Home Technology Detect Blacklink Microsoft SQL Server malware

Detect Blacklink Microsoft SQL Server malware

by Thạch Phạm

Cybersecurity researchers recently announced the discovery of an undocumented backdoor specifically designed for Microsoft SQL servers that could allow remote attacks to take control of an already compromised system stealthy way called Skip-2.0.

Blacklink software Microsoft SQL Server are an in-memory post-exploit that allows remote attackers to connect to any account running on version 11 and version 12 MSSQL servers using a “magic password”.

In order for the victim not to detect this software on the MSSQL server, this Blacklink Microsoft SQL Server software penetrated by disabling the compromised machine’s logging functions, event publishing, and auditing mechanisms every time you use the “ghost password”

Thanks to this software, an attacker can stealthily copy, modify or delete the content stored in the database. This impact varies from application to application integrated with the targeted servers.

The researchers also said that it could be used for many different purposes, such as manipulating game currency for financial gain or manipulating the Winnti game currency database.

Recently, in the latest report published by cybersecurity firm ESET, researchers reattached the Skip-2.0 back-Skip to a group of Chinese state-owned threat actors called the Winnti Group because the Malware contains many similarities with other well-known tools of the Winnti team, especially backReuse and Portugal.

Blacklink Microsoft SQL Skip-2.0 Launch Process

Like other Winnti corporation payloads, Skip-2.0 also uses the encrypted VMProyected launcher, custom packer, internal loader, and hook bracket to install the backdoor and remain on the system was targeted by exploiting DLL (Dynamic Link Library) vulnerabilities in a Windows process belonging to the system startup service.

Since the Skip-2.0 malware is an exploit, attackers need to compromise the targeted MSSQL servers to obtain the administrative privileges needed for the attack.

Note: Although MSSQL Server 11 and 12 are not the latest versions, they are the most commonly used versions according to Censys data.

Đánh giá

Bài viết cùng chuyên mục

AZDIGI – Không chỉ là đơn vị hàng đầu trong lĩnh vực Web Hosting và Máy chủ, chúng tôi mong muốn mang lại những kiến thức bổ ích nhất và luôn cập nhật thường xuyên cho cộng đồng người đam mê thiết kế website, công nghệ,…

Vui lòng không sao chép nội dung nếu chưa xin phép. Designed and Developed by PenciDesign