台灣二版(V2)敬祝聖誕佳節愉快及協助您一起打造安全無虞的2020年~~(資安品牌ESET & GREYCORTEX台灣獨家總代理)
ESET identifies Latin American banking trojan, Mispadu, targeting victims with malicious Facebook ads
BRATISLAVA – ESET, a global leader in cybersecurity, continues its research into Latin American banking trojans with the identification of another previously unknown malware family, Mispadu.
Similar to the Amavaldo and Casbaneiro malware families recently described by ESET, Mispadu is written in Delphi and targets victims through the use of fake pop-up windows trying to persuade potential victims to share their personal details and credentials. The Mispadu banking trojan, which primarily targets Brazil and Mexico, contains backdoor functionality, can take screenshots, simulates mouse and keyboard actions, and captures keystrokes.
The ESET research team has seen the Mispadu family using two different distribution methods – spam and malvertising. While the former is common among Latin American banking trojans, the latter is quite rare. The threat actor behind Mispadu places sponsored advertisements on Facebook that offer fake discount coupons for McDonald’s. Clicking on the advertisement leads the potential victim to a malicious webpage where a ZIP file containing an MSI installer, masquerading as a discount coupon, can be downloaded. If downloaded and executed, a chain of three scripts follows, resulting in the download and execution of the Mispadu banking trojan. The trojan uses four potentially unwanted applications, all modified copies of legitimate software, to extract the victim’s stored credentials from web browsers and email clients.
In Brazil, Mispadu has been seen also distributing an interesting, malicious Google Chrome extension. The extension claims to “Protect your Chrome,” but instead it attempts to steal credit card and online banking data, and can even compromise Boleto, a popular payment system in Brazil that uses a barcode-based ticketing system to transfer payments. The Boleto component of the Mispadu malware attack is its most advanced feature, as it replaces the legitimate barcode on a Boleto ticket with one connected to the attacker’s bank account, generated via the abuse of a legitimate website.
For more details, read the blog post, Mispadu: advertisement for a discounted Unhappy Meal, on WeLiveSecurity.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
【ESET版本升級重要公告訊息】2020.1.27終止支援舊版本之病毒碼更新服務,現有用戶可享免費升級
「2019資安保衛戰,您戰勝了還是淪陷了?」讓國際資安大廠ESET助您一臂之力!
ESET重要公告_支持及購買正版產品
針對Windows系統的「BlueKeep」漏洞攻擊正在發生
Tracking down the developer of Android adware affecting millions of users
We detected a large adware campaign running for about a year, with the involved apps installed eight million times from Google Play alone.We identified 42 apps on Google Play as belonging to the campaign, which had been running since July 2018. Of those, 21 were still available at the time of discovery. We reported the apps to the Google security team and they were swiftly removed. However, the apps are still available in third-party app stores. ESET detects this adware, collectively, as Android/AdDisplay.Ashas.
Figure 1. Apps of the Android/AdDisplay.Ashas family reported to Google by ESET
Figure 2. The most popular member of the Android/AdDisplay.Ashas family on Google Play was “Video downloader master” with over five million downloads
Ashas functionality
All the apps provide the functionality they promise, besides working as adware. The adware functionality is the same in all the apps we analyzed. [Note: The analysis of the functionality below describes a single app, but applies to all apps of the Android/AdDisplay.Ashas family.]
Once launched, the app starts to communicate with its C&C server (whose IP address is base64-encoded in the app). It sends “home” key data about the affected device: device type, OS version, language, number of installed apps, free storage space, battery status, whether the device is rooted and Developer mode enabled, and whether Facebook and FB Messenger are installed.
Figure 3. Sending information about the affected device
The app receives configuration data from the C&C server, needed for displaying ads, and for stealth and resilience.
Figure 4. Configuration file received from the C&C server
As for stealth and resilience, the attacker uses a number of tricks.
