ESET identifies Latin American banking trojan, Mispadu, targeting victims with malicious Facebook ads

BRATISLAVA – ESET, a global leader in cybersecurity, continues its research into Latin American banking trojans with the identification of another previously unknown malware family, Mispadu.

Similar to the Amavaldo and Casbaneiro malware families recently described by ESET, Mispadu is written in Delphi and targets victims through the use of fake pop-up windows trying to persuade potential victims to share their personal details and credentials. The Mispadu banking trojan, which primarily targets Brazil and Mexico, contains backdoor functionality, can take screenshots, simulates mouse and keyboard actions, and captures keystrokes.

The ESET research team has seen the Mispadu family using two different distribution methods – spam and malvertising. While the former is common among Latin American banking trojans, the latter is quite rare. The threat actor behind Mispadu places sponsored advertisements on Facebook that offer fake discount coupons for McDonald’s. Clicking on the advertisement leads the potential victim to a malicious webpage where a ZIP file containing an MSI installer, masquerading as a discount coupon, can be downloaded. If downloaded and executed, a chain of three scripts follows, resulting in the download and execution of the Mispadu banking trojan. The trojan uses four potentially unwanted applications, all modified copies of legitimate software, to extract the victim’s stored credentials from web browsers and email clients.

In Brazil, Mispadu has been seen also distributing an interesting, malicious Google Chrome extension. The extension claims to “Protect your Chrome,” but instead it attempts to steal credit card and online banking data, and can even compromise Boleto, a popular payment system in Brazil that uses a barcode-based ticketing system to transfer payments. The Boleto component of the Mispadu malware attack is its most advanced feature, as it replaces the legitimate barcode on a Boleto ticket with one connected to the attacker’s bank account, generated via the abuse of a legitimate website.

For more details, read the blog post, Mispadu: advertisement for a discounted Unhappy Meal, on WeLiveSecurity.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

【ESET版本升級重要公告訊息】2020.1.27終止支援舊版本之病毒碼更新服務,現有用戶可享免費升級

感謝您對 ESET 資安全系列產品的支持!ESET 將於 2020 年 1 月 27 日,終止支援下述版本的【病毒碼更新服務】。為了確保您的公司得到最新技術與完整的資安防護,建議貴公司立即更新所使用之ESET資安產品至最新版本,溫馨提醒現有用戶,可享免費升級
 
終止支援病毒碼更新服務之產品清單
 
ESET企業端點網路安全for  Windows(6.6.2046.x 或 6.6.2052.x)
ESET 企業端點防毒for  Windows(6.6.2046.x 或 6.6.2052.x)
 
 
Q & A
1. 升級需要費用嗎?
在有效授權期間,從舊版本升級至最新版本是免費的,產品更新不會產生額外費用。
 
2. 為何要升級至最新版本?
由於新版本可以協助企業抵禦最新或未知的資安威脅,建議您更新所使用之ESET資安產品至最新版本,來保護貴公司的重要資料。
 
3. 升級到最新版本需要多長時間?
因每個客戶之資安配置不同,建議洽詢專業的資安團隊,您可撥打客服專線(02)7722-6899,將有專人為您服務。
 
 
**免 費 升 級**
 
ESET企業端點網路安全for  Windows 
 
ESET 企業端點防毒for  Windows
 
如有任何軟體升級問題或設定的技術支援需求,歡迎上官網查詢或洽詢專業資安團隊:(02) 7722-6899

針對Windows系統的「BlueKeep」漏洞攻擊正在發生

 
今年5月微軟警告Windows終端服務存在編號CVE-2019-0708的漏洞,或稱BlueKeep。本漏洞可使攻擊者利用RDP(遠端桌面協定:Remote Desktop Protocol,簡稱RDP)連上目標系統,傳送改造過的呼叫,藉此執行任意程式碼、安裝惡意程式、讀取或刪改資料、或新開具完整權限的用戶帳號。作為預先驗證(pre-authentication)漏洞,BlueKeep可讓蠕蟲繁殖(wormable),從一臺有漏洞的電腦複製自我擴散到其他電腦上,有如WannaCryptor。受影響的作業系統包括Windows 7、Windows Server 2008 及2008 R2,及已經終止支援的Windows XP及Server 2003。
 
