
Example Analysis of MSSQL backdoor of Winnti Hacker Organization

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article presents the "Winnti hacker organization MSSQL backdoor example analysis". The content is easy to follow and clearly laid out, and we hope it helps resolve your doubts; the editor will now walk you through the analysis.

Researchers at ESET have been tracking Winnti's activities for some time. The group has been active since 2012, attacking the supply chains of the video game and software industries. Recently, a previously undocumented backdoor was discovered that targets Microsoft SQL Server (MSSQL). This backdoor shares many similarities with the PortReuse backdoor, another tool used by the Winnti Group, which was first documented in October 2019.

A new backdoor sample, skip-2.0, was detected this year and is attributed to the Winnti Group. The backdoor targets MSSQL Server 11 and 12 and lets attackers connect to any MSSQL account using a "magic" password, while automatically hiding those connections from the logs. It allows attackers to copy, modify, or delete database contents, which could be used to manipulate in-game currency for financial gain. As far as is known, skip-2.0 is the first publicly documented MSSQL Server backdoor.

This article focuses on the technical details and functionality of the MSSQL Server backdoor, as well as the technical similarities between skip-2.0 and Winnti's known arsenal, in particular the PortReuse backdoor and ShadowPad.

VMProtected launcher

We found skip-2.0 while looking for VMProtected launchers, whose payload is usually PortReuse or ShadowPad.

Embedded payload

Like the encrypted PortReuse and ShadowPad payloads, skip-2.0 is embedded in a VMProtected launcher, as shown in figure 1:

Encryption

The payload encryption is the same as that used in the other VMProtected launchers: the payload is RC5 encrypted, with the key derived from the VolumeID and the string f@ukd! RCTO R$.

Persistence

As with PortReuse and ShadowPad, the launcher may persist through DLL hijacking by installing itself at c:\windows\system32\tsvipsrv.dll. This causes the standard Windows SessionEnv service to load the DLL at system start.

Packer

Once decrypted, the embedded payload is actually a custom packer used by the Winnti Group. This packer is the same as the one we documented in the white paper, where it is used to package the PortReuse backdoor and the payloads embedded in compromised video games.

Configuration

The packer configuration contains the decryption key of the packed binary together with its original file name, size, and execution type (EXE or DLL). The payload configuration is shown in Table 1.

As can be seen from the packer configuration, the payload is called the internal loader. The internal loader is the name of an injector that is part of the Winnti Group's arsenal and is used to inject the PortReuse backdoor into processes listening on specific ports.

Internal loader

This is a variant of the internal loader: instead of looking for a process listening on a specific port, as it does when injecting the PortReuse backdoor, it looks for a process called sqlserv.exe, the regular process name of MSSQL Server. If found, the internal loader injects the payload into that process. This payload is also packed with the custom packer, configured as shown in Table 2.

The original file name for this injection payload is skip-2.0.dll.

Skip-2.0

After being injected and started by the internal loader, skip-2.0 first checks whether it is executing inside the sqlserv.exe process. If so, it retrieves a handle to sqllang.dll, which is loaded by sqlserv.exe, and then proceeds to find and hook multiple functions in that DLL. Figure 2 depicts the operation of skip-2.0.

Hooking sqllang.dll

The hooking procedure used by skip-2.0 is very similar to that of NetAgent, the PortReuse module responsible for installing the network hook. This hooking library is based on the diStorm open source disassembler, which is used by several open source hooking frameworks. A disassembly library is required to correctly calculate the size of the instructions that the hook overwrites. As the following figure shows, NetAgent and skip-2.0 use almost the same hooking procedure.

Figure 3: Hex-Rays output comparison between the NetAgent (left) and skip-2.0 (right) hooking procedures

A significant difference is that in skip-2.0 the address of the hook to be installed is passed to the hooking function as an argument, whereas in NetAgent that address is hard-coded. This is because skip-2.0 must hook multiple functions in sqllang.dll to work properly, while NetAgent targets only one function.

To locate each sqllang.dll function to hook, skip-2.0 first retrieves the size of the DLL as loaded in memory (its virtual size) by parsing the PE header. It then initializes the byte array to match within sqllang.dll, as shown in figure 4. Once the address of the first match of the byte array is found, the hook is installed using the procedure shown in figure 3.

After successful installation the hook is recorded in cleartext in a file at the hard-coded path c:\windows\temp\ts_2ce1.tmp, as shown in figure 5.

If the target function is not found, the hook installer searches for fallback functions using different sets of byte patterns.

By locating the address of the target function through byte-sequence matching instead of static offsets, combined with the fallback byte sequences, skip-2.0 is more resilient to MSSQL updates and can work against multiple versions of sqllang.dll.

Password control

The functions targeted by skip-2.0 are related to authentication and event logging. The target functions include:

CPwdPolicyManager::ValidatePwdForLogin
CSECAuthenticate::AuthenticateLoginIdentity
ReportLoginSuccess
IssueLoginSuccessReport
FExecuteLogonTriggers
XeSqlPkg::sql_statement_completed::Publish
XeSqlPkg::sql_batch_completed::Publish
SecAuditPkg::audit_event::Publish
XeSqlPkg::login::Publish
XeSqlPkg::ual_instrument_called::Publish

The most interesting of these is the first function (CPwdPolicyManager::ValidatePwdForLogin), which is responsible for validating the password provided for a given user.

The hook on this function checks whether the password supplied by the user matches the magic password. If it does, the original function is not called and the hook returns 0, allowing the connection. It then sets a global flag that is checked by the other hook functions responsible for event logging. The corresponding decompiled routine is shown in figure 6. When this global flag is set, the hooked logging functions return silently without calling their original counterparts, so the operation is not logged.

If the login used the magic password, the ReportLoginSuccess and IssueLoginSuccessReport hooks do not call the original functions. The same behavior applies to FExecuteLogonTriggers. Other logging functions, such as XeSqlPkg::sql_statement_completed::Publish and XeSqlPkg::sql_batch_completed::Publish, are also disabled when the user logged in with the magic password. Several audit events are disabled as well, including SecAuditPkg::audit_event::Publish, XeSqlPkg::login::Publish, and XeSqlPkg::ual_instrument_called::Publish.

This series of hooks not only gives an attacker persistent access to the victim's MSSQL Server through a special password, but also disables multiple logs whenever that password is used, so that the activity goes undetected.

The researchers tested skip-2.0 on several versions of MSSQL Server and found that the magic password allowed successful logins on MSSQL Server 11 and 12. To check whether skip-2.0 is specific to particular versions of sqllang.dll, a YARA rule was created, which can be found in their GitHub repository.
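Because skip-2.0 suppresses the login and audit events for sessions opened with the magic password, one defensive check is to correlate network telemetry with the server's own login records and flag SQL Server sessions that never produced a login event. The following is an added example, not code from the article or from ESET; the flow-log and login-log line formats, the client addresses and the 30-second window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): new TCP sessions to the
# SQL Server listener, as a firewall or flow collector might record them.
FLOW_LOG = """\
2019-10-21T10:15:02Z NEW 10.0.0.5:51234 -> 10.0.0.10:1433
2019-10-21T10:16:40Z NEW 10.0.0.7:49152 -> 10.0.0.10:1433
2019-10-21T10:17:05Z NEW 10.0.0.9:50001 -> 10.0.0.10:3389
2019-10-21T10:18:11Z NEW 10.0.0.8:52000 -> 10.0.0.10:1433
"""

# Constructed SQL Server login audit lines for the same period (assumed format).
LOGIN_LOG = """\
2019-10-21T10:15:03Z LOGIN_SUCCESS client=10.0.0.5 user=app_svc
2019-10-21T10:18:12Z LOGIN_FAILED client=10.0.0.8 user=sa
"""

FLOW_RE = re.compile(r"^(\S+) NEW (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$")
LOGIN_RE = re.compile(r"^(\S+) (LOGIN_SUCCESS|LOGIN_FAILED) client=(\S+) user=(\S+)$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_flows(text, sql_port=1433):
    """Return (timestamp, client_ip) for each new session to the SQL port."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m and int(m.group(3)) == sql_port:
            flows.append((_ts(m.group(1)), m.group(2)))
    return flows


def parse_logins(text):
    """Return (timestamp, client_ip) for every login event, success or failure."""
    return [(_ts(m.group(1)), m.group(3))
            for m in (LOGIN_RE.match(l) for l in text.splitlines()) if m]


def unlogged_sessions(flows, logins, window=timedelta(seconds=30)):
    """Sessions with no login event from the same client within the window.
    A hidden magic-password login shows up here as a flow with no audit trail."""
    suspicious = []
    for opened, client in flows:
        seen = any(c == client and opened <= t <= opened + window for t, c in logins)
        if not seen:
            suspicious.append((opened.isoformat(), client))
    return suspicious


if __name__ == "__main__":
    for when, client in unlogged_sessions(parse_flows(FLOW_LOG), parse_logins(LOGIN_LOG)):
        print(f"SQL session from {client} at {when} has no login event")
```

Connections that drop before completing the TDS login handshake will also be listed, so the output is a lead to triage against the host (for example the persistence DLL and hook log file named above), not a verdict by itself.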

Connection to Winnti

Skip-2.0 has a lot in common with other tools from Winnti: the VMProtected launcher, the custom packer, the internal loader, and the hooking framework are all part of the Winnti Group's toolset.

That is all the content of this article, "Example Analysis of MSSQL backdoor of Winnti Hacker Organization". Thank you for reading! We hope the material shared here has helped you gain some understanding; if you want to learn more, you are welcome to follow the industry information channel!


© 2024 shulou.com SLNews company. All rights reserved.
