Cybersecurity researchers recently announced the discovery of a previously undocumented backdoor, named Skip-2.0, built specifically for Microsoft SQL (MSSQL) servers. It allows remote attackers to stealthily retain control of an already compromised system.
The Skip-2.0 backdoor for Microsoft SQL Server is an in-memory post-exploitation tool that lets remote attackers connect to any account on MSSQL Server version 11 and version 12 by supplying a "magic password".
To avoid being noticed on the MSSQL server, the backdoor disables the compromised machine's logging functions, event publishing and auditing mechanisms every time the "magic password" is used.
With this backdoor, an attacker can stealthily copy, modify or delete the content stored in the database. The impact varies depending on which applications are integrated with the targeted servers.
The researchers also said the backdoor could be used for many different purposes, such as manipulating in-game currency databases for financial gain, which fits the Winnti Group's history of targeting the video game industry.
In its latest report, cybersecurity firm ESET attributed the Skip-2.0 backdoor to a Chinese state-sponsored threat actor known as the Winnti Group, because the malware shares many similarities with other well-known tools of the Winnti team, in particular the PortReuse and ShadowPad backdoors.
How the Skip-2.0 Microsoft SQL Backdoor Is Launched
Like other Winnti Group payloads, Skip-2.0 uses a VMProtected launcher, a custom packer, an inner loader and a hooking framework to install the backdoor and stay persistent on the targeted system, gaining its foothold by exploiting a DLL (Dynamic Link Library) hijacking vulnerability in a Windows process belonging to the system startup service.
Because Skip-2.0 is a post-exploitation tool rather than an exploit, attackers must first compromise the targeted MSSQL server and obtain the administrative privileges that installing the backdoor requires.
Note: Although MSSQL Server 11 and 12 are not the latest versions, they are the most commonly deployed versions according to Censys data.