在11月針對有BlueKeep漏洞的系統之首波攻擊,雖其主要目的在於植入Monero挖礦軟體,但真正的隱憂在於,此漏洞能讓攻擊者駭入伺服器,再利用自動化工具在內網為害,像是丟入勒索軟體 (類似WannaCryptor) ,因此BlueKeep攻擊仍十分危險,不能掉以輕心。而自5月到目前為止,微軟也發出了三次警告,並提醒用戶盡快修補漏洞、進行更新及呼籲不要小看其嚴重性。
 
 
【ESET勒索病毒解決方案】https://www.eset.tw/html/86/20170605/
或歡迎洽詢資安專業團隊,服務電話:(02)7722-6899
 

Tracking down the developer of Android adware affecting millions of users

We detected a large adware campaign running for about a year, with the involved apps installed eight million times from Google Play alone.We identified 42 apps on Google Play as belonging to the campaign, which had been running since July 2018. Of those, 21 were still available at the time of discovery. We reported the apps to the Google security team and they were swiftly removed. However, the apps are still available in third-party app stores. ESET detects this adware, collectively, as Android/AdDisplay.Ashas.

Figure 1. Apps of the Android/AdDisplay.Ashas family reported to Google by ESET

Figure 2. The most popular member of the Android/AdDisplay.Ashas family on Google Play was “Video downloader master” with over five million downloads

Ashas functionality

All the apps provide the functionality they promise, besides working as adware. The adware functionality is the same in all the apps we analyzed. [Note: The analysis of the functionality below describes a single app, but applies to all apps of the Android/AdDisplay.Ashas family.]

Once launched, the app starts to communicate with its C&C server (whose IP address is base64-encoded in the app). It sends “home” key data about the affected device: device type, OS version, language, number of installed apps, free storage space, battery status, whether the device is rooted and Developer mode enabled, and whether Facebook and FB Messenger are installed.

Figure 3. Sending information about the affected device

The app receives configuration data from the C&C server, needed for displaying ads, and for stealth and resilience.

Figure 4. Configuration file received from the C&C server

As for stealth and resilience, the attacker uses a number of tricks.

First, the malicious app tries to determine whether it is being tested by the Google Play security mechanism. For this purpose, the app receives from the C&C server the isGoogleIp flag, which indicates whether the IP address of the affected device falls within the range of known IP addresses for Google servers. If the server returns this flag as positive, the app will not trigger the adware payload.

Second, the app can set a custom delay between displaying ads. The samples we have seen had their configuration set to delay displaying the first ad by 24 minutes after the device unlocks. This delay means that a typical testing procedure, which takes less than 10 minutes, will not detect any unwanted behavior. Also, the longer the delay, the lower the risk of the user associating the unwanted ads with a particular app.

Third, based on the server response, the app can also hide its icon and create a shortcut instead. If a typical user tries to get rid of the malicious app, chances are that only the shortcut ends up getting removed. The app then continues to run in the background without the user’s knowledge. This stealth technique has been gaining popularity among adware-related threats distributed via Google Play.

Figure 5. Time delay to postpone displaying ads implemented by the adware

Once the malicious app receives its configuration data, the affected device is ready to display ads as per the attacker’s choice; each ad is displayed as a full screen activity. If the user wants to check which app is responsible for the ad being displayed, by hitting the “Recent apps” button, another trick is used: the app displays a Facebook or Google icon, as seen in Figure 6. The adware mimics these two apps to look legitimate and avoid suspicion – and thus stay on the affected device for as long as possible.

Figure 6. The adware activity impersonates Facebook (left). If the user long-presses the icon, the name of the app responsible for the activity is revealed (right).

Finally, the Ashas adware family has its code hidden under the com.google.xxx package name. This trick – posing as a part of a legitimate Google service – may help avoid scrutiny. Some detection mechanisms and sandboxes may whitelist such package names, in an effort to prevent wasting resources.

Figure 7. Malicious code hidden in a package named “com.google”

Hunting down the developer

Using open-source information, we tracked down the developer of the adware, who we also identified as the campaign’s operator and owner of the C&C server. In the following paragraphs, we outline our  efforts to discover other applications from the same developer and protect our users from it.

