The Skip-2.0 malware is a dangerous threat launched by a hacking group known as Winnti. These hackers are referred to as a mega-collective because several smaller hacking groups use this name to identify themselves. The criminals are using the Skip-2.0 malware to intrude into the Microsoft SQL Servers that power the databases of companies and organizations.
Microsoft SQL Servers Attacked By Winnti Hackers With Skip-2.0 Malware
A security report shows that a new global attack is being launched by the infamous Winnti hacking group. This is an “umbrella group”, meaning that several smaller criminal factions identify themselves with it. The group is using a specially made threat to infect the target hosts. The Skip-2.0 malware, the main threat in question, is designed to create a backdoor in any installed Microsoft SQL Server instance. The technique relies on a vulnerability in the server hosts through which malware connections can access the stored data using a “magic password string”. This is a type of backdoor that relies on a software issue in the application, specifically versions 11 and 12.
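To make the “magic password string” mechanism concrete from a defender's side, here is an added example that is not code from the article or from any analysis of Skip-2.0. It models a login service whose password verifier is a replaceable callable (standing in for the function pointer an in-memory hook overwrites), shows in a few lines what a magic-password hook does to that verifier, and then shows the integrity check a defender would run: fingerprint the verifier at a trusted point and re-check it later. The class, the user store and the `MAGIC` value are all constructed placeholders, not the real string.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Toy login service (constructed for illustration).

    `verify` is a replaceable attribute that plays the role of the
    password-validation routine a backdoor would hook in process memory.
    """

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}
        self.verify = self._verify_password  # the "function pointer"

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, self._digest(salt, password))

    def _verify_password(self, name: str, password: str) -> bool:
        """Legitimate check: salted hash, constant-time comparison."""
        entry = self._users.get(name)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, self._digest(salt, password))

    def login(self, name: str, password: str) -> bool:
        # Every login goes through whatever `verify` currently points at.
        return self.verify(name, password)


MAGIC = "placeholder-magic-string"  # constructed; not the real value


def simulate_backdoored_verifier(server: AuthServer) -> None:
    """Defensive model of the backdoor: the original verifier is wrapped so
    that one fixed string is accepted for any account and everything else
    falls through unchanged, which is why normal logins keep working."""
    original = server.verify

    def hooked(name: str, password: str) -> bool:
        if password == MAGIC:
            return True
        return original(name, password)

    server.verify = hooked


def verifier_fingerprint(server: AuthServer) -> str:
    """SHA-256 of the bytecode behind `server.verify`. Take this baseline
    at a trusted point (e.g. right after start-up) and store it off-host."""
    return hashlib.sha256(server.verify.__code__.co_code).hexdigest()


def verifier_is_intact(server: AuthServer, baseline: str) -> bool:
    """Re-check the verifier against the baseline; a hook changes the code
    object behind the pointer, so the fingerprint no longer matches."""
    return hmac.compare_digest(verifier_fingerprint(server), baseline)


if __name__ == "__main__":
    srv = AuthServer()
    srv.add_user("dba", "correct horse battery staple")
    baseline = verifier_fingerprint(srv)
    print("normal login:", srv.login("dba", "correct horse battery staple"))
    print("magic before hook:", srv.login("dba", MAGIC))
    print("intact:", verifier_is_intact(srv, baseline))
    simulate_backdoored_verifier(srv)
    print("magic after hook:", srv.login("anyone", MAGIC))
    print("intact:", verifier_is_intact(srv, baseline))
```

The takeaway for the real server is the same as for the toy: a magic-password hook leaves legitimate authentication untouched, so a login test with valid credentials never reveals it. What does is comparing the code that authentication actually runs through against a baseline captured from a known-good state, together with watching for the privileged process access needed to install such a hook in the first place.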
The security researchers note several similarities to previous tools used by the hackers. A modular approach has been used to build the tool, which means that many of the associated modules can be reused in this attack as well. One of the tools in question is called PortReuse, a network hacking tool known to exist in several different versions. It can probe services running on different ports, including web servers and remote desktop clients. Some of its capabilities are probably also available in the Skip-2.0 malware:
- File Download and Execution: the malware engine can be programmed to retrieve and execute files from a hacker-controlled location.
- Process Creation and Hooking: the engine not only runs in a prescribed manner, but can also hook into other running applications and services and thereby hijack information and the actions performed by the users.
- Remote Trojan Connection: one of the main goals of such threats is to establish a secure connection to a hacker-controlled server. Such a connection allows the remote attackers to take control of the infected computers, spy on the victims and install other threats.
A multi-stage infection makes it possible for the malware engine and all associated modules to bypass some of the security countermeasures in place. The researchers note that Skip-2.0 requires administrative privileges to run, meaning that the target Microsoft SQL Servers need to be compromised by other means before it can be deployed.