Hundreds of Microsoft SQL servers backdoored with new malware

Security researchers have found a new piece of malware targeting Microsoft SQL servers. Named Maggie, the backdoor has already infected hundreds of machines all over the world.

Maggie is controlled through SQL queries that instruct it to run commands and interact with files. Its capabilities extend to brute-forcing administrator logins to other Microsoft SQL servers and doubling as a bridge head into the server’s network environment.

The backdoor was discovered by German analysts Johann Aydinbas and Axel Wauer of the DCSO CyTec. Telemetry data shows that Maggie is more prevalent in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.

Maggie infections heatmap
Maggie infections heatmap (DCSO CyTec)

Maggie commands

Analysis of the malware revealed that it disguises as an Extended Stored Procedure DLL (“sqlmaggieAntiVirus_64.dll”) that is digitally signed by DEEPSoft Co. Ltd, a company that appears to be based in South Korea.

Extended Stored Procedure files extend the functionality of SQL queries by using an API that accepts remote user arguments and responds with unstructured data.

Maggie abuses this technical behavior to enable remote backdoor access with a rich set of 51 commands.

All commands supported by Maggie
Commands supported by Maggie (DCSO CyTec)

A report from DCSO CyTec says that the variety of commands supported by Maggie allow querying for system information, executing programs, interacting with files and folders, enabling remote desktop services (TermService), running a SOCKS5 proxy, and setting up port forwarding.

The attackers can append arguments to these commands, and Maggie even offers usage instructions for the supported arguments in some cases.

Valid parameters for the SQL scan command
Valid parameters for the SQL scan command (DCSO CyTec)

The researchers say that the command list also includes four “Exploit” commands, indicating that the attacker may rely on known vulnerabilities for some actions, such as adding a new user.

However, the analysts couldn’t test the exploits as they appear to depend on an additional DLL that is not shipped with Maggie.

Brute-forcing admin passwords happens through the commands “SqlScan” and “WinSockScan” after defining a password list file and a thread count. If successful, a hardcoded backdoor user is added to the server.

Maggie network bridge

The malware offers simple TCP redirection functionality, which allows remote attackers to connect to any IP address the infected MS-SQL server can reach.

“When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask” – DCSO CyTec

“The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie,” the researchers added.

The malware also features SOCKS5 proxy functionality to route all network packets through a proxy server, making it even stealthier if needed.

Starting and stopping the SOCKS5 proxy service
Starting and stopping the SOCKS5 proxy service (DCSO CyTec)

At this time some details remain unknown, like the post-infection use of Maggie, how the malware is planted in the servers in the first place, and who is behind these attacks.

Source: www.bleepingcomputer.com