Saturday, September 7, 2024
HomeCyber Security NewsNew Malware Compromised Hundreds of Microsoft SQL Servers

New Malware Compromised Hundreds of Microsoft SQL Servers

Published on

There has been a discovery of a new type of malware by security researchers named, Maggie, which targets Microsoft SQL servers. Around the world, hundreds of computers have already become infected with the Maggie backdoor.

Maggie is controlled by SQL queries that are executed on the database. Microsoft SQL server admin logins can be hacked, and duplication can be done as a bridge with the network environment of the server.

Heatmap of Maggie

The cybersecurity analysts, Johann Aydinbas and Axel Wauer of the DCSO CyTec were responsible for discovering the backdoor. Maggie has been detected more frequently in the countries listed below, based on the telemetry data:-

- Advertisement - EHA
  • South Korea
  • India
  • Vietnam
  • China
  • Russia
  • Thailand
  • Germany
  • The United States

In order for Maggie to operate successfully, it can masquerade itself as a DLL extension which sports an Extended Stored Procedure signature that is signed by a South Korean company, DEEPSoft Co. Ltd.

Commands used by Maggie

With an API, extended stored procedures can be enhanced to provide more functionality when running SQL queries. While this API accepts the:-

  • Remote user arguments
  • Responds with unstructured data

Through a series of 51 commands, remote access is possible to the backdoor. And here below in the image, you can see all those 51 commands:-

Maggie is capable of performing a wide range of actions with the help of commands, such as:-

  • Information about the system can be requested.
  • Run or execute programs.
  • Add a hardcoded backdoor operator account.
  • Files and folders can be accessed and interacted with.
  • Set up port forwarding.
  • Enables Remote Desktop Services.
  • Choose an administrator password.
  • The SOCKS5 proxy can be used to route all network packets and thus make the backdoor invisible, making it difficult to detect.

Maggie even offers usage instructions for some of these supported arguments, in the case where the attackers are able to append arguments to these commands.

A total of four Exploit commands are also included in the command list. It’s a clear indication that certain actions, such as adding a new user, may be reliant on known vulnerabilities to be performed by the attacker.

After specifying a password list file and a thread count, a brute force attack on admin passwords is conducted by executing the following commands:-

  • SqlScan
  • WinSockScan

Network Bridge

A TCP redirection feature is also provided by the malware. The infected MS-SQL server can thus be accessed remotely from any IP address accessible by the attacker. 

Maggie will redirect any incoming connections to the specified IP address and port if this feature is enabled in the system. Currently, there is some information that is not yet known, such as:-

  • The operators behind this attack
  • How Maggie is used after infection?
  • How it’s injected into servers?

What’s most significant is that the threat has already been identified by the researchers and IOCs have been shared. However, the cybersecurity experts have affirmed that they will continue their investigation to find the answers for the above mentioned questions.

Also Read: Download Secure Web Filtering – Free E-book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...