Maggie malware hits Microsoft SQL servers

Maggie has infected hundreds of Microsoft SQL servers worldwide


The culprits, their targets and objectives remain a mystery.

A new malware strain known as Maggie has infected hundreds of Microsoft SQL servers worldwide.

Researchers Axel Wauer and Johann Aydinbas of the German cybersecurity firm DCSO CyTec uncovered the Maggie backdoor. They found that the malware is controlled through SQL queries: the operator issues queries that tell it which files to touch and which instructions to execute.

Some of Maggie's capabilities include acting as a bridgehead into the server's network environment and brute-forcing admin logins to other Microsoft SQL servers.

Maggie has already compromised hundreds of endpoints worldwide, the researchers say, the majority found in South Korea, India, Vietnam, Russia, China, Germany, Thailand and the USA.

Wauer and Aydinbas say the malware disguises itself as an Extended Stored Procedure DLL ("sqlmaggieAntiVirus_64.dll"), digitally signed by what appears to be a South Korean company called DEEPSoft Co. Ltd.

Extended stored procedures are native DLLs loaded into the SQL Server process itself. They extend what a SQL query can do through an API that receives the caller's arguments and hands back unstructured data, and they run with the privileges of the SQL Server service account. Maggie exposes a comprehensive set of 51 instructions through this mechanism, turning ordinary SQL queries into a remote backdoor channel.
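The following T-SQL is an added example, not code from the DCSO researchers or from this article. It shows how an extended stored procedure DLL becomes callable from SQL, and then the two queries a defender can run to check a server: one listing every registered extended stored procedure with its backing DLL, and one listing the DLLs actually loaded into the sqlservr.exe process together with the file metadata Windows reports. The procedure name xp_example and the path C:\Temp\example.dll are placeholders and say nothing about how Maggie itself was installed; the WHERE filter on C:\Windows\ is an assumption to cut noise. Registration and dropping require the sysadmin role; the loaded-module query requires VIEW SERVER STATE.

```sql
-- Added example (not from the article or the DCSO report). xp_example and
-- C:\Temp\example.dll are placeholders. Run in master as sysadmin.
USE master;
GO

-- 1. Registration: maps a SQL-callable name to an exported function of a native DLL.
--    The DLL is loaded into sqlservr.exe on first call and runs as the service account.
EXEC sp_addextendedproc N'xp_example', N'C:\Temp\example.dll';
GO

-- 2. Invocation: arguments are passed like any procedure call; the DLL alone decides
--    what they mean, which is how a command set can be driven by plain SQL queries.
--    (Left commented out because the placeholder DLL does not exist.)
-- EXEC master.dbo.xp_example N'some argument';

-- 3. Hunt: every registered extended stored procedure and the DLL behind it.
--    Built-in entries point at Microsoft DLLs such as xpstar.dll, xplog70.dll,
--    odsole70.dll and xprepl.dll; anything else deserves a closer look.
SELECT p.name, p.dll_name, p.create_date, p.modify_date
FROM sys.extended_procedures AS p
ORDER BY p.create_date DESC;

-- 4. Hunt: DLLs currently loaded in the SQL Server process, with the company,
--    description and version Windows reads from each file.
SELECT m.name, m.company, m.description, m.file_version
FROM sys.dm_os_loaded_modules AS m
WHERE m.name NOT LIKE N'C:\Windows\%'   -- assumption: OS DLLs are not of interest here
ORDER BY m.name;

-- 5. Clean up the placeholder registration created in step 1.
EXEC sp_dropextendedproc N'xp_example';
GO
```

Query 3 is the cheaper check and survives a restart, since the mapping lives in the master catalog; query 4 catches a DLL that is resident in the process regardless of how it got there, and the company and description columns are where a signer name that does not belong to the SQL Server installation will stand out.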

The range of commands Maggie provides enables attackers to, among other actions, query for system information, access files and directories, launch programmes, enable remote desktop services, use a SOCKS5 proxy and configure port forwarding.

Equipped with a simple TCP redirection feature, Maggie is able to act as a network bridgehead from the Internet to any IP address reachable by the infected MSSQL server. If the source IP address of an incoming connection matches an attacker-specified IP mask, Maggie reroutes that connection to a previously configured IP address and port. Because this happens on the port the SQL Server service already listens on, no additional port needs to be opened and the redirection is transparent to the permitted sources. Connections from any other IP address are passed to the server as normal, so ordinary users see nothing of Maggie's involvement.

Given that Maggie offers such a long list of functionality and specifically targets Microsoft SQL servers, it appears to have been designed as a corporate espionage tool. However, the researchers were unable to identify the threat actors responsible, their whereabouts, or the people they are targeting.

Out of around 600,000 servers analysed globally, DCSO CyTec researchers found 285 servers scattered across 42 nations that were infected with the Maggie backdoor.

It is unclear how the attackers were able to install the malware on so many servers, and what their objectives are.