New Malware Compromised Hundreds of Microsoft SQL Servers

There has been a discovery of a new type of malware by security researchers named, Maggie, which targets Microsoft SQL servers. Around the world, hundreds of computers have already become infected with the Maggie backdoor.

Maggie is controlled by SQL queries that are executed on the database. Microsoft SQL server admin logins can be hacked, and duplication can be done as a bridge with the network environment of the server.

Heatmap of Maggie

The cybersecurity analysts, Johann Aydinbas and Axel Wauer of the DCSO CyTec were responsible for discovering the backdoor. Maggie has been detected more frequently in the countries listed below, based on the telemetry data:-

• South Korea
• India
• Vietnam
• China
• Russia
• Thailand
• Germany
• The United States

In order for Maggie to operate successfully, it can masquerade itself as a DLL extension which sports an Extended Stored Procedure signature that is signed by a South Korean company, DEEPSoft Co. Ltd.

Commands used by Maggie

With an API, extended stored procedures can be enhanced to provide more functionality when running SQL queries. While this API accepts the:-

• Remote user arguments
• Responds with unstructured data

Through a series of 51 commands, remote access is possible to the backdoor. And here below in the image, you can see all those 51 commands:-

Maggie is capable of performing a wide range of actions with the help of commands, such as:-

• Information about the system can be requested.
• Run or execute programs.
• Add a hardcoded backdoor operator account.
• Files and folders can be accessed and interacted with.
• Set up port forwarding.
• Enables Remote Desktop Services.
• Choose an administrator password.
• The SOCKS5 proxy can be used to route all network packets and thus make the backdoor invisible, making it difficult to detect.

Maggie even offers usage instructions for some of these supported arguments, in the case where the attackers are able to append arguments to these commands.

A total of four Exploit commands are also included in the command list. It’s a clear indication that certain actions, such as adding a new user, may be reliant on known vulnerabilities to be performed by the attacker.

After specifying a password list file and a thread count, a brute force attack on admin passwords is conducted by executing the following commands:-

• SqlScan
• WinSockScan

Network Bridge

A TCP redirection feature is also provided by the malware. The infected MS-SQL server can thus be accessed remotely from any IP address accessible by the attacker. 

Maggie will redirect any incoming connections to the specified IP address and port if this feature is enabled in the system. Currently, there is some information that is not yet known, such as:-

• The operators behind this attack
• How Maggie is used after infection?
• How it’s injected into servers?

What’s most significant is that the threat has already been identified by the researchers and IOCs have been shared. However, the cybersecurity experts have affirmed that they will continue their investigation to find the answers for the above mentioned questions.

Also Read: Download Secure Web Filtering – Free E-book