First, based on information that is associated with the registered C&C domain, we identified the name of the registrant, along with further data like country and email address, as seen in Figure 8.

Figure 8. Information about the C&C domain used by the Ashas adware

Knowing that the information provided to a domain registrar might be fake, we continued our search. The email address and country information drove us to a list of students attending a class at a Vietnamese university – corroborating the existence of the person under whose name the domain was registered.

Figure 9. A university class student list including the C&C domain registrant

Due to poor privacy practices on the part of our culprit’s university, we now know his date of birth (probably: he seemingly used his birth year as part of his Gmail address, as further partial confirmation), we know that he was a student and what university he attended. We were also able to confirm that the phone number he provided to the domain registrar was genuine. Moreover, we retrieved his University ID; a quick googling showed some of his exam grades. However, his study results are out of the scope of our research.

Based on our culprit’s email address, we were able to find his GitHub repository. His repository proves that he is indeed an Android developer, but it contained no publicly available code of the Ashas adware at the time of writing of this blogpost.

However, a simple Google search for the adware package name returned a “TestDelete” project that had been available in his repository at some point

The malicious developer also has apps in Apple’s App Store. Some of them are iOS versions of the ones removed from Google Play, but none contain adware functionality.

Figure 10. The malicious developer’s apps published on the App Store which don’t contain the Ashas adware

Searching further for the malicious developer’s activities, we also discovered his Youtube channel propagating the Ashas adware and his other projects. As for the Ashas family, one of the associated promotional videos, “Head Soccer World Champion 2018 – Android, ios” was viewed almost three million times and two others reached hundreds of thousands of views, as seen in Figure 11.

Figure 11. YouTube channel of the malicious developer

His YouTube channel provided us with another valuable piece of information: he himself features in a video tutorial for one of his other projects. Thanks to that project, we were able to extract his Facebook profile – which lists his studies at the aforementioned university.

Figure 12. Facebook profile of the C&C domain registrar (cover picture and profile picture edited out)

Linked on the malicious developer’s Facebook profile, we discovered a Facebook page, Minigameshouse, and an associated domain, minigameshouse[.]net. This domain is similar to the one the malware author used for his adware C&C communication, minigameshouse[.]us.

Checking this Minigameshouse page further indicates that this person is indeed the owner of the minigameshouse[.]us domain: the phone number registered with this domain is the same as the phone number appearing on the Facebook page.

Figure 13. Facebook page managed by the C&C domain registrant uses the same base domain name (minigameshouse) and phone number as the registered malicious C&C used by the Ashas adware

Of interest is that on the Minigameshouse Facebook page, the malicious developer promotes a slew of games beyond the Ashas family for download on both Google Play and the App Store. However, all of those have been removed from Google Play – despite the fact that some of them didn’t contain any adware functionality.

On top of all this, one of the malicious developer’s YouTube videos – a tutorial on developing an “Instant Game” for Facebook – serves as an example of operational security completely ignored. We were able to see that his recently visited web sites were Google Play pages belonging to apps containing the Ashas adware. He also used his email account to log into various services in the video, which identifies him as the adware domain owner, beyond any doubt.

Thanks to the video, we were even able to identify three further apps that contained adware functionality and were available on Google Play.

Figure 14. Screenshots from this developer’s YouTube video shows history of checking Ashas adware on Google Play

ESET telemetry

Figure 15. ESET detections of Android/AdDisplay.Ashas on Android devices by country

Is adware harmful?

Because the real nature of apps containing adware is usually hidden to the user, these apps and their developers should be considered untrustworthy. When installed on a device, apps containing adware may, among other things:

  • Annoy users with intrusive advertisements, including scam ads
  • Waste the device’s battery resources
  • Generate increased network traffic
  • Gather users’ personal information
  • Hide their presence on the affected device to achieve persistence
  • Generate revenue for their operator without any user interaction

Conclusion

Based solely on open source intelligence, we were able to trace the developer of the Ashas adware and establish his identity and discover additional related adware-infected apps. Seeing that the developer did not take any measures to protect his identity, it seems likely that his intentions weren’t dishonest at first – and this is also supported by the fact that not all his published apps contained unwanted ads.

