{"id":5644,"date":"2019-11-16T14:55:52","date_gmt":"2019-11-16T06:55:52","guid":{"rendered":"https:\/\/version-2.com\/?p=5644"},"modified":"2020-11-04T13:23:12","modified_gmt":"2020-11-04T05:23:12","slug":"winnti-groups-skip%e2%80%912-0-a-microsoft-sql-server-backdoor","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2019\/11\/winnti-groups-skip%e2%80%912-0-a-microsoft-sql-server-backdoor\/","title":{"rendered":"Winnti Group\u2019s skip\u20112.0: A Microsoft SQL Server backdoor"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Notorious cyberespionage group debases MSSQL<\/p>

For a while, ESET researchers have been tracking the activities of the Winnti Group, active since at least 2012 and responsible for high-profile supply-chain attacks against the video game and software industry<\/a>. Recently, we discovered a previously undocumented backdoor targeting Microsoft SQL (MSSQL) that allows attackers to maintain a very discreet foothold inside compromised organizations. This backdoor bears multiple similarities to the PortReuse<\/em> backdoor, another tool used by the Winnti Group that was first documented by ESET in October 2019<\/a>, such as the use of the same custom packer and VMProtected launcher, which is why we attribute this backdoor to the Winnti Group.<\/p>

Earlier this year, we received a sample of this new backdoor called skip-2.0<\/em> by its authors and part of the Winnti Group\u2019s arsenal. This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password \u2013 while automatically hiding these connections from the logs. Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported<\/a>. To the best of our knowledge, skip-2.0<\/em> is the first MSSQL Server backdoor to be documented publicly. Note that even though MSSQL Server 11 and 12 are not the most recent versions (released in 2012 and 2014, respectively), they are the most commonly used ones according to Censys\u2019<\/a>s data.<\/p>

We recently published a white paper<\/a> updating our understanding of the arsenal of the Winnti Group, and that exposed a previously undocumented backdoor of theirs called PortReuse.<\/em> It uses an identical packer to that used with the payload embedded in compromised video games uncovered by ESET in March 2019<\/a>. The VMProtected launcher that drops the PortReuse<\/em> backdoor was also found being used to launch recent ShadowPad<\/em> versions. In that context, we were able to find a new tool called skip.2-0<\/em> by its developer. It uses the same VMProtected launcher as well as Winnti Group\u2019s custom packer and exhibits multiple similarities with other samples from the Winnti Group\u2019s toolset. This leads us to ascribe skip-2.0 <\/em>to that toolset also.<\/p>

This article will focus on the technical details and functionality of this MSSQL Server backdoor, as well as on exposing the technical similarities of skip.2-0<\/em> with the Winnti Group\u2019s known arsenal \u2013 in particular, with the PortReuse<\/em> backdoor and ShadowPad<\/em>. A note on the reasons why we chose the \u201cWinnti Group\u201d naming can be found on our white paper<\/a>.<\/p>

VMProtected launcher<\/big><\/h2>

We found skip-2.0<\/em> while looking for VMProtected launchers, for which the payload is usually either PortReuse<\/em> or ShadowPad<\/em>.<\/p>

Embedded payload<\/h3>

As with the encrypted PortReuse<\/em> and ShadowPad<\/em> payloads, skip-2.0<\/em> is embedded in the VMProtected launcher\u2019s overlay, as shown in Figure 1:<\/p>

\"\"<\/a><\/p>

Figure 1. VMProtected launcher\u2019s headers. The payload is embedded in the PE overlay.<\/i><\/p>

Encryption<\/h3>

The payload encryption is identical to that used in the other VMProtected launchers. It is RC5-encrypted with a key derived from the VolumeID and the string f@Ukd!rCto\u00a0R$. \u2013 as described in our previous white paper on the Winnti Group arsenal.<\/a><\/p>

Persistence<\/h3>

As in the case of PortReuse<\/em> and ShadowPad<\/em>, the launcher probably persists by exploiting a DLL hijacking vulnerability<\/a> by being installed at C:\\Windows\\System32\\TSVIPSrv.DLL. This results in the DLL being loaded by the standard Windows SessionEnv service at system startup.<\/p>

\u00a0<\/h2>

Winnti Group\u2019s custom packer<\/big><\/h2>

Once decrypted the embedded payload is actually Winnti Group\u2019s custom packer. This packer is the same shellcode that was documented in our previous article<\/a> and white paper<\/a>. It is used to pack the PortReuse<\/em> backdoor as well as the payload embedded in the compromised video games.<\/p>