First, the malicious app tries to determine whether it is being tested by the Google Play security mechanism. For this purpose, the app receives from the C&C server the isGoogleIp flag, which indicates whether the IP address of the affected device falls within the range of known IP addresses for Google servers. If the server returns this flag as positive, the app will not trigger the adware payload.
Second, the app can set a custom delay between displaying ads. The samples we have seen had their configuration set to delay displaying the first ad by 24 minutes after the device unlocks. This delay means that a typical testing procedure, which takes less than 10 minutes, will not detect any unwanted behavior. Also, the longer the delay, the lower the risk of the user associating the unwanted ads with a particular app.
Third, based on the server response, the app can also hide its icon and create a shortcut instead. If a typical user tries to get rid of the malicious app, chances are that only the shortcut ends up getting removed. The app then continues to run in the background without the user’s knowledge. This stealth technique has been gaining popularity among adware-related threats distributed via Google Play.
Figure 5. Time delay to postpone displaying ads implemented by the adware
Once the malicious app receives its configuration data, the affected device is ready to display ads as per the attacker’s choice; each ad is displayed as a full screen activity. If the user wants to check which app is responsible for the ad being displayed, by hitting the “Recent apps” button, another trick is used: the app displays a Facebook or Google icon, as seen in Figure 6. The adware mimics these two apps to look legitimate and avoid suspicion – and thus stay on the affected device for as long as possible.
Figure 6. The adware activity impersonates Facebook (left). If the user long-presses the icon, the name of the app responsible for the activity is revealed (right).
Finally, the Ashas adware family has its code hidden under the com.google.xxx package name. This trick – posing as a part of a legitimate Google service – may help avoid scrutiny. Some detection mechanisms and sandboxes may whitelist such package names, in an effort to prevent wasting resources.
Figure 7. Malicious code hidden in a package named “com.google”
Hunting down the developer
Using open-source information, we tracked down the developer of the adware, who we also identified as the campaign’s operator and owner of the C&C server. In the following paragraphs, we outline our efforts to discover other applications from the same developer and protect our users from it.
First, based on information that is associated with the registered C&C domain, we identified the name of the registrant, along with further data like country and email address, as seen in Figure 8.
Figure 8. Information about the C&C domain used by the Ashas adware
Knowing that the information provided to a domain registrar might be fake, we continued our search. The email address and country information drove us to a list of students attending a class at a Vietnamese university – corroborating the existence of the person under whose name the domain was registered.
Figure 9. A university class student list including the C&C domain registrant
Due to poor privacy practices on the part of our culprit’s university, we now know his date of birth (probably: he seemingly used his birth year as part of his Gmail address, as further partial confirmation), we know that he was a student and what university he attended. We were also able to confirm that the phone number he provided to the domain registrar was genuine. Moreover, we retrieved his University ID; a quick googling showed some of his exam grades. However, his study results are out of the scope of our research.
Based on our culprit’s email address, we were able to find his GitHub repository. His repository proves that he is indeed an Android developer, but it contained no publicly available code of the Ashas adware at the time of writing of this blogpost.
However, a simple Google search for the adware package name returned a “TestDelete” project that had been available in his repository at some point
The malicious developer also has apps in Apple’s App Store. Some of them are iOS versions of the ones removed from Google Play, but none contain adware functionality.
Figure 10. The malicious developer’s apps published on the App Store which don’t contain the Ashas adware
Searching further for the malicious developer’s activities, we also discovered his Youtube channel propagating the Ashas adware and his other projects. As for the Ashas family, one of the associated promotional videos, “Head Soccer World Champion 2018 – Android, ios” was viewed almost three million times and two others reached hundreds of thousands of views, as seen in Figure 11.
Figure 11. YouTube channel of the malicious developer
His YouTube channel provided us with another valuable piece of information: he himself features in a video tutorial for one of his other projects. Thanks to that project, we were able to extract his Facebook profile – which lists his studies at the aforementioned university.
