
Winnti Hacker Group Uses New Malware to Hack Microsoft SQL Servers

The Winnti hacker group is using new malware dubbed skip-2.0 to attack Microsoft SQL Servers and gain persistent access. The Winnti group is believed to operate from China, has been active since at least 2012, and is responsible for high-profile supply-chain attacks against gaming studios and software companies.
ESET security researchers discovered the new malware strain skip-2.0 alongside the Winnti Group’s known arsenal. The backdoor was found to target MSSQL Server 11 and 12.
Researchers found similarities between skip-2.0 and the PortReuse backdoor and ShadowPad variants. Like PortReuse, skip-2.0 is also launched through a VMProtected launcher that drops the backdoor.
The payload is RC5-encrypted and embedded in the VMProtected launcher’s overlay; the packer contains Inner-Loader.dll, which the Winnti Group uses to inject the backdoor.
The malware hooks sqllang.dll and alters multiple functions; skip-2.0 primarily targets functions related to authentication and event logging.
“We observed multiple similarities between skip-2.0 and other tools from the Winnti Group’s arsenal. Its VMProtected launcher, custom packer, Inner-Loader injector, and hooking framework are part of the already known toolset of the Winnti Group,” said ESET.
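As an added example (not ESET’s analysis code and not the malware’s), here is the integrity check a defender would run against the authentication and logging routines the article says skip-2.0 hooks in sqllang.dll: compare each function’s prologue as it exists in the DLL on disk with the bytes mapped inside the running sqlservr.exe, and name the trampoline pattern when one is found. The function names and every byte string below are constructed placeholders; obtaining the real on-disk and in-memory bytes is left to your forensics tooling.

```python
from typing import Dict, Optional, Tuple

# Constructed sample data (not real sqllang.dll bytes): the first 16 bytes of two
# hypothetical exported functions, once as read from sqllang.dll on disk and once
# as read from the module mapped inside the running sqlservr.exe process.
ON_DISK = {
    "CheckPassword":      bytes.fromhex("48895c24084889742410574883ec2048"),
    "ReportLoginFailure": bytes.fromhex("4055534889e54881ec20030000488b05"),
}
IN_MEMORY = {
    # first five bytes overwritten with an E9 jmp rel32 into injected code
    "CheckPassword":      bytes.fromhex("e9102000004889742410574883ec2048"),
    # untouched
    "ReportLoginFailure": bytes.fromhex("4055534889e54881ec20030000488b05"),
}


def classify_trampoline(code: bytes) -> Optional[str]:
    """Name the stub if the prologue begins with a common x64 inline-hook trampoline."""
    if code[:1] == b"\xe9":
        return "jmp rel32"
    if code[:2] == b"\xff\x25":
        return "jmp [rip+disp32]"
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":
        return "push imm32; ret"
    return None


def find_hooked_functions(on_disk: Dict[str, bytes],
                          in_memory: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Return {function: (offset of first differing byte, trampoline kind)} for
    every prologue whose in-memory bytes diverge from the on-disk copy.

    Caveat: a real check must first apply the module's base relocations to the
    on-disk image (or compare against a freshly mapped copy); otherwise legitimate
    address fix-ups appear as false positives."""
    hooked: Dict[str, Tuple[int, str]] = {}
    for name, clean in on_disk.items():
        live = in_memory.get(name)
        if live is None or live == clean:
            continue
        offset = next((i for i, (a, b) in enumerate(zip(clean, live)) if a != b),
                      min(len(clean), len(live)))
        hooked[name] = (offset, classify_trampoline(live) or "unknown patch")
    return hooked


if __name__ == "__main__":
    for name, (off, kind) in find_hooked_functions(ON_DISK, IN_MEMORY).items():
        print(f"{name}: prologue modified at +{off} ({kind})")
```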