At some point in his Google Play “career”, he apparently decided to increase his ad revenue by implementing adware functionality in his apps’ code. The various stealth and resilience techniques implemented in the adware show us that the culprit was aware of the malicious nature of the added functionality and attempted to keep it hidden.

Sneaking unwanted or harmful functionality into popular, benign apps is a common practice among “bad” developers, and we are committed to tracking down such apps. We report them to Google and take other steps to disrupt malicious campaigns we discover. Last but not least, we publish our findings to help Android users protect themselves.

Indicators of Compromise (IoCs)

Package name Hash Installs
com.ngocph.masterfree c1c958afa12a4fceb595539c6d208e6b103415d7 5,000,000+
com.mghstudio.ringtonemaker 7a8640d4a766c3e4c4707f038c12f30ad7e21876 500,000+
com.hunghh.instadownloader 8421f9f25dd30766f864490c26766d381b89dbee 500,000+
com.chungit.tank1990 237f9bfe204e857abb51db15d6092d350ad3eb01 500,000+
com.video.downloadmasterfree 43fea80444befe79b55e1f05d980261318472dff 100,000+
com.massapp.instadownloader 1382c2990bdce7d0aa081336214b78a06fceef62 100,000+
com.chungit.tankbattle 1630b926c1732ca0bb2f1150ad491e19030bcbf2 100,000+
com.chungit.basketball 188ca2d47e1fe777c6e9223e6f0f487cb5e98f2d 100,000+
com.applecat.worldchampion2018 502a1d6ab73d0aaa4d7821d6568833028b6595ec 100,000+
org.minigamehouse.photoalbum a8e02fbd37d0787ee28d444272d72b894041003a 100,000+
com.mngh.tuanvn.fbvideodownloader 035624f9ac5f76cc38707f796457a34ec2a97946 100,000+
com.v2social.socialdownloader 2b84fb67519487d676844e5744d8d3d1c935c4b7 100,000+
com.hikeforig.hashtag 8ed42a6bcb14396563bb2475528d708c368da316 100,000+
com.chungit.heroesjump c72e92e675afceca23bbe77008d921195114700c 100,000+
com.mp4.video.downloader 61E2C86199B2D94ABF2F7508300E3DB44AE1C6F1 100,000+
com.videotomp4.downloader 1f54e35729a5409628511b9bf6503863e9353ec9 50,000+
boxs.puzzles.Puzzlebox b084a07fdfd1db25354ad3afea6fa7af497fb7dc 50,000+
com.intatwitfb.download.videodownloader 8d5ef663c32c1dbcdd5cd7af14674a02fed30467 50,000+
com.doscreenrecorder.screenrecorder e7da1b95e5ddfd2ac71587ad3f95b2bb5c0f365d 50,000+
com.toptools.allvideodownloader 32E476EA431C6F0995C75ACC5980BDBEF07C8F7F 50,000+
com.top1.videodownloader a24529933f57aa46ee5a9fd3c3f7234a1642fe17 10,000+
com.santastudio.headsoccer2 86d48c25d24842bac634c2bd75dbf721bcf4e2ea 10,000+
com.ringtonemakerpro.ringtonemakerapp2019 5ce9f25dc32ac8b00b9abc3754202e96ef7d66d9 10,000+
com.hugofq.solucionariodebaldor 3bb546880d93e9743ac99ad4295ccaf982920260 10,000+
com.anit.bouncingball 6e93a24fb64d2f6db2095bb17afa12c34b2c8452 10,000+
com.dktools.liteforfb 7bc079b1d01686d974888aa5398d6de54fd9d116 10,000+
net.radiogroup.tvnradio ba29f0b4ad14b3d77956ae70d812eae6ac761bee 10,000+
com.anit.bouncingball 6E93A24FB64D2F6DB2095BB17AFA12C34B2C8452 10,000+
com.floating.tube.bymuicv 6A57D380CDDCD4726ED2CF0E98156BA404112A53 10,000+
org.cocos2dx.SpiderSolitaireGames adbb603195c1cc33f8317ba9f05ae9b74759e75b 5,000+
games.puzzle.crosssum 31088dc35a864158205e89403e1fb46ef6c2c3cd 5,000+
dots.yellow.craft 413ce03236d3604c6c15fc8d1ec3c9887633396c 5,000+
com.tvngroup.ankina.reminderWater 5205a5d78b58a178c389cd1a7b6651fe5eb7eb09 5,000+
com.hdevs.ringtonemaker2019 ba5a4220d30579195a83ddc4c0897eec9df59cb7 5,000+
com.carlosapps.solucionariodebaldor 741a95c34d3ad817582d27783551b5c85c4c605b 5,000+
com.mngh1.flatmusic 32353fae3082eaeedd6c56bb90836c89893dc42c 5,000+
com.tvn.app.smartnote ddf1f864325b76bc7c0a7cfa452562fe0fd41351 1,000+
com.thrtop.alldownloader f46ef932a5f8e946a274961d5bdd789194bd2a7d 1,000+
com.anthu91.soccercard 0913a34436d1a7fcd9b6599fba64102352ef2a4a 1,000+
com.hugofq.wismichudosmildiecisiete 4715bd777d0e76ca954685eb32dc4d16e609824f 1,000+
com.gamebasketball.basketballperfectshot e97133aaf7d4bf90f93fefb405cb71a287790839 1,000+
com.nteam.solitairefree 3095f0f99300c04f5ba877f87ab86636129769b1 100+
com.instafollowers.hiketop 3a14407c3a8ef54f9cba8f61a271ab94013340f8 1+