Figure 12. Facebook profile of the C&C domain registrar (cover picture and profile picture edited out)
Linked on the malicious developer’s Facebook profile, we discovered a Facebook page, Minigameshouse, and an associated domain, minigameshouse[.]net. This domain is similar to the one the malware author used for his adware C&C communication, minigameshouse[.]us.
Checking this Minigameshouse page further indicates that this person is indeed the owner of the minigameshouse[.]us domain: the phone number registered with this domain is the same as the phone number appearing on the Facebook page.
Figure 13. Facebook page managed by the C&C domain registrant uses the same base domain name (minigameshouse) and phone number as the registered malicious C&C used by the Ashas adware
Of interest is that on the Minigameshouse Facebook page, the malicious developer promotes a slew of games beyond the Ashas family for download on both Google Play and the App Store. However, all of those have been removed from Google Play – despite the fact that some of them didn’t contain any adware functionality.
On top of all this, one of the malicious developer’s YouTube videos – a tutorial on developing an “Instant Game” for Facebook – serves as an example of operational security completely ignored. We were able to see that his recently visited web sites were Google Play pages belonging to apps containing the Ashas adware. He also used his email account to log into various services in the video, which identifies him as the adware domain owner, beyond any doubt.
Thanks to the video, we were even able to identify three further apps that contained adware functionality and were available on Google Play.
Figure 14. Screenshots from this developer’s YouTube video shows history of checking Ashas adware on Google Play
ESET telemetry
Figure 15. ESET detections of Android/AdDisplay.Ashas on Android devices by country
Is adware harmful?
Because the real nature of apps containing adware is usually hidden to the user, these apps and their developers should be considered untrustworthy. When installed on a device, apps containing adware may, among other things:
- Annoy users with intrusive advertisements, including scam ads
- Waste the device’s battery resources
- Generate increased network traffic
- Gather users’ personal information
- Hide their presence on the affected device to achieve persistence
- Generate revenue for their operator without any user interaction
Conclusion
Based solely on open source intelligence, we were able to trace the developer of the Ashas adware and establish his identity and discover additional related adware-infected apps. Seeing that the developer did not take any measures to protect his identity, it seems likely that his intentions weren’t dishonest at first – and this is also supported by the fact that not all his published apps contained unwanted ads.
At some point in his Google Play “career”, he apparently decided to increase his ad revenue by implementing adware functionality in his apps’ code. The various stealth and resilience techniques implemented in the adware show us that the culprit was aware of the malicious nature of the added functionality and attempted to keep it hidden.
Sneaking unwanted or harmful functionality into popular, benign apps is a common practice among “bad” developers, and we are committed to tracking down such apps. We report them to Google and take other steps to disrupt malicious campaigns we discover. Last but not least, we publish our findings to help Android users protect themselves.
Indicators of Compromise (IoCs)
Package name | Hash | Installs |
---|---|---|
com.ngocph.masterfree | c1c958afa12a4fceb595539c6d208e6b103415d7 | 5,000,000+ |
com.mghstudio.ringtonemaker | 7a8640d4a766c3e4c4707f038c12f30ad7e21876 | 500,000+ |
