Maggie is a newly surfaced malware that is already providing attackers with unauthorized backdoor access to several Microsoft SQL servers.
Researchers have recently discovered a malware named Maggie that has been providing unauthorized backdoor access to several Microsoft SQL servers. It was identified by John Aydinbas and Alex Wauer, analysts at the German security firm DCSO CyTec. According to the data collected so far, the malware has already infected servers in South Korea, Vietnam, India, China, Thailand, Russia, Germany, and the US.
How does Maggie work?
Experts have already begun analyzing the malware to understand how it infects servers. Their analysis shows that Maggie disguises itself as a harmless-looking extended stored procedure, delivered as a DLL carrying a code signature from DEEPSoft Co. Extended stored procedures are DLLs loaded into the SQL Server process to extend its functionality through an API, so once the backdoor is registered it can be driven remotely by anyone able to run SQL queries against the server. Maggie implements a set of 51 commands that an attacker issues through this interface to control the server and retrieve information.
Some of these commands are ‘exploit’ commands that target vulnerabilities on the server to perform actions such as creating a new user.
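To make the mechanism concrete, here is an added T-SQL example (not code from the original article or from DCSO CyTec) showing how an extended stored procedure is registered, which is the documented SQL Server API that malware of this kind piggybacks on, followed by the audit queries a defender can run to list extended stored procedures that did not ship with SQL Server and non-Microsoft DLLs loaded in the SQL Server process. The procedure name and DLL path are hypothetical placeholders; the system procedures and views are standard SQL Server.

```sql
-- Added example: how an extended stored procedure (ESP) is registered, and how to audit for unexpected ones.
-- The procedure name and DLL path below are hypothetical placeholders, not Maggie's.
USE master;
GO

-- 1. Registration (shown for illustration; do not run this on a server you are auditing).
--    Requires sysadmin. SQL Server loads the DLL into sqlservr.exe and exposes its exported
--    function as a callable procedure, so any login with EXECUTE rights can drive the DLL.
EXEC sp_addextendedproc 'xp_example_proc', 'C:\Program Files\Example\example.dll';
GO

-- 2. Audit: list every ESP that did not ship with SQL Server, with the DLL it points at.
--    ESPs live only in master, so this view is queried there.
SELECT name, dll_name, create_date, modify_date
FROM sys.extended_procedures
WHERE is_ms_shipped = 0;
GO

-- 3. Audit: list DLLs currently loaded in the SQL Server process whose embedded company name
--    is not Microsoft (needs VIEW SERVER STATE). A valid signature from an unfamiliar vendor
--    is a lead to investigate, not proof that the module is benign.
SELECT name, company, description, file_version
FROM sys.dm_os_loaded_modules
WHERE company IS NULL OR company NOT LIKE 'Microsoft%';
GO

-- 4. Removal of an unexpected ESP. Dropping it unregisters the procedure, but the DLL stays
--    mapped until the instance restarts or DBCC example (FREE) is run with the DLL's base name,
--    so copy the file for analysis before removing it.
EXEC sp_dropextendedproc 'xp_example_proc';
GO
```

Run steps 2 and 3 on a known-clean instance first to establish a baseline of expected entries, then diff against production; any non-Microsoft ESP or loaded module that is not in the baseline warrants a look at the DLL on disk and its signer.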
DCSO CyTec’s expert opinion
According to DCSO CyTec, “when enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port if the source IP address matches a user-specified IP mask.” They further stated that “the implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP can use the server without any interference or knowledge of Maggie.”
Maggie is a growing threat to SQL servers worldwide. Because it is disguised as a legitimate, signed component and carries additional stealth functionality, administrators and data security specialists need to harden their servers to keep attackers from gaining access through it.