URL: http://securityaffairs.co/wordpress/136693/cyber-crime/maggie-malware-microsoft-sql-server.html
NEW MAGGIE MALWARE ALREADY INFECTED OVER 250 MICROSOFT SQL SERVERS

October 5, 2022  By Pierluigi Paganini


HUNDREDS OF MICROSOFT SQL SERVERS ALL OVER THE WORLD HAVE BEEN INFECTED WITH A
NEW PIECE OF MALWARE TRACKED AS MAGGIE.

Security researchers Johann Aydinbas and Axel Wauer from the DCSO CyTec have
spotted a new piece of malware, named Maggie, that has already infected over 250
Microsoft SQL servers worldwide.

Most of the infected instances are in South Korea, India, Vietnam, China,
Russia, Thailand, Germany, and the United States.





The malware is an Extended Stored Procedure: a DLL that SQL Server loads into
its own process and exposes as a stored procedure, so that calling the
procedure executes native code with the privileges of the database engine.
Once an attacker has registered it on a server, Maggie is controlled entirely
through SQL queries and offers a range of functions to run commands and
interact with files.

The backdoor can also brute-force logins on other MSSQL servers and, where that
succeeds, add a hard-coded backdoor user.

“In addition, the backdoor has capabilities to bruteforce logins to other MSSQL
servers while adding a special hardcoded backdoor user in the case of
successfully bruteforcing admin logins. Based on this finding, we identified
over 250 servers affected worldwide, with a clear focus on the Asia-Pacific
region.” reads the analysis published by the researchers. “Once loaded into a
server by an attacker, it is controlled solely using SQL queries and offers a
variety of functionality to run commands, interact with files and function as a
network bridge head into the environment of the infected server.”
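The brute-force and backdoor-user behaviour leaves two artefacts a DBA can query for: an unexpected sysadmin login on the victim, and bursts of failed logins on the servers it attacked. The T-SQL below is an added example, not code from the article or from the DCSO report; it uses only Microsoft-documented catalog views and xp_readerrorlog. The allow-list, the failure threshold and the 24-hour window are placeholders to adjust per environment, and step 2 assumes failed-login auditing (the SQL Server default) is writing to the error log.

```sql
-- Added example (not from the article or the DCSO analysis): two checks for
-- the brute-force / backdoor-user behaviour described above.  Run as sysadmin.
USE master;
GO

-- 1. On a suspected victim: every member of the sysadmin role, newest first.
--    A hard-coded user added by the backdoor would be a SQL_LOGIN created at
--    an odd time and absent from the DBA's inventory.  The NOT IN list is a
--    placeholder allow-list, not a real set of accounts.
SELECT  m.name,
        m.type_desc,
        m.create_date,
        m.modify_date,
        m.is_disabled
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'
  AND   m.name NOT IN ('sa', 'CORP\dba-admins')        -- placeholder allow-list
ORDER BY m.create_date DESC;

-- 2. On any reachable instance: failed-login bursts per client address from
--    the current error log (log 0; pass 1, 2, ... for archived logs).  Each
--    "Login failed" entry ends with "[CLIENT: <ip>]", which the SUBSTRING
--    below extracts.  Appending ']' to the text guarantees a terminator is
--    found, so SUBSTRING never receives a negative length.
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(64), [Text] nvarchar(max));
INSERT INTO #errlog EXEC xp_readerrorlog 0, 1, N'Login failed';

SELECT  c.client_ip,
        COUNT(*)       AS failures,
        MIN(l.LogDate) AS first_seen,
        MAX(l.LogDate) AS last_seen
FROM    #errlog AS l
CROSS APPLY (
    SELECT CASE WHEN CHARINDEX('[CLIENT: ', l.[Text]) > 0
                THEN SUBSTRING(l.[Text],
                               CHARINDEX('[CLIENT: ', l.[Text]) + 9,
                               CHARINDEX(']', l.[Text] + ']', CHARINDEX('[CLIENT: ', l.[Text]) + 9)
                                 - CHARINDEX('[CLIENT: ', l.[Text]) - 9)
           END AS client_ip
) AS c
WHERE   c.client_ip IS NOT NULL
  AND   l.LogDate >= DATEADD(hour, -24, SYSDATETIME())   -- placeholder window
GROUP BY c.client_ip
HAVING  COUNT(*) >= 50                                    -- placeholder threshold
ORDER BY failures DESC;

DROP TABLE #errlog;
```

A source address that fails dozens of times against several instances in the same window is the pattern to correlate across the fleet; a single new sysadmin login on one of those instances, created shortly after the burst stops, is the combination this report describes.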

While investigating new threats, the experts came across a suspicious DLL
signed by DEEPSoft Co., Ltd. on 2022-04-12. Its export directory gives the
library's name as sqlmaggieAntiVirus_64.dll and lists a single export, maggie.

Inspecting the DLL, the experts determined that it is an Extended Stored
Procedure: once registered with SQL Server (via sp_addextendedproc), its
exported function can be invoked from any SQL query, and among the commands it
implements are ones that run shell commands.
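A defender's first check for this class of backdoor is whether any non-Microsoft extended stored procedure is registered on the instance and whether its DLL is mapped into the engine process. The T-SQL below is an added example, not code from the article or from the DCSO report; it relies only on Microsoft-documented catalog views and DMVs. The procedure name and DLL path in the comments are illustrative placeholders, not indicators taken from the analysis.

```sql
-- Added hunting example (not from the article or the DCSO analysis).
-- Run as sysadmin on each MSSQL instance; everything here is read-only
-- except the commented-out containment step at the end.
USE master;
GO

-- 1. Extended stored procedures registered with sp_addextendedproc.
--    Microsoft's own xp_* procedures carry is_ms_shipped = 1; any other row
--    is a third-party DLL that the engine loads in-process the first time
--    the procedure is called.  A registration such as
--        EXEC sp_addextendedproc 'maggie', 'C:\placeholder\sqlmaggieAntiVirus_64.dll'
--    (hypothetical path) would appear here with name = 'maggie'.
SELECT  ep.name,
        ep.dll_name,
        ep.create_date,
        ep.modify_date
FROM    sys.extended_procedures AS ep
WHERE   ep.is_ms_shipped = 0
ORDER BY ep.create_date DESC;

-- 2. DLLs currently mapped into sqlservr.exe.  An XP DLL stays resident after
--    its first call, so a module with an unexpected company name (or none at
--    all) should be copied off the host for analysis before anything changes.
SELECT  lm.name         AS module_path,
        lm.company,
        lm.description,
        lm.file_version
FROM    sys.dm_os_loaded_modules AS lm
WHERE   lm.company IS NULL
   OR   lm.company NOT LIKE 'Microsoft%'
ORDER BY lm.name;

-- 3. Containment, only after the DLL has been preserved as evidence:
--    unregister the procedure so it can no longer be called, then unload the
--    module (DBCC takes the DLL name without its extension).  Both lines are
--    deliberately commented out; substitute the names found in steps 1 and 2.
-- EXEC sp_dropextendedproc 'maggie';
-- DBCC sqlmaggieAntiVirus_64 (FREE);
```

The two queries answer different questions: step 1 shows what an attacker registered, step 2 shows what is actually executing inside the engine right now, and a DLL present in the second result but absent from the first is the more interesting finding.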

Maggie supports 51 commands, which range from gathering system information and
running programs to network-related functions such as enabling TermService
(Remote Desktop), starting a SOCKS5 proxy server, or setting up port forwarding
so that Maggie acts as a bridgehead into the server's network environment.

Commands are sent to Maggie as the argument of the extended stored procedure,
with any parameters the command needs appended after the command name.

Maggie also implements simple TCP redirection, which lets it act as a network
bridgehead from the Internet to any IP address the compromised MSSQL server can
reach.

“When enabled, Maggie redirects any incoming connection (on any port the MSSQL
server is listening on) to a previously set IP and port, if the source IP
address matches a user-specified IP mask. The implementation enables port reuse,
making the redirection transparent to authorized users, while any other
connecting IP is able to use the server without any interference or knowledge
of Maggie.” continues the analysis.

The experts noticed that the list of supported commands includes Exploit
AddUser, Exploit Run, Exploit Clone, and Exploit TS. However, the DLLs these
commands load to do their work are not shipped with Maggie itself; the command
handlers only reference them.

The researchers assume the caller uploads the exploit DLL manually before
issuing any Exploit command.

“Maggie would then load the user-specified DLL, look for an export named either
StartPrinter or ProcessCommand (depending on the exact command used) and pass
the user-supplied argument.” continues the analysis.

The researchers shared indicators of compromise (IoCs) for this threat and
announced they will continue to investigate it to determine how the affected
servers are being utilized.
