Maggie has emerged as a brand-new malware. The backdoor has already spread to hundreds of computers and is specifically designed to attack Microsoft SQL servers.
DCSO CyTec analysts found the Maggie malware, and data shows that some nations—including the United States, India, South Korea, and China—have higher distribution rates.
Maggie’s backdoor user was discovered on 285 servers in 42 countries out of nearly 600,000 servers scanned.
Maggie Malware Capabilities
The malware is managed through SQL queries and supports 51 commands, including running programs, executing processes, interacting with files, installing remote desktop services, and configuring port forwarding.
It can brute-force administrator logins to other Microsoft SQL servers with SqlScan and WinSockScan commands. A hardcoded backdoor user is added to the server if it is successful.
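One way to look for this pattern on a targeted server, shown as an added example rather than code from DCSO CyTec or from the original article: flag any successful login that follows a burst of failed logins from the same client address. It assumes login auditing records both failed and successful logins and that entries follow the usual SQL Server error-log wording; the sample lines, the threshold, and the window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]")

def find_bruteforce_then_success(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (client, user, time) for every successful login that follows at
    least `threshold` failed logins from the same client within `window`."""
    failures = defaultdict(list)  # client address -> recent failure times
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login audit line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client = m["client"].strip()
        recent = [t for t in failures[client] if ts - t <= window]
        if m["result"] == "failed":
            failures[client] = recent + [ts]
        else:
            if len(recent) >= threshold:
                hits.append((client, m["user"], ts))
            failures[client] = []  # a success starts a fresh count
    return hits

def _line(ts, result, user, client):
    # Builds one constructed line in the SQL Server error-log style.
    detail = ("Reason: Password did not match that for the login provided."
              if result == "failed"
              else "Connection made using SQL Server authentication.")
    return f"{ts} Logon       Login {result} for user '{user}'. {detail} [CLIENT: {client}]"

# Constructed sample log (documentation-range addresses, not real data).
SAMPLE_LOG = "\n".join(
    [_line(f"2022-10-05 03:10:0{i}.10", "failed", "sa", "203.0.113.7") for i in range(1, 6)]
    + [_line("2022-10-05 03:10:11.10", "succeeded", "sa", "203.0.113.7"),
       _line("2022-10-05 09:00:00.10", "failed", "app_user", "198.51.100.20"),
       _line("2022-10-05 09:00:05.10", "succeeded", "app_user", "198.51.100.20")])

if __name__ == "__main__":
    for client, user, ts in find_bruteforce_then_success(SAMPLE_LOG):
        print(f"{ts} {client}: login as '{user}' succeeded after repeated failures")
```

A hit is a lead for review, not proof of compromise: follow it up by checking which logins were created on the server after the flagged time.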
The malware also provides usage instructions for the arguments that attackers can add to some of the commands.
Maggie disguises itself as an Extended Stored Procedure DLL (sqlmaggieAntiVirus_64.dll). Extended Stored Procedure files use an API that lets remote users pass arguments in SQL queries. The file is digitally signed by DEEPSoft Co. Ltd., a South Korean business.
Four exploit commands are also included in the command list:
- Exploit AddUser
- Exploit Run
- Exploit Clone
- Exploit TS
This suggests that attackers might use some known vulnerabilities. The analysts could not test these exploit commands, since they seem to rely on a DLL that is not included with Maggie.
Maggie as a Network Bridge Head
Because Maggie has TCP redirection ability, it can act as a network bridge head from the Internet to any IP address that the compromised MSSQL server can access.
If the source IP address matches a user-specified IP mask, the malware can reroute any incoming connection (on any port the MSSQL server is listening on) to a previously determined IP and port.
Any connecting IP can utilize the server without any intervention from or knowledge of Maggie, thanks to the implementation’s ability to enable port reuse, which makes the redirection transparent to authorized users.
Maggie also includes SOCKS5 proxy functionality for more complicated network operations.
RAR SFX with Maggie:
T1110 Brute Force
T1090 Connection Proxy