com.hunghh.instadownloader | 8421f9f25dd30766f864490c26766d381b89dbee | 500,000+ |
com.chungit.tank1990 | 237f9bfe204e857abb51db15d6092d350ad3eb01 | 500,000+ |
com.video.downloadmasterfree | 43fea80444befe79b55e1f05d980261318472dff | 100,000+ |
com.massapp.instadownloader | 1382c2990bdce7d0aa081336214b78a06fceef62 | 100,000+ |
com.chungit.tankbattle | 1630b926c1732ca0bb2f1150ad491e19030bcbf2 | 100,000+ |
com.chungit.basketball | 188ca2d47e1fe777c6e9223e6f0f487cb5e98f2d | 100,000+ |
com.applecat.worldchampion2018 | 502a1d6ab73d0aaa4d7821d6568833028b6595ec | 100,000+ |
org.minigamehouse.photoalbum | a8e02fbd37d0787ee28d444272d72b894041003a | 100,000+ |
com.mngh.tuanvn.fbvideodownloader | 035624f9ac5f76cc38707f796457a34ec2a97946 | 100,000+ |
com.v2social.socialdownloader | 2b84fb67519487d676844e5744d8d3d1c935c4b7 | 100,000+ |
com.hikeforig.hashtag | 8ed42a6bcb14396563bb2475528d708c368da316 | 100,000+ |
com.chungit.heroesjump | c72e92e675afceca23bbe77008d921195114700c | 100,000+ |
com.mp4.video.downloader | 61E2C86199B2D94ABF2F7508300E3DB44AE1C6F1 | 100,000+ |
com.videotomp4.downloader | 1f54e35729a5409628511b9bf6503863e9353ec9 | 50,000+ |
boxs.puzzles.Puzzlebox | b084a07fdfd1db25354ad3afea6fa7af497fb7dc | 50,000+ |
com.intatwitfb.download.videodownloader | 8d5ef663c32c1dbcdd5cd7af14674a02fed30467 | 50,000+ |
com.doscreenrecorder.screenrecorder | e7da1b95e5ddfd2ac71587ad3f95b2bb5c0f365d | 50,000+ |
com.toptools.allvideodownloader | 32E476EA431C6F0995C75ACC5980BDBEF07C8F7F | 50,000+ |
com.top1.videodownloader | a24529933f57aa46ee5a9fd3c3f7234a1642fe17 | 10,000+ |
com.santastudio.headsoccer2 | 86d48c25d24842bac634c2bd75dbf721bcf4e2ea | 10,000+ |
com.ringtonemakerpro.ringtonemakerapp2019 | 5ce9f25dc32ac8b00b9abc3754202e96ef7d66d9 | 10,000+ |
com.hugofq.solucionariodebaldor | 3bb546880d93e9743ac99ad4295ccaf982920260 | 10,000+ |
com.anit.bouncingball | 6e93a24fb64d2f6db2095bb17afa12c34b2c8452 | 10,000+ |
com.dktools.liteforfb | 7bc079b1d01686d974888aa5398d6de54fd9d116 | 10,000+ |
net.radiogroup.tvnradio | ba29f0b4ad14b3d77956ae70d812eae6ac761bee | 10,000+ |
com.anit.bouncingball | 6E93A24FB64D2F6DB2095BB17AFA12C34B2C8452 | 10,000+ |
com.floating.tube.bymuicv | 6A57D380CDDCD4726ED2CF0E98156BA404112A53 | 10,000+ |
org.cocos2dx.SpiderSolitaireGames | adbb603195c1cc33f8317ba9f05ae9b74759e75b | 5,000+ |
games.puzzle.crosssum | 31088dc35a864158205e89403e1fb46ef6c2c3cd | 5,000+ |
dots.yellow.craft | 413ce03236d3604c6c15fc8d1ec3c9887633396c | 5,000+ |
com.tvngroup.ankina.reminderWater | 5205a5d78b58a178c389cd1a7b6651fe5eb7eb09 | 5,000+ |
com.hdevs.ringtonemaker2019 | ba5a4220d30579195a83ddc4c0897eec9df59cb7 | 5,000+ |
com.carlosapps.solucionariodebaldor | 741a95c34d3ad817582d27783551b5c85c4c605b | 5,000+ |
com.mngh1.flatmusic | 32353fae3082eaeedd6c56bb90836c89893dc42c | 5,000+ |
com.tvn.app.smartnote | ddf1f864325b76bc7c0a7cfa452562fe0fd41351 | 1,000+ |
com.thrtop.alldownloader | f46ef932a5f8e946a274961d5bdd789194bd2a7d | 1,000+ |
com.anthu91.soccercard | 0913a34436d1a7fcd9b6599fba64102352ef2a4a | 1,000+ |
com.hugofq.wismichudosmildiecisiete | 4715bd777d0e76ca954685eb32dc4d16e609824f | 1,000+ |
com.gamebasketball.basketballperfectshot | e97133aaf7d4bf90f93fefb405cb71a287790839 | 1,000+ |
com.nteam.solitairefree | 3095f0f99300c04f5ba877f87ab86636129769b1 | 100+ |
com.instafollowers.hiketop | 3a14407c3a8ef54f9cba8f61a271ab94013340f8 | 1+ |
C&C server
MITRE ATT&CK techniques
Tactic | ID | Name | Description |
---|---|---|---|
Initial Access | T1475 | Deliver Malicious App via Authorized App Store | The malware impersonates legitimate services on Google Play |
Persistence | T1402 | App Auto-Start at Device Boot | An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app’s functionality will be activated every time the device starts |
Impact | T1472 | Generate Fraudulent Advertising Revenue | Generates revenue by automatically displaying ads |