C&C server

http://35.198.197[.]119:8080

MITRE ATT&CK techniques

Tactic ID Name Description
Initial Access T1475 Deliver Malicious App via Authorized App Store The malware impersonates legitimate services on Google Play
Persistence T1402 App Auto-Start at Device Boot An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app’s functionality will be activated every time the device starts
Impact T1472 Generate Fraudulent Advertising Revenue Generates revenue by automatically displaying ads

Kudos to @jaymin9687 for bringing the problem of unwanted ads in the “Video downloader master” app to our attention.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor

Notorious cyberespionage group debases MSSQL

For a while, ESET researchers have been tracking the activities of the Winnti Group, active since at least 2012 and responsible for high-profile supply-chain attacks against the video game and software industry. Recently, we discovered a previously undocumented backdoor targeting Microsoft SQL (MSSQL) that allows attackers to maintain a very discreet foothold inside compromised organizations. This backdoor bears multiple similarities to the PortReuse backdoor, another tool used by the Winnti Group that was first documented by ESET in October 2019, such as the use of the same custom packer and VMProtected launcher, which is why we attribute this backdoor to the Winnti Group.

Earlier this year, we received a sample of this new backdoor called skip-2.0 by its authors and part of the Winnti Group’s arsenal. This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password – while automatically hiding these connections from the logs. Such a backdoor could allow an attacker to stealthily copy, modify or delete database content. This could be used, for example, to manipulate in-game currencies for financial gain. In-game currency database manipulations by Winnti operators have already been reported. To the best of our knowledge, skip-2.0 is the first MSSQL Server backdoor to be documented publicly. Note that even though MSSQL Server 11 and 12 are not the most recent versions (released in 2012 and 2014, respectively), they are the most commonly used ones according to Censys’s data.

We recently published a white paper updating our understanding of the arsenal of the Winnti Group, and that exposed a previously undocumented backdoor of theirs called PortReuse. It uses an identical packer to that used with the payload embedded in compromised video games uncovered by ESET in March 2019. The VMProtected launcher that drops the PortReuse backdoor was also found being used to launch recent ShadowPad versions. In that context, we were able to find a new tool called skip.2-0 by its developer. It uses the same VMProtected launcher as well as Winnti Group’s custom packer and exhibits multiple similarities with other samples from the Winnti Group’s toolset. This leads us to ascribe skip-2.0 to that toolset also.

This article will focus on the technical details and functionality of this MSSQL Server backdoor, as well as on exposing the technical similarities of skip.2-0 with the Winnti Group’s known arsenal – in particular, with the PortReuse backdoor and ShadowPad. A note on the reasons why we chose the “Winnti Group” naming can be found on our white paper.

VMProtected launcher

We found skip-2.0 while looking for VMProtected launchers, for which the payload is usually either PortReuse or ShadowPad.

