Security researchers Johann Aydinbas and Axel Wauer from the DCSO CyTec have spotted a new piece of malware, named Maggie, that has already infected over 250 Microsoft SQL servers worldwide.
Most of the infected instances are in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.
The malware is packaged as an “Extended Stored Procedure”: a stored procedure implemented in a DLL that the SQL Server process loads and calls directly. Once the DLL is registered on a server, an attacker controls it through ordinary SQL queries, and it offers a range of functionality to run commands and interact with files.
The backdoor is also able to brute-force logins to other MSSQL servers and, on success, add a special hardcoded backdoor to them.
Maggie supports over 51 commands to gather system information and run programs. It also offers network-related functionality: enabling TermService (the Windows Remote Desktop service), running a SOCKS5 proxy server, and setting up port forwarding, which lets Maggie act as a bridgehead into the server’s network environment.
Commands are issued by the attackers as queries to the stored procedure, with any arguments appended to the command.
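The registration and control path described above, together with the checks a DBA or responder would run on a suspect instance, as an added T-SQL example. This is not code from the article or from DCSO's report: the procedure name `xp_example`, the DLL path, and the command and argument strings are hypothetical placeholders, not Maggie's real names, and `xp_readerrorlog` is shown only as a way to surface the failed logins that a brute-forcing peer would leave behind.

```sql
-- How an extended stored procedure gets onto a server (requires sysadmin).
-- Name and path are hypothetical placeholders, not Maggie's real ones.
USE master;
EXEC sp_addextendedproc N'xp_example', N'C:\Windows\Temp\example.dll';

-- Control is then plain T-SQL: the command and its arguments are passed as
-- parameters, exactly like calling any other stored procedure.
-- (Placeholder strings; the real command set is not reproduced here.)
EXEC xp_example N'command', N'argument';

-- Hunting: list every non-Microsoft extended stored procedure registered in
-- master with its backing DLL. On a clean server this normally returns no rows.
SELECT name, dll_name, create_date, modify_date
FROM master.sys.extended_procedures
WHERE is_ms_shipped = 0
ORDER BY create_date DESC;

-- Unregister one you did not put there (preserve the DLL for analysis first).
EXEC sp_dropextendedproc N'xp_example';

-- Brute-force attempts from an infected peer show up as failed logins
-- (error 18456) in the SQL Server error log: log 0 is the current log,
-- type 1 is the SQL Server log (as opposed to the Agent log).
EXEC xp_readerrorlog 0, 1, N'Login failed';
```

`sys.extended_procedures` is the authoritative list of registered extended stored procedures and includes the DLL path, so comparing its non-`is_ms_shipped` rows against a known-good baseline is the quickest way to spot an implant of this kind; a long run of `Login failed` entries from a single source address in the error log is the corresponding sign that a neighbouring server is already infected and probing yours.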