Security experts have disclosed a new piece of malware targeting Microsoft SQL servers. The backdoor, named Maggie, has already infected hundreds of machines around the world.
Telemetry data reveals that it is active in India, South Korea, China, Russia, Vietnam, Thailand, Germany, and the U.S.
Maggie: the new backdoor
The Maggie backdoor was spotted by German analysts from DCSO CyTec.
It is managed via SQL queries for executing commands and interacting with files.
It can brute-force administrator logins on other Microsoft SQL servers and serve as a bridgehead inside the compromised server.
Additionally, Maggie offers simple TCP redirection functionality, which allows remote attackers to connect to any IP address the compromised MS-SQL server is able to reach.
The backdoor hides as an Extended Stored Procedure DLL (sqlmaggieAntiVirus_64[.]dll) that is digitally signed by DEEPSoft Co. Ltd, a firm based in South Korea.
More technical details
Maggie abuses the extended stored procedure mechanism to provide remote backdoor access through 51 commands. The command list includes four Exploit commands that rely on known flaws for certain actions.
A variety of commands allow querying system details, running programs (such as a SOCKS5 proxy), interacting with files and folders, enabling remote desktop services, and port forwarding.
Administrator passwords are brute-forced via the WinSockScan and SqlScan commands after the attacker defines a thread count and a password list file. Subsequently, a hard-coded backdoor user is added to the server.
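As an added defensive check (not code from the article or from DCSO CyTec), the following T-SQL surfaces the two artefacts described above on a suspected instance: extended stored procedures whose DLL is not Microsoft-shipped or is loaded from an explicit path, and recently created SQL logins that hold sysadmin. The 30-day window and the LIKE pattern on the reported DLL name are assumptions.

```sql
-- Added defensive check, not code from the article or from DCSO CyTec.
-- Run as sysadmin against a suspected instance. Assumes SQL Server 2008 or later,
-- where the catalog views used here exist.

-- 1. Extended stored procedures registered in master. Microsoft-shipped ESPs carry
--    is_ms_shipped = 1 and a bare DLL name (e.g. xpstar.dll); a third-party ESP
--    registered with sp_addextendedproc usually shows a full path instead.
SELECT  ep.name,
        ep.dll_name,
        ep.create_date,
        ep.modify_date,
        CASE
            WHEN ep.dll_name LIKE '%sqlmaggie%' THEN 'matches DLL name reported for Maggie'
            WHEN ep.is_ms_shipped = 0           THEN 'non-Microsoft ESP: verify the DLL'
            WHEN ep.dll_name LIKE '%\%'         THEN 'DLL loaded by explicit path'
            ELSE 'expected'
        END AS verdict
FROM    master.sys.extended_procedures AS ep
WHERE   ep.is_ms_shipped = 0
   OR   ep.dll_name LIKE '%\%'
   OR   ep.dll_name LIKE '%sqlmaggie%'
ORDER BY ep.create_date DESC;

-- 2. SQL (password) logins created recently that hold sysadmin, which is where a
--    hard-coded backdoor user added after a successful brute force would appear.
--    The 30-day window is an assumption; widen it to cover the suspected dwell time.
SELECT  sp.name,
        sp.create_date,
        sp.modify_date,
        sp.is_disabled
FROM    sys.server_principals AS sp
WHERE   sp.type = 'S'                                   -- SQL logins only
  AND   sp.name NOT LIKE '##%'                          -- skip internal certificate logins
  AND   sp.create_date >= DATEADD(day, -30, SYSDATETIME())
  AND   IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
ORDER BY sp.create_date DESC;
```

Any row from the first query whose DLL you cannot account for should be hashed and compared against the published IOCs before the procedure is dropped.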
Moreover, attackers can append arguments to these commands; in some cases, Maggie provides usage instructions for the supported arguments.
At present, it is still not known how Maggie is planted on the servers or who is responsible for the attacks. However, the researchers did publish a list of IOCs to help identify and stop the attacks. Organizations should stay vigilant against such threats and ensure adequate protection is in place.