Hundreds of Microsoft SQL Servers Infected with Maggie Backdoor

Maggie backdoor in Microsoft SQL

Security researchers have discovered a new malware that targets Microsoft SQL servers. The backdoor is dubbed Maggie, has already infected hundreds of machines around the world. The greatest distribution of malware is observed in South Korea, India, Vietnam, China, Russia, Thailand, Germany and the USA.

Let me remind you that we also wrote that Fargo Ransomware aims at vulnerable Microsoft SQL servers, and also that Epsilon Red ransomware threatens Microsoft Exchange servers.

DCSO CyTec experts report that the malware is disguised as an Extended Stored Procedure DLL (sqlmaggieAntiVirus_64.dll) digitally signed by DEEPSoft Co. Ltd, which appears to be based in South Korea.

Maggie is controlled using SQL queries that tell it to execute certain commands or interact with files. The malware is also capable of brute forcing administrator credentials to penetrate other Microsoft SQL servers.

Extended Stored Procedure files extend the functionality of SQL queries by using an API that accepts remote user arguments and responds with unstructured data. As a result, the list of commands supported by the backdoor looks quite impressive.

Maggie backdoor in Microsoft SQL

So, Maggie can request system information, run programs, interact with files and folders, enable remote desktop services (TermService), start a SOCKS5 proxy server, and set up port forwarding.

The researchers note that the command list also contains four “Exploit” commands, which means that attackers may rely on exploiting known vulnerabilities to perform certain actions, such as adding a new user. Unfortunately, we were unable to study these exploits, as they seem to depend on an additional DLL and are not shipped with Maggie.

The SqlScan and WinSockScan commands are responsible for brute-forcing administrator passwords, which are executed after defining a file with a list of passwords and the number of threads. If successful, a new hard-coded user appears on the server.

The researchers’ report also notes that the malware has a simple TCP redirect feature that helps attackers connect to any IP address available to the infected MS-SQL server.

If this feature is enabled, Maggie will redirect any incoming connection (on any port that MSSQL Server is listening on) to a previously set IP address and port if the source IP address matches the user-specified mask.the experts explain.

In addition, the backdoor has SOCKS5 proxy functionality that can be used to route all network packets through the proxy, making the threat even more invisible if needed.

Maggie backdoor in Microsoft SQL

Currently, it remains unclear how exactly hackers use Maggie after infection, how the malware is introduced to servers at all, and who is behind these attacks.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *