New malware backdoor implanted in Microsoft SQL Server

ESET researchers recently discovered new malware written by the Winnti Group hackers; the malicious software is used to gain a foothold in Microsoft SQL Server (MSSQL) systems.

Attackers can use the new malicious tool, called skip-2.0, to backdoor MSSQL Server 11 and 12 servers, so that they can connect to any account on the server using a so-called "magic password" and hide their activity so that it does not appear in the security logs.

ESET researcher Mathieu Tartare said: "This backdoor allows the attacker not only to persist stealthily on a victim's MSSQL Server by using a special password, but also to remain undetected, because multiple logging and event publishing mechanisms are disabled when that password is used."

Winnti Group's growing arsenal

Winnti Group is an umbrella term for the hacker organization tracked by Symantec as Blackfly and Suckfly, by CrowdStrike as Wicked Panda, by Microsoft as BARIUM and by FireEye as APT41, because these hackers have shared the same set of malicious tools since 2011.

Kaspersky found this group's Winnti Trojan on a large number of infected gaming systems; the Trojan was spread through the official update server of a game.

After analyzing the new backdoor, ESET's researchers also found that skip-2.0 shares certain characteristics with other Winnti Group malware, "especially the PortReuse backdoor and the ShadowPad backdoor."

Winnti Group's methods of attack and TTP (ESET)

The Winnti hackers had previously attacked the servers of a leading mobile software and hardware manufacturer in Asia, using the modular Windows backdoor PortReuse in that attack.

PortReuse is "a network implant that injects itself into a process already listening on a network port and waits for inbound packets carrying a hidden trigger to activate the malicious code."

ShadowPad is another Winnti backdoor used by the group. It was used in a 2017 supply-chain attack that affected the South Korean network connectivity solutions maker NetSarang, when the group succeeded in backdooring the company's server management software.

All three backdoors use the same VMProtect-ed launcher and the group's own custom malware packer, and, most importantly, share many other similarities with several other tools linked to the threat group's past campaigns.

MSSQL Server 11 and 12 are affected

Once implanted on an already compromised MSSQL server, the skip-2.0 backdoor proceeds to inject its malicious code into the sqlserv.exe process via sqllang.dll, using hooks to attach itself to several functions that are used to log authentication.

This lets the malware bypass the server's built-in authentication mechanism, so that attackers are allowed to log in even when the password they enter does not match the account.

ESET said: "The hook for this function checks whether the password supplied by the user matches the magic password; in that case, the original function is not called and the hook returns 0, allowing the connection even though the correct password was not supplied."

Tartare added: "We tested skip-2.0 against multiple MSSQL Server versions and found that only MSSQL Server 11 and 12 allowed a successful login with the special password."
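Because the backdoor's defining trait is a login that succeeds without the normal login record being written, one defender-side check is to correlate the server's live sessions against its login audit trail and flag any session that has no matching successful-login entry. The script below is an added illustration, not code from ESET or the article; the session list and login records are constructed sample data, and in a real deployment they would be pulled from sys.dm_exec_sessions and from the SQL Server error log or a server audit.

```python
"""Correlate live MSSQL sessions against the login audit trail.

skip-2.0 lets a 'magic password' login succeed while the usual login
logging is suppressed, so a session that exists on the server but has
no matching successful-login record deserves a closer look.
All data here is constructed sample input (hypothetical names/times).
"""
from datetime import datetime, timedelta

# Constructed snapshot of live sessions: (session_id, login_name, login_time)
SESSIONS = [
    (51, "app_svc", datetime(2019, 10, 21, 9, 0, 5)),
    (52, "sa",      datetime(2019, 10, 21, 9, 3, 40)),
    (53, "backup",  datetime(2019, 10, 21, 9, 5, 0)),
]

# Constructed login records as the logging mechanism would have written them:
# (login_name, timestamp, outcome)
LOGIN_EVENTS = [
    ("app_svc", datetime(2019, 10, 21, 9, 0, 5), "success"),
    ("backup",  datetime(2019, 10, 21, 9, 4, 59), "success"),
    ("sa",      datetime(2019, 10, 21, 8, 50, 0), "failed"),
]


def unlogged_sessions(sessions, events, tolerance_s=2):
    """Return the sessions that have no successful login event for the
    same login name within tolerance_s seconds of their login_time.
    An empty list means every live session is accounted for in the log."""
    tol = timedelta(seconds=tolerance_s)
    successes = [(name, ts) for name, ts, outcome in events if outcome == "success"]
    suspicious = []
    for sid, name, login_time in sessions:
        matched = any(n == name and abs(ts - login_time) <= tol
                      for n, ts in successes)
        if not matched:
            suspicious.append((sid, name, login_time))
    return suspicious


if __name__ == "__main__":
    for sid, name, when in unlogged_sessions(SESSIONS, LOGIN_EVENTS):
        print(f"session {sid} ({name}) started at {when} with no login record")
```

In the constructed data only the `sa` session lacks a success record (its only event is an earlier failure), which is the pattern a magic-password login would leave behind.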

Skip-2.0 injection (ESET)

According to data that ESET's researchers obtained from Censys, although MSSQL Server 11 and 12 are not the most recent releases (they were released in 2012 and 2014 respectively), they are the most common versions.

ESET's research team concluded: "The skip-2.0 backdoor is a noteworthy addition to the Winnti Group's arsenal; it shares many similarities with the group's known, notorious toolset and allows attackers to persist on MSSQL Servers."

"Considering that installing the hooks requires administrator privileges, skip-2.0 must be used on already compromised MSSQL Servers in order to persist and remain undetected."

Source: 云头条

Origin: www.oschina.net/news/110803/skip-2-0-hack-mssql-server