Kudos to @jaymin9687 for bringing the problem of unwanted ads in the “Video downloader master” app to our attention.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor
Notorious cyberespionage group debases MSSQL
For a while, ESET researchers have been tracking the activities of the Winnti Group, active since at least 2012 and responsible for high-profile supply-chain attacks against the video game and software industry. Recently, we discovered a previously undocumented backdoor targeting Microsoft SQL (MSSQL) that allows attackers to maintain a very discreet foothold inside compromised organizations. This backdoor bears multiple similarities to the PortReuse backdoor, another tool used by the Winnti Group that was first documented by ESET in October 2019, such as the use of the same custom packer and VMProtected launcher, which is why we attribute this backdoor to the Winnti Group.
Earlier this year, we received a sample of this new backdoor called skip-2.0 by its authors and part of the Winnti Group’s arsenal. This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password – while automatically hiding these connections from the logs. Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported. To the best of our knowledge, skip-2.0 is the first MSSQL Server backdoor to be documented publicly. Note that even though MSSQL Server 11 and 12 are not the most recent versions (released in 2012 and 2014, respectively), they are the most commonly used ones according to Censys’s data.
We recently published a white paper updating our understanding of the arsenal of the Winnti Group, and that exposed a previously undocumented backdoor of theirs called PortReuse. It uses an identical packer to that used with the payload embedded in compromised video games uncovered by ESET in March 2019. The VMProtected launcher that drops the PortReuse backdoor was also found being used to launch recent ShadowPad versions. In that context, we were able to find a new tool called skip.2-0 by its developer. It uses the same VMProtected launcher as well as Winnti Group’s custom packer and exhibits multiple similarities with other samples from the Winnti Group’s toolset. This leads us to ascribe skip-2.0 to that toolset also.
This article will focus on the technical details and functionality of this MSSQL Server backdoor, as well as on exposing the technical similarities of skip.2-0 with the Winnti Group’s known arsenal – in particular, with the PortReuse backdoor and ShadowPad. A note on the reasons why we chose the “Winnti Group” naming can be found on our white paper.
VMProtected launcher
We found skip-2.0 while looking for VMProtected launchers, for which the payload is usually either PortReuse or ShadowPad.
Embedded payload
As with the encrypted PortReuse and ShadowPad payloads, skip-2.0 is embedded in the VMProtected launcher’s overlay, as shown in Figure 1:
Figure 1. VMProtected launcher’s headers. The payload is embedded in the PE overlay.
Encryption
<
The payload encryption is identical to that used in the other VMProtected launchers. It is RC5-encrypted with a key derived from the VolumeID and the string f@Ukd!rCto R$. – as described in our previous white paper on the Winnti Group arsenal.
Persistence
As in the case of PortReuse and ShadowPad, the launcher probably persists by exploiting a DLL hijacking vulnerability by being installed at C:WindowsSystem32TSVIPSrv.DLL. This results in the DLL being loaded by the standard Windows SessionEnv service at system startup.
Winnti Group’s custom packer
Once decrypted the embedded payload is actually Winnti Group’s custom packer. This packer is the same shellcode that was documented in our previous article and white paper. It is used to pack the PortReuse backdoor as well as the payload embedded in the compromised video games.