Embedded payload

As with the encrypted PortReuse and ShadowPad payloads, skip-2.0 is embedded in the VMProtected launcher’s overlay, as shown in Figure 1:

Figure 1. VMProtected launcher’s headers. The payload is embedded in the PE overlay.

Encryption

<

The payload encryption is identical to that used in the other VMProtected launchers. It is RC5-encrypted with a key derived from the VolumeID and the string f@Ukd!rCto R$. – as described in our previous white paper on the Winnti Group arsenal.

Persistence

As in the case of PortReuse and ShadowPad, the launcher probably persists by exploiting a DLL hijacking vulnerability by being installed at C:WindowsSystem32TSVIPSrv.DLL. This results in the DLL being loaded by the standard Windows SessionEnv service at system startup.

Winnti Group’s custom packer

Once decrypted the embedded payload is actually Winnti Group’s custom packer. This packer is the same shellcode that was documented in our previous article and white paper. It is used to pack the PortReuse backdoor as well as the payload embedded in the compromised video games.

Packer configuration

As described in our previous article, the packer configuration contains the decryption key of the packed binary as well as its original filename, its size and the execution type (EXE or DLL). The payload’s packer configuration is shown in Table 1.

Parent SHA-1Payload SHA-1RC4 keyFilenameLaunch type
9aafe81d07b3e5bb282608f0a2a4656eb485b7c9a2571946ab181657eb825cde07188e8bcd689575163716559Inner-Loader.dll2

Table 1. Payload’s packer configuration

One can see from the packer configuration that the payload is called Inner-LoaderInner-Loader is the name of an injector that is the part of the Winnti Group’s arsenal used to inject the PortReuse backdoor into processes listening on a particular port, as described in our previous publication. Beyond that identical name, by analyzing this payload it appears that it is another variant of the Inner-Loader injector.

Inner-Loader injector

This variant of Inner-Loader, instead of looking for a process listening on a particular port, as in the case when injecting the PortReuse backdoor, looks for a process called sqlserv.exe, which is the conventional process name of MSSQL Server. If found, Inner-Loader then injects a payload into this process. This payload is also packed with the custom packer – the packer configuration of that payload is shown in Table 2.

Parent SHA-1Payload SHA-1RC4 keyFilenameLaunch type
a2571946ab181657eb825cde07188e8bcd68957560b9428d00be5ce562ff3d888441220290a6dac7923567961skip-2.0.dll2

Table 2. Packer configuration of the payload embedded in Inner-Loader

The original filename of this injected payload is skip-2.0.dll.

skip-2.0

After having been injected and launched by Inner-Loaderskip-2.0 first checks whether it is executing within an sqlserv.exe process and if so, retrieves a handle to sqllang.dll, which is loaded by sqlserv.exe. It then proceeds to find and hook multiple functions from that DLL. Figure 2 depicts the skip-2.0 chain of compromise.

Figure 2. skip-2.0 unpacking and injection

Hooking sqllang.dll

The hooking procedure used by skip-2.0 is very similar to the one used by NetAgent, the PortReuse module responsible for installing the networking hook. This hooking library is based on the distorm open source disassembler that is used by multiple open source hooking frameworks. In particular, a disassembling library is needed to correctly compute the size of the instructions to be hooked. One can see in Figure 3 that the hooking procedure used by NetAgent and skip-2.0 are almost identical.

Figure 3. Hex-Rays output comparison between the NetAgent (left) and skip-2.0 (right) hooking procedures

There is one notable difference, which is the fact that the hooking function from skip-2.0 takes the address of the hook to be installed as an argument, while for NetAgent, the address of the hook to install is hardcoded. This is due to the fact that skip-2.0 has to hook multiple functions in sqllang.dll to operate properly, while NetAgent targets only a single function.

To locate each sqllang.dll function to be hooked, skip-2.0 first retrieves the size of the DLL once loaded in memory (i.e. its virtual size) by parsing its PE headers. Then an array of bytes to be matched within sqllang.dll is initialized as shown in Figure 4. Once the address of the first occurrence matching the byte array is found, the hook is installed using the procedure shown in Figure 3.

Figure 4. Hex-Rays output of the procedure initializing the byte array to match in sqllang.dll

The success of the hook installation is then logged in cleartext in a log file located at the hardcoded path C:WindowsTempTS_2CE1.tmp and shown in Figure 5.

