
New Maggie malware already infected over 250 Microsoft SQL servers

Hundreds of Microsoft SQL servers all over the world have been infected with a new piece of malware tracked as Maggie.

Security researchers Johann Aydinbas and Axel Wauer from the DCSO CyTec have spotted a new piece of malware, named Maggie, that has already infected over 250 Microsoft SQL servers worldwide.

Most of the infected instances are in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.


The malware comes in the form of an “Extended Stored Procedure,” a type of stored procedure that calls functions exported by a DLL. Once an attacker has loaded it into a server, it can be controlled entirely through SQL queries and offers a variety of functionality to run commands and interact with files.

The backdoor is also able to brute-force logins to other MSSQL servers and, where that succeeds, to add a special hardcoded backdoor user.

“In addition, the backdoor has capabilities to bruteforce logins to other MSSQL servers while adding a special hardcoded backdoor user in the case of successfully bruteforcing admin logins. Based on this finding, we identified over 250 servers affected worldwide, with a clear focus on the Asia-Pacific region.” reads the analysis published by the researchers. “Once loaded into a server by an attacker, it is controlled solely using SQL queries and offers a variety of functionality to run commands, interact with files and function as a network bridge head into the environment of the infected server.”

While investigating new threats, the experts discovered a suspicious DLL file signed by DEEPSoft Co., Ltd. on 2022-04-12. The export directory revealed the name of the library, sqlmaggieAntiVirus_64.dll, which offers a single export called maggie.

Inspecting the DLL file, the experts determined it is an Extended Stored Procedure, which allows SQL queries to run shell commands.
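Two T-SQL hunting queries for the behaviour described above, the DLL-backed extended stored procedure and the hardcoded admin user added after a successful brute-force, written here as an added example rather than taken from the DCSO analysis. They assume sysadmin (or at least VIEW ANY DEFINITION) rights on the instance being checked; the only page-derived string is the sqlmaggieAntiVirus_64.dll file name.

```sql
-- Added hunting queries (not part of the DCSO write-up). Run against each MSSQL instance;
-- extended stored procedures can only be registered in master, hence USE master.
USE master;
GO

-- 1. Extended stored procedures registered after installation. Maggie is registered this
--    way: a procedure that calls into a DLL (the researchers saw sqlmaggieAntiVirus_64.dll
--    exporting "maggie"). is_ms_shipped = 0 excludes the built-in xp_* procedures, so every
--    row returned was added by someone and must be accounted for, whatever its DLL is named.
SELECT
    xp.name         AS procedure_name,
    xp.dll_name,
    xp.create_date,
    xp.modify_date,
    CASE WHEN xp.dll_name LIKE '%sqlmaggie%' THEN 'DLL name matches the Maggie sample'
         ELSE 'review: unexpected extended procedure'
    END             AS note
FROM sys.extended_procedures AS xp
WHERE xp.is_ms_shipped = 0
ORDER BY xp.create_date DESC;

-- 2. Logins holding sysadmin, newest first. The backdoor user's name is not given in the
--    public analysis, so compare this list against change records instead of a fixed string;
--    a sysadmin login with a create_date nobody can explain is the signal.
SELECT
    p.name          AS login_name,
    p.type_desc,
    p.create_date,
    p.modify_date
FROM sys.server_principals AS p
JOIN sys.server_role_members AS rm
    ON rm.member_principal_id = p.principal_id
JOIN sys.server_principals AS r
    ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin'
  AND p.name NOT LIKE '##%'     -- skip the internal certificate-based logins
ORDER BY p.create_date DESC;
```

EXEC sp_helpextendedproc; gives the same DLL-to-procedure mapping as the first query on older instances, and the DLL path it returns should be checked on disk for the signer named in the analysis.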

The Maggie malware supports over 51 commands to gather system information and run programs. It also supports network-related functionality such as enabling TermService, running a Socks5 proxy server, or setting up port forwarding so that Maggie can act as a bridge head into the server’s network environment.

Maggie also supports commands that are passed by the attackers along with arguments appended to them.

Maggie implements simple TCP redirection that allows it to operate as a network bridge head from the Internet to any IP address reachable by the compromised MSSQL server.

“When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask. The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie.” continues the analysis.

The experts noticed that the list of supported commands includes Exploit AddUser, Exploit Run, Exploit Clone, and Exploit TS. The researchers also noticed that the DLLs these commands rely on are not present in Maggie itself; the implementation of the commands only loads them.

The researchers assume the caller manually uploads the exploit DLL prior to issuing any Exploit commands.

“Maggie would then load the user-specified DLL, look for an export named either StartPrinter or ProcessCommand (depending on the exact command used) and pass the user-supplied argument.” continues the analysis.

The researchers shared indicators of compromise (IoCs) for this threat and announced they will continue to investigate it to determine how the affected servers are being utilized.


Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft SQL Server)