Packer configuration
As described in our previous article, the packer configuration contains the decryption key of the packed binary as well as its original filename, its size and the execution type (EXE or DLL). The payload’s packer configuration is shown in Table 1.
Parent SHA-1 | Payload SHA-1 | RC4 key | Filename | Launch type |
---|---|---|---|---|
9aafe81d07b3e5bb282608f0a2a4656eb485b7c9 | a2571946ab181657eb825cde07188e8bcd689575 | 163716559 | Inner-Loader.dll | 2 |
Table 1. Payload’s packer configuration
One can see from the packer configuration that the payload is called Inner-Loader. Inner-Loader is the name of an injector that is the part of the Winnti Group’s arsenal used to inject the PortReuse backdoor into processes listening on a particular port, as described in our previous publication. Beyond that identical name, by analyzing this payload it appears that it is another variant of the Inner-Loader injector.
Inner-Loader injector
This variant of Inner-Loader, instead of looking for a process listening on a particular port, as in the case when injecting the PortReuse backdoor, looks for a process called sqlserv.exe, which is the conventional process name of MSSQL Server. If found, Inner-Loader then injects a payload into this process. This payload is also packed with the custom packer – the packer configuration of that payload is shown in Table 2.
Parent SHA-1 | Payload SHA-1 | RC4 key | Filename | Launch type |
---|---|---|---|---|
a2571946ab181657eb825cde07188e8bcd689575 | 60b9428d00be5ce562ff3d888441220290a6dac7 | 923567961 | skip-2.0.dll | 2 |
Table 2. Packer configuration of the payload embedded in Inner-Loader
The original filename of this injected payload is skip-2.0.dll.
skip-2.0
After having been injected and launched by Inner-Loader, skip-2.0 first checks whether it is executing within an sqlserv.exe process and if so, retrieves a handle to sqllang.dll, which is loaded by sqlserv.exe. It then proceeds to find and hook multiple functions from that DLL. Figure 2 depicts the skip-2.0 chain of compromise.
Figure 2. skip-2.0 unpacking and injection
Hooking sqllang.dll
The hooking procedure used by skip-2.0 is very similar to the one used by NetAgent, the PortReuse module responsible for installing the networking hook. This hooking library is based on the distorm open source disassembler that is used by multiple open source hooking frameworks. In particular, a disassembling library is needed to correctly compute the size of the instructions to be hooked. One can see in Figure 3 that the hooking procedure used by NetAgent and skip-2.0 are almost identical.
Figure 3. Hex-Rays output comparison between the NetAgent (left) and skip-2.0 (right) hooking procedures
There is one notable difference, which is the fact that the hooking function from skip-2.0 takes the address of the hook to be installed as an argument, while for NetAgent, the address of the hook to install is hardcoded. This is due to the fact that skip-2.0 has to hook multiple functions in sqllang.dll to operate properly, while NetAgent targets only a single function.
To locate each sqllang.dll function to be hooked, skip-2.0 first retrieves the size of the DLL once loaded in memory (i.e. its virtual size) by parsing its PE headers. Then an array of bytes to be matched within sqllang.dll is initialized as shown in Figure 4. Once the address of the first occurrence matching the byte array is found, the hook is installed using the procedure shown in Figure 3.
Figure 4. Hex-Rays output of the procedure initializing the byte array to match in sqllang.dll
The success of the hook installation is then logged in cleartext in a log file located at the hardcoded path C:WindowsTempTS_2CE1.tmp and shown in Figure 5.
Figure 5. Log generated during hooks installation
Should the targeted function not be found, the hook installer searches for a fallback function, with a different set of byte patterns.
Matching a sequence of bytes to locate the address of the targeted function instead of using a static offset, plus using a fallback sequence of bytes, allows skip-2.0 to be more resilient to MSSQL updates and to potentially target multiple sqllang.dll updates.