Figure 5. Log generated during hooks installation

Should the targeted function not be found, the hook installer searches for a fallback function, with a different set of byte patterns.

Matching a sequence of bytes to locate the address of the targeted function instead of using a static offset, plus using a fallback sequence of bytes, allows skip-2.0 to be more resilient to MSSQL updates and to potentially target multiple sqllang.dll updates.

One password to rule them all

The functions targeted by skip-2.0 are related to authentication and event logging. The targeted functions include:

  • CPwdPolicyManager::ValidatePwdForLogin
  • CSECAuthenticate::AuthenticateLoginIdentity
  • ReportLoginSuccess
  • IssueLoginSuccessReport
  • FExecuteLogonTriggers
  • XeSqlPkg::sql_statement_completed::Publish
  • XeSqlPkg::sql_batch_completed::Publish
  • SecAuditPkg::audit_event::Publish
  • XeSqlPkg::login::Publish
  • XeSqlPkg::ual_instrument_called::Publish

The most interesting function is the first one (CPwdPolicyManager::ValidatePwdForLogin), which is responsible for validating the password provided for a given user. This function’s hook checks whether the password provided by the user matches the magic password; if that is the case, the original function will not be called and the hook will return 0, allowing the connection even though the correct password was not provided. A global flag is then set that will be checked by the other hooked functions responsible for event logging. The corresponding decompiled procedure is shown in Figure 6. In the case where this global flag is set, the hooked logging functions will silently return without calling their corresponding, original functions, so the action will not be logged. In the case where a different password is provided, the original function is called.

Figure 6. Hex-Rays output of the procedure responsible for matching the password provided at login with the hardcoded string

A similar backdooring technique, based on hardcoded passwords, was used with SSH backdoors previously discovered by ESET. The difference here is that skip-2.0 is installed in-memory, while in the case of the SSH backdoors the sshd executable was modified prior to execution.

Additionally, CSECAuthenticate::AuthenticateLoginIdentity will be called from within its hook code but the hook will always return 0. The ReportLoginSucess and IssueLoginSuccessReport hooks will not call the original functions if the magic password was used to log in. The same behavior is applied to FEExecuteLogonTriggers. Other logging functions such as XeSqlPkg::sql_statement_completed::Publish or XeSqlPkg::sql_batch_completed::Publish will also be disabled in the case where the user logged in with the magic password. Multiple audit events are disabled as well, including SecAuditPkg::audit_event::Publish, XeSqlPkg::login::Publish and XeSqlPkg::ual_instrument_called::Publish.

This series of hooks allows the attacker not only to gain persistence in the victim’s MSSQL Server through the use of a special password, but also to remain undetected thanks to the multiple log and event publishing mechanisms that are disabled when that password is used.

We tested skip-2.0 against multiple MSSQL Server versions and found that we were able to login successfully using the special password with MSSQL Server 11 and 12. To check whether a particular sqllang.dll version is targeted by skip-2.0 (i.e., that matches the byte patterns), we created a YARA rule, which can be found in our GitHub repository.

Connection with the Winnti Group

We observed multiple similarities between skip-2.0 and other tools from the Winnti Group’s arsenal. Its VMProtected launcher, custom packer, Inner-Loader injector and hooking framework are part of the already known toolset of the Winnti Group. This leads us to think that skip-2.0 is also part of that toolset.

Conclusion

The skip-2.0 backdoor is an interesting addition to the Winnti Group’s arsenal, sharing a great deal of similarities with the group’s already known toolset, and allowing the attacker to achieve persistence on an MSSQL Server. Considering that administrative privileges are required for installing the hooks, skip-2.0 must be used on already compromised MSSQL Servers to achieve persistence and stealthiness.

We will continue to monitor new activities of the Winnti Group and will publish relevant information on our blog. For any inquiries, contact us at threatintel@eset.com.

