New MSSQL Backdoor ‘Maggie’ Infects Hundreds of Servers Worldwide

DCSO CyTec researchers Johann Aydinbas and Axel Wauer are warning of new backdoor malware they’re calling “Maggie,” which targets Microsoft SQL servers. Maggie, the researchers say, has already affected at least 285 servers in 42 countries, with a particular focus on South Korea, India, Vietnam, China, and Taiwan.

The malware offers a wide range of functionality, including the ability to change file permissions, run commands, and act as a network bridge into the infected server. “In addition, the backdoor has capabilities to bruteforce logins to other MSSQL servers while adding a special hardcoded backdoor user in the case of successfully bruteforcing admin logins,” the researchers wrote in a blog post earlier this week.

The DLL file, which offers a single export called maggie (hence DCSO’s name for the malware), is an Extended Stored Procedure (ESP) designed to fetch user-supplied arguments and return unstructured data. “Maggie utilizes this message-passing interface to implement a fully functional backdoor controlled only using SQL queries,” the researchers wrote.

While it’s unclear how an attack with the malware is performed in the real world, Aydinbas and Wauer said the attacker has to have valid credentials to load it into the server.

See the Top Database Security Solutions

TCP Redirection

Maggie’s functionality includes simple TCP redirection. “When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask,” the researchers wrote. “The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie.”

Aydinbas and Wauer also noted that Maggie’s command list includes four that suggest exploit usage: Exploit AddUser, Exploit Run, Exploit Clone, and Exploit TS. “It appears that the actual implementation of all four exploit commands depends on a DLL not included with Maggie directly,” they wrote. “Instead, the caller provides a DLL name as well as an additional parameter when calling each function. We therefore assume the caller manually uploads the exploit DLL prior to issuing any exploit commands.”

Still, the researchers weren’t able to uncover any potential exploit DLLs that Maggie might be referencing in order to do so.

Also read: 7 Database Security Best Practices

Top China-Exploited Vulnerabilities Revealed

It’s been quite a week for Microsoft vulnerabilities. In addition to Maggie and ProxyNotShell, four Microsoft vulnerabilities – including well-known ones like ProxyLogon – made a list of the 19 vulnerabilities most exploited by China state-sponsored hackers. The U.S. cybersecurity agencies list includes other well-known vulnerabilities like Log4j. ProxyLogon also figured prominently in a 2021 defense organization hack revealed this week.

For organizations struggling with patch management, lists like these and CISA’s Known Exploited Vulnerabilities are very good places to focus patching efforts.

Read next: The Best Patch Management Software & Tools for 2022

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles