German analysts Johann Aydinbas and Axel Wauer of the DCSO CyTec posted information about a new backdoor targeting Microsoft SQL servers. According to their information, the malware has already infected hundreds of servers, mainly in Asian countries, such as South Korea, India, Vietnam, China, Taiwan, Thailand, and others.
The malware is built as an “Extended Stored Procedure” DLL, used by Microsoft SQL servers. It allows one to control it using SQL queries once uploaded to a server. The backdoor allows the attacker to run commands and work with files. One more of the functions of Maggie is to set up a SOCKS5 proxy. It allows transmission of all the commands required to manage this malware using a proxy server and makes it even less noticeable. Also, the malware creates a network bridge with the infected server.
In addition, the malware allows the launching of brute-force attacks on other Microsoft SQL servers. If the attack succeeds, it adds a new backdoor user account using hardcoded credentials.
The name was given by the references in the file. It calls itself “sqlmaggieAntiVirus_64.dll”. The only export it provides is also named “maggie”.
So, as can be seen, this malware can be used for many purposes. However, the researchers did not publish any additional information regarding the post-infection usage of the backdoor, how it gets into the system, and who is a beneficiary of those attacks.