Indicators of Compromise (IoCs)

ComponentSHA-1ESET detection name
VMP Loader18E4FEB988CB95D71D81E1964AA6280E22361B9F
4AF89296A15C1EA9068A279E05CC4A41B967C956		Win64/Packed.VMProtect.HX
Inner-Loader injectorA2571946AB181657EB825CDE07188E8BCD689575Win64/Injector.BS
skip-2.060B9428D00BE5CE562FF3D888441220290A6DAC7Win32/Agent.SOK
Known targeted sqllang.dll files (non-exhaustive list)4396D3C904CD340984D474065959E8DD11915444
BE352631E6A6A9D0B7BBA9B82D910FA5AB40C64E
D4ADBC3F77ADE63B836FC4D9E5915A3479F09BD4
0BBD3321F93F3DCDD2A332D1F0326142B3F4961A
FAE6B48F1D6EDDEC79E62844C444FE3955411EE3
A25B25FFA17E63C6884E28E96B487F58DF4502E7
DE76419331381C390A758E634BF2E165A42D4807
ED08E9B4BA6C4B5A1F26D671AD212AA2FB0874A2
1E1B0D91B37BAEBF77F85D1B7C640B8CC02FE11A
59FB000D36612950FEBC36004F1317F7D000AA0B
661DA36BDD115A1E649F3AAE11AD6F7D6FF2DB63		N/A

 

MITRE ATT&CK techniques

TacticIDNameDescription
ExecutionT1035Service Executionskip-2.0 is started with the SessionEnv service
PersistenceT1038DLL Search Order Hijackingskip-2.0 probably uses a DLL hijacking technique against the SessionEnv service
T1179Hookingskip-2.0 hooks multiple functions in sqllang.dll service to bypass authentication and maintain stealth
Defense EvasionT1054Indicator Blockingskip-2.0 blocks event logging
T1045Software Packingskip.2-0 and Inner-Loader are packed using Winnti’s custom packer. Further, the launcher is VMProtected.
DiscoveryT1057Process DiscoveryInner-Loader lists running processes in order to find the process running MSSQL Server
ImpactT1485Data Destructionskip-2.0 allows unauthorized access to MSSQL databases, allowing data destruction or tampering
T1494Runtime Data Manipulationskip-2.0 manipulates event logging at runtime
T1492Stored Data Manipulationskip-2.0 allows unauthorized access to MSSQL databases, allowing manipulation of stored data

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

GREYCORTEX WINS EY CYBERSECURITY SPACE INNOVATION TROPHY

Brno, Czech Republic

GREYCORTEX is happy to announce that we have won the 2019 EY Cybersecurity Trophy (EY ESO) in the Cybersecurity Space Innovation category. The winners were announced at an awards ceremony in Bratislava, Slovakia on December 10, 2019.

EY, whose motto is “Building a better working world,” has identified the need for greater focus on cybersecurity. Based on many years with the world’s leading consulting firms, competition founder Peter Borák, has good reason to emphasize cybersecurity. Due to the increasing frequency of cyber-attacks, extremely sensitive data is leaked, and risks increase every year. “Our primary concern is to help organizations make better decisions on very complex cybersecurity issues. With faster digitization, the risk is accelerating. All organizations should take care about their data protection,” said Borák.

In its Global Information Security Survey, EY recommends that cyber security and surveillance be included in the structure of every organization. EY’s main goal is not only to draw attention to the problem and to inform the professional and general public about the cyber security issues, but also to offer solutions and a wider understanding of the context of the problem. This is why EY recognizes innovative cybersecurity companies and ethical hackers with these awards.

Petr Chaloupka, CEO of GREYCORTEX, noted after receiving the award: “Cybercriminals now run on huge budgets and are constantly improving their procedures. This is the reason why cybersecurity analysts also need to have state-of-the-art technology to defend themselves effectively. Today, it is no longer possible to manually analyze all traffic in each individual private or state organization, to monitor all possible attack vectors, or eliminate all human failures. That’s why advanced technologies, machine learning, and artificial intelligence are on the scene to help with this defense.” Thanks to the integration of these principles into our MENDEL product, GREYCORTEX was included in Gartner’s 2019 Market Guide for Network Traffic Analysis.

This year, the EY ESO winners are Rastislav Klč in the EY ESO Chief Information Security Officer category, Tomáš Ležovič as EY ESO DNA Born Ethical Hacker, GREYCORTEX s.r.o. as the EY ESO Cyber Security Space Innovation, and Milan Kyselica as the winner of the EY ESO Security Future Promise, as well as overall winner.

 

EY ESO photo