Hundreds of Microsoft SQL servers backdoored with new malware

submitted by
Style Pass
2022-10-05 23:30:11

Security researchers have found a new piece of malware targeting Microsoft SQL servers. Named Maggie, the backdoor has already infected hundreds of machines all over the world.

Maggie is controlled through SQL queries that instruct it to run commands and interact with files. Its capabilities extend to brute-forcing administrator logins to other Microsoft SQL servers and doubling as a bridgehead into the server's network environment.

The backdoor was discovered by German analysts Johann Aydinbas and Axel Wauer of DCSO CyTec. Telemetry data shows that Maggie is more prevalent in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.

Analysis of the malware revealed that it disguises itself as an Extended Stored Procedure DLL (“sqlmaggieAntiVirus_64.dll”) that is digitally signed by DEEPSoft Co. Ltd, a company that appears to be based in South Korea.

Extended Stored Procedure files extend the functionality of SQL queries by using an API that accepts remote user arguments and responds with unstructured data.
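Because the backdoor has to be registered as an Extended Stored Procedure and loaded into the SQL Server process, both facts are visible from inside the instance. The T-SQL below is an added audit example, not part of the original article or the researchers' tooling; it uses the standard `sys.extended_procedures` and `sys.dm_os_loaded_modules` views, and the only value taken from the article is the DLL file name.

```sql
-- Added example: audit Extended Stored Procedures on one SQL Server instance.
-- Run as a login with VIEW SERVER STATE; nothing here modifies the server.
USE master;  -- extended stored procedures are only visible from master

-- 1. Every registered extended stored procedure and the DLL behind it.
--    Rows with is_ms_shipped = 0 were added after installation and should
--    each map to software the DBA team knowingly deployed.
SELECT  xp.name                     AS xp_name,
        SCHEMA_NAME(xp.schema_id)   AS schema_name,
        xp.dll_name,
        xp.is_ms_shipped,
        xp.create_date,
        xp.modify_date
FROM    sys.extended_procedures AS xp
ORDER BY xp.is_ms_shipped, xp.create_date DESC;

-- 2. Registrations whose DLL matches the file name reported in the article.
--    A file name is a weak indicator (it is trivially changed), so an empty
--    result here does not clear the server; review query 1 regardless.
SELECT  xp.name AS xp_name, xp.dll_name, xp.create_date
FROM    sys.extended_procedures AS xp
WHERE   xp.dll_name LIKE N'%sqlmaggieAntiVirus[_]64.dll';

-- 3. Modules currently loaded in the SQL Server process whose version
--    resource does not name Microsoft as the company. An XP DLL is loaded
--    on first call, so a called backdoor shows up here even if its
--    registration was later dropped (until the DLL is unloaded or the
--    service restarts).
SELECT  m.name          AS module_path,
        m.company,
        m.description,
        m.file_version
FROM    sys.dm_os_loaded_modules AS m
WHERE   m.company IS NULL
   OR   m.company NOT LIKE N'Microsoft%'
ORDER BY m.name;
```

The company field in query 3 comes from the DLL's version resource, not its Authenticode signature, so verify the signer of any unexpected module on disk separately.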
