Security experts have discovered a new piece of malware that targets Microsoft SQL servers. The backdoor, known as Maggie, has already spread to hundreds of systems around the world. Maggie is controlled through SQL queries that instruct it to work with files and execute commands. Its capabilities also include acting as a bridgehead into the server’s network environment and brute-forcing administrator logins to other Microsoft SQL servers.
German analysts Johann Aydinbas and Axel Wauer of DCSO CyTec found the backdoor. According to telemetry data, Maggie is most common in South Korea, India, China, Vietnam, Russia, Germany, Thailand, and the United States. Malware analysis revealed that it poses as an Extended Stored Procedure DLL (“sqlmaggieAntiVirus_64.dll”) that is digitally signed by what appears to be a South Korean company called DEEPSoft Co. Ltd.
Extended stored procedure files expand the capabilities of SQL queries by exposing an API that accepts remote user parameters and returns unstructured data. With a collection of 51 commands, Maggie abuses this mechanism to provide remote backdoor access. According to the DCSO CyTec report, the range of commands offered by Maggie enables users to interact with files and directories, launch applications, enable remote desktop services (TermService), operate a SOCKS5 proxy, and configure port forwarding.
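Because Maggie persists as an extended stored procedure, the DLL it registers is visible in the master database catalog. The following T-SQL hunt query is an added example and is not part of the DCSO CyTec analysis; the only page-specific value it uses is the reported DLL name, and it otherwise relies on the standard `sys.extended_procedures` and `sys.objects` catalog views.

```sql
-- Extended stored procedures are registered in master via sp_addextendedproc,
-- so that is where a review of registered DLLs has to run.
USE master;
GO

SELECT
    o.name        AS procedure_name,   -- the xp_* name callable from SQL
    xp.dll_name,                       -- DLL the engine loads for it
    o.create_date,
    o.modify_date,
    CASE
        -- DLL name reported for Maggie in the DCSO CyTec analysis
        WHEN xp.dll_name LIKE '%sqlmaggieAntiVirus%'
            THEN 'MATCH: known Maggie DLL name'
        -- Any other non-Microsoft extended procedure still needs a review:
        -- legitimate third-party extended stored procedures are rare and
        -- the feature itself is deprecated.
        ELSE 'REVIEW: user-registered extended stored procedure'
    END           AS assessment
FROM sys.extended_procedures AS xp
JOIN sys.objects             AS o
    ON o.object_id = xp.object_id
-- Exclude the extended procedures Microsoft ships with the engine
-- (implemented in xpstar.dll, xplog70.dll and similar), leaving only
-- those an administrator, or an attacker with sysadmin rights, added.
WHERE o.is_ms_shipped = 0
ORDER BY o.create_date DESC;
```

An empty result set is the expected state on most production instances; any row deserves a look at the DLL on disk, its signer, and who held sysadmin when it was created.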
Attackers can add arguments to these commands, and in some cases Maggie even provides usage guidance for the allowed parameters. According to the researchers, four “Exploit” commands also appear in the command list, suggesting that the attacker may have used known vulnerabilities for specific tasks such as creating a new user. The analysts, however, were unable to test the exploits, since they seem to rely on a separate DLL that is not included with Maggie.
After specifying a password list file and a thread count, the commands “SqlScan” and “WinSockScan” are used to brute-force admin passwords. If the brute force succeeds, a hardcoded backdoor user is added to the server. Simple TCP redirection capabilities provided by the malware enable remote attackers to establish connections to any IP address that the infected MS-SQL server can reach.
“When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask,” as per DCSO CyTec. “The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie,” added the researchers.
To further its stealth capabilities, the malware also offers SOCKS5 proxy functionality that routes all network packets through a proxy server. How Maggie is used after infection, how the malware was initially planted on the systems, and the identity of the attackers remain unclear.