
skip-2.0

Posted: October 22, 2019

High-profile threat actors know that there are no long-term benefits in creating destructive malware whose sole purpose is to cause mayhem. This is why they rely on stealthy, functional cyber-threats that give them persistent access to or control over the compromised computer and let them collect data or modify the system's configuration as often as they need. One of the tools used for such purposes is skip-2.0, a piece of malware developed by the Winnti Group. The Winnti Group (also known as APT41) is an Advanced Persistent Threat group whose members are believed to reside in China. Its name has been associated with numerous attacks against the game and software industry sectors, and the group is known to specialize in supply chain attacks that are difficult to spot and mitigate.

A Backdoor that Specializes in Exploiting MSSQL Databases

Skip-2.0 is a backdoor Trojan that specializes in exploiting Microsoft SQL (MSSQL) servers. It is not clear what infection vector the Winnti Group uses to distribute the skip-2.0 backdoor, but researchers who analyzed how it operates concluded that the backdoor is designed to configure a 'magic password' for all accounts on a compromised MSSQL server. By using this password, the attackers can log in as any of the compromised accounts on the MSSQL server and then use that account's privileges to manipulate the server's configuration or the database's contents.

Skip-2.0 can Configure a Master 'Magic Password' for All Compromised Accounts

The user passwords stored in these databases are heavily encrypted, so it would be very difficult for the attackers to extract and use the login credentials of all registered users. However, there are other tricks they can use to profit from the skip-2.0 backdoor – for example, if they target a certain game or game company, they could use their escalated database privileges to modify the cost of certain game resources or in-game currencies. With the number of transactions completed in mobile games today, a small change to the prices of certain commodities, packages or offers may result in significant profits for the operators of the skip-2.0 backdoor.

Skip-2.0 can only be installed on MSSQL servers that have already been compromised by the Winnti Group hackers. After deployment, the backdoor Trojan clears the logs of its activities, which improves its chances of remaining active for as long as possible.
