSSQL versions 11 and 12 (SQL Server 2012 and 2014) by using what security researchers call a "magic password".

The malware runs in memory and gives remote attackers the ability to connect to any MSSQL server account. It also takes control of the server's logging, event-publishing and audit functions, disabling them whenever the "magic password" is used, so that activity performed through the backdoor leaves no trace and is effectively undetectable from inside the server.
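The following is an added illustration of the mechanism described above, not code from the malware, from ESET or from Microsoft. A small `Server` class stands in for the MSSQL login path; `install_skip20_style_hook` replaces its password check and audit functions in place, the way the backdoor patches functions in the SQL Server process, so that the magic password is accepted for any existing account and the audit hooks stay silent for that login. `find_unaudited_sessions` then shows the out-of-band check a defender is left with: reconciling sessions observed from outside the process against what the (no longer trustworthy) in-process audit log recorded. The magic password, account names and sample logins are all constructed for the example.

```python
"""Model of how skip-2.0 hooks MSSQL's login and audit routines in memory.

Added illustration for this article: it is not the malware's code and not
Microsoft's. The Server class stands in for the MSSQL login path; installing
the hook replaces its functions in place, the way the backdoor patches the
real ones inside the SQL Server process. The magic password, account names
and the sample logins are all constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed placeholder: the real backdoor's password is not on the page.
MAGIC_PASSWORD = "constructed-magic-password"


@dataclass
class Server:
    """Stand-in for the MSSQL login path and its audit hooks."""
    accounts: dict                                   # login -> password
    audit_log: list = field(default_factory=list)    # what in-process audit records
    sessions: list = field(default_factory=list)     # (session_id, login) actually opened

    # --- stand-ins for the routines the backdoor hooks ---
    def validate_pwd(self, login, password):
        return self.accounts.get(login) == password

    def report_login_success(self, session_id, login):
        self.audit_log.append(f"LOGIN_OK {session_id} {login}")

    def publish_event(self, text):
        self.audit_log.append(f"EVENT {text}")

    # --- the login path that calls them ---
    def login(self, login, password):
        if not self.validate_pwd(login, password):
            self.publish_event(f"login failed for {login}")
            return None
        session_id = len(self.sessions) + 1
        self.sessions.append((session_id, login))
        self.report_login_success(session_id, login)
        self.publish_event(f"session {session_id} opened for {login}")
        return session_id


def install_skip20_style_hook(server):
    """Overwrite the server's functions with hooks, mimicking in-memory patching.

    The password check sets a flag when the magic password is seen; the audit
    hooks consult that flag and stay silent while it is set. Normal logins go
    through the original code and are audited as before.
    """
    orig_validate = server.validate_pwd
    orig_report = server.report_login_success
    orig_publish = server.publish_event
    state = {"magic": False}   # modelled as a shared flag between the hooks

    def hooked_validate(login, password):
        if password == MAGIC_PASSWORD and login in server.accounts:
            state["magic"] = True
            return True                        # any existing account accepted
        state["magic"] = False
        return orig_validate(login, password)

    def hooked_report(session_id, login):
        if not state["magic"]:
            orig_report(session_id, login)

    def hooked_publish(text):
        if not state["magic"]:
            orig_publish(text)

    # Instance attributes shadow the class methods: the "patch" is in effect.
    server.validate_pwd = hooked_validate
    server.report_login_success = hooked_report
    server.publish_event = hooked_publish


def find_unaudited_sessions(sessions, audit_log):
    """Out-of-band check: every open session should have a LOGIN_OK record.

    Sessions opened with the magic password have none, because the hooked
    audit functions swallowed them. On a real server the session list must
    come from outside the SQL Server process (network connection logs,
    Windows logon events), since nothing the hooked process reports about
    itself can be trusted.
    """
    audited = set()
    for line in audit_log:
        if line.startswith("LOGIN_OK "):
            audited.add(int(line.split()[1]))
    return [(sid, login) for sid, login in sessions if sid not in audited]


def demo():
    server = Server(accounts={"sa": "S3cretP@ss", "app_user": "AppP@ss1"})
    install_skip20_style_hook(server)
    server.login("sa", "S3cretP@ss")            # real password: audited as before
    server.login("app_user", MAGIC_PASSWORD)    # backdoor login: no audit trail
    server.login("sa", "guess")                 # wrong password: failure still logged
    return find_unaudited_sessions(server.sessions, server.audit_log)


if __name__ == "__main__":
    print(demo())    # [(2, 'app_user')]
```

The point of the reconciliation step is that once a hook of this kind is in place, every signal produced by the SQL Server process about its own logins is suspect; the only reliable evidence is what the host and the network recorded independently.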


Once connected, an attacker can copy, change or delete the contents of a database; what that is worth depends on the application. Researchers claim such access could be used to manipulate in-game currencies for profit, and tampering with in-game currency databases has already been reported.

The malware has been attributed to the Winnti group, a Chinese state-sponsored threat actor, and shares many similarities with other Winnti group tools. As reported by ESET, the Winnti tool PortReuse hooks into a process that is already listening on a TCP port, reusing the open port and lying dormant until it receives an incoming "magic packet".


The Winnti group's activity was first noticed during the supply-chain attack against software maker NetSarang in July 2017, which delivered ShadowPad, another Winnti group tool that gives remote control of a server.

Source: The Hacker News