Packer configuration<\/h3>

As described in our previous article, the packer configuration contains the decryption key of the packed binary as well as its original filename, its size and the execution type (EXE or DLL). The payload\u2019s packer configuration is shown in Table 1.<\/p>

\"Table

Table 1. Payload\u2019s packer configuration<\/em><\/p>

One can see from the packer configuration that the payload is called Inner-Loader<\/em>. Inner-Loader<\/em> is the name of an injector that is the part of the Winnti Group\u2019s arsenal used to inject the PortReuse<\/em> backdoor into processes listening on a particular port, as described in our previous publication<\/a>. Beyond that identical name, by analyzing this payload it appears that it is another variant of the Inner-Loader<\/em> injector.<\/p>

Inner-Loader injector<\/h2>

This variant of Inner-Loader<\/em>, instead of looking for a process listening on a particular port, as in the case when injecting the PortReuse<\/em> backdoor, looks for a process called sqlserv.exe, which is the conventional process name of MSSQL Server. If found, Inner-Loader<\/em> then injects a payload into this process. This payload is also packed with the custom packer \u2013 the packer configuration of that payload is shown in Table 2.<\/p>

\"Table

Table 2. Packer configuration of the payload embedded in Inner-Loader<\/em><\/p>

The original filename of this injected payload is skip-2.0.dll<\/em>.
\u00a0<\/p>

skip-2.0<\/big><\/h2>

After having been injected and launched by Inner-Loader<\/em>, skip-2.<\/em>0 first checks whether it is executing within an sqlserv.exe process and if so, retrieves a handle to sqllang.dll, which is loaded by sqlserv.exe. It then proceeds to find and hook multiple functions from that DLL. Figure 2 depicts the skip-2.0<\/em> chain of compromise.<\/p>

<\/a><\/p>

Figure 2. skip-2.0 unpacking and injection<\/i><\/p>

Hooking sqllang.dll<\/h3>

The hooking procedure used by skip-2.0<\/em> is very similar to the one used by NetAgent<\/em>, the PortReuse<\/em> module responsible for installing the networking hook. This hooking library is based on the distorm<\/a> open source disassembler that is used by multiple open source hooking frameworks. In particular, a disassembling library is needed to correctly compute the size of the instructions to be hooked. One can see in Figure 3 that the hooking procedure used by NetAgent<\/em> and skip-2.0<\/em> are almost identical.<\/p>

<\/a><\/p>

Figure 3. Hex-Rays output comparison between the NetAgent (left) and skip-2.0 (right) hooking procedures<\/i><\/p>

There is one notable difference, which is the fact that the hooking function from skip-2.0<\/em> takes the address of the hook to be installed as an argument, while for NetAgent<\/em>, the address of the hook to install is hardcoded. This is due to the fact that skip-2.0<\/em> has to hook multiple functions in sqllang.dll to operate properly, while NetAgent<\/em> targets only a single function.<\/p>

To locate each sqllang.dll function to be hooked, skip-2.0<\/em> first retrieves the size of the DLL once loaded in memory (i.e. its virtual size) by parsing its PE headers. Then an array of bytes to be matched within sqllang.dll is initialized as shown in Figure 4. Once the address of the first occurrence matching the byte array is found, the hook is installed using the procedure shown in Figure 3.<\/p>

\"\"<\/a><\/p>

Figure 4. Hex-Rays output of the procedure initializing the byte array to match in<\/i> sqllang.dll<\/p>

The success of the hook installation is then logged in cleartext in a log file located at the hardcoded path C:\\Windows\\Temp\\TS_2CE1.tmp and shown in Figure 5.<\/p>

\"\"<\/a><\/p>

Figure 5. Log generated during hooks installation<\/i><\/p>

Should the targeted function not be found, the hook installer searches for a fallback function, with a different set of byte patterns.<\/p>

Matching a sequence of bytes to locate the address of the targeted function instead of using a static offset, plus using a fallback sequence of bytes, allows skip-2.0 <\/em>to be more resilient to MSSQL updates and to potentially target multiple sqllang.dll updates.<\/p>

One password to rule them all<\/h3>

The functions targeted by skip-2.0<\/em> are related to authentication and event logging. The targeted functions include:<\/p>