One password to rule them all
The functions targeted by skip-2.0 are related to authentication and event logging. The targeted functions include:
- CPwdPolicyManager::ValidatePwdForLogin
- CSECAuthenticate::AuthenticateLoginIdentity
- ReportLoginSuccess
- IssueLoginSuccessReport
- FExecuteLogonTriggers
- XeSqlPkg::sql_statement_completed::Publish
- XeSqlPkg::sql_batch_completed::Publish
- SecAuditPkg::audit_event::Publish
- XeSqlPkg::login::Publish
- XeSqlPkg::ual_instrument_called::Publish
The most interesting function is the first one (CPwdPolicyManager::ValidatePwdForLogin), which is responsible for validating the password provided for a given user. This function’s hook checks whether the password provided by the user matches the magic password; if that is the case, the original function will not be called and the hook will return 0, allowing the connection even though the correct password was not provided. A global flag is then set that will be checked by the other hooked functions responsible for event logging. The corresponding decompiled procedure is shown in Figure 6. In the case where this global flag is set, the hooked logging functions will silently return without calling their corresponding, original functions, so the action will not be logged. In the case where a different password is provided, the original function is called.
Figure 6. Hex-Rays output of the procedure responsible for matching the password provided at login with the hardcoded string
A similar backdooring technique, based on hardcoded passwords, was used with SSH backdoors previously discovered by ESET. The difference here is that skip-2.0 is installed in-memory, while in the case of the SSH backdoors the sshd executable was modified prior to execution.
Additionally, CSECAuthenticate::AuthenticateLoginIdentity will be called from within its hook code but the hook will always return 0. The ReportLoginSucess and IssueLoginSuccessReport hooks will not call the original functions if the magic password was used to log in. The same behavior is applied to FEExecuteLogonTriggers. Other logging functions such as XeSqlPkg::sql_statement_completed::Publish or XeSqlPkg::sql_batch_completed::Publish will also be disabled in the case where the user logged in with the magic password. Multiple audit events are disabled as well, including SecAuditPkg::audit_event::Publish, XeSqlPkg::login::Publish and XeSqlPkg::ual_instrument_called::Publish.
This series of hooks allows the attacker not only to gain persistence in the victim’s MSSQL Server through the use of a special password, but also to remain undetected thanks to the multiple log and event publishing mechanisms that are disabled when that password is used.
We tested skip-2.0 against multiple MSSQL Server versions and found that we were able to login successfully using the special password with MSSQL Server 11 and 12. To check whether a particular sqllang.dll version is targeted by skip-2.0 (i.e., that matches the byte patterns), we created a YARA rule, which can be found in our GitHub repository.
Connection with the Winnti Group
We observed multiple similarities between skip-2.0 and other tools from the Winnti Group’s arsenal. Its VMProtected launcher, custom packer, Inner-Loader injector and hooking framework are part of the already known toolset of the Winnti Group. This leads us to think that skip-2.0 is also part of that toolset.
Conclusion
The skip-2.0 backdoor is an interesting addition to the Winnti Group’s arsenal, sharing a great deal of similarities with the group’s already known toolset, and allowing the attacker to achieve persistence on an MSSQL Server. Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness.
We will continue to monitor new activities of the Winnti Group and will publish relevant information on our blog. For any inquiries, contact us at threatintel@eset.com.
Indicators of Compromise (IoCs)
Component | SHA-1 | ESET detection name |
---|---|---|
VMP Loader | 18E4FEB988CB95D71D81E1964AA6280E22361B9F 4AF89296A15C1EA9068A279E05CC4A41B967C956 | Win64/Packed.VMProtect.HX |
Inner-Loader injector | A2571946AB181657EB825CDE07188E8BCD689575 | Win64/Injector.BS |
skip-2.0 | 60B9428D00BE5CE562FF3D888441220290A6DAC7 | Win32/Agent.SOK |
Known targeted sqllang.dll files (non-exhaustive list) | 4396D3C904CD340984D474065959E8DD11915444 BE352631E6A6A9D0B7BBA9B82D910FA5AB40C64E D4ADBC3F77ADE63B836FC4D9E5915A3479F09BD4 0BBD3321F93F3DCDD2A332D1F0326142B3F4961A FAE6B48F1D6EDDEC79E62844C444FE3955411EE3 A25B25FFA17E63C6884E28E96B487F58DF4502E7 DE76419331381C390A758E634BF2E165A42D4807 ED08E9B4BA6C4B5A1F26D671AD212AA2FB0874A2 1E1B0D91B37BAEBF77F85D1B7C640B8CC02FE11A 59FB000D36612950FEBC36004F1317F7D000AA0B 661DA36BDD115A1E649F3AAE11AD6F7D6FF2DB63 | N/A |
MITRE ATT&CK techniques
Tactic | ID | Name | Description |
---|---|---|---|
Execution | T1035 | Service Execution | skip-2.0 is started with the SessionEnv service |
Persistence | T1038 | DLL Search Order Hijacking | skip-2.0 probably uses a DLL hijacking technique against the SessionEnv service |
T1179 | Hooking | skip-2.0 hooks multiple functions in sqllang.dll service to bypass authentication and maintain stealth | |
Defense Evasion | T1054 | Indicator Blocking | skip-2.0 blocks event logging |
T1045 | Software Packing | skip.2-0 and Inner-Loader are packed using Winnti’s custom packer. Further, the launcher is VMProtected. | |
Discovery | T1057 | Process Discovery | Inner-Loader lists running processes in order to find the process running MSSQL Server |
Impact | T1485 | Data Destruction | skip-2.0 allows unauthorized access to MSSQL databases, allowing data destruction or tampering |
T1494 | Runtime Data Manipulation | skip-2.0 manipulates event logging at runtime | |
T1492 | Stored Data Manipulation | skip-2.0 allows unauthorized access to MSSQL databases, allowing manipulation of stored data |
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.
GREYCORTEX WINS EY CYBERSECURITY SPACE INNOVATION TROPHY
Brno, Czech Republic
GREYCORTEX is happy to announce that we have won the 2019 EY Cybersecurity Trophy (EY ESO) in the Cybersecurity Space Innovation category. The winners were announced at an awards ceremony in Bratislava, Slovakia on December 10, 2019.
EY, whose motto is “Building a better working world,” has identified the need for greater focus on cybersecurity. Based on many years with the world’s leading consulting firms, competition founder Peter Borák, has good reason to emphasize cybersecurity. Due to the increasing frequency of cyber-attacks, extremely sensitive data is leaked, and risks increase every year. “Our primary concern is to help organizations make better decisions on very complex cybersecurity issues. With faster digitization, the risk is accelerating. All organizations should take care about their data protection,” said Borák.
In its Global Information Security Survey, EY recommends that cyber security and surveillance be included in the structure of every organization. EY’s main goal is not only to draw attention to the problem and to inform the professional and general public about the cyber security issues, but also to offer solutions and a wider understanding of the context of the problem. This is why EY recognizes innovative cybersecurity companies and ethical hackers with these awards.
Petr Chaloupka, CEO of GREYCORTEX, noted after receiving the award: “Cybercriminals now run on huge budgets and are constantly improving their procedures. This is the reason why cybersecurity analysts also need to have state-of-the-art technology to defend themselves effectively. Today, it is no longer possible to manually analyze all traffic in each individual private or state organization, to monitor all possible attack vectors, or eliminate all human failures. That’s why advanced technologies, machine learning, and artificial intelligence are on the scene to help with this defense.” Thanks to the integration of these principles into our MENDEL product, GREYCORTEX was included in Gartner’s 2019 Market Guide for Network Traffic Analysis.
This year, the EY ESO winners are Rastislav Klč in the EY ESO Chief Information Security Officer category, Tomáš Ležovič as EY ESO DNA Born Ethical Hacker, GREYCORTEX s.r.o. as the EY ESO Cyber Security Space Innovation, and Milan Kyselica as the winner of the EY ESO Security Future Promise, as well as overall winner.