New “Maggie” malware targets hundreds of Microsoft SQL servers

Share post:

A new malware called “Maggie” is targeting hundreds of Microsoft SQL servers worldwide. Maggie works as a back door and was discovered by German analysts Johann Aydinbas and Axel Wauer of DCSO CyTec.

Maggie is controlled by SQL queries that instruct it to execute commands and interact with files. Maggie is also capable of brute-forcing administrator logins to other Microsoft SQL servers and can also act as a bridge head into the network environment of the server.

Maggie disguises as an Extended Stored Procedure DLL, a tool that extends the functionality of SQL queries by using an API that accepts remote user arguments and responds with unstructured data. The tool is abused to enable remote backdoor access with a rich set of 51 commands.

According to a report by DCSO CyTec, the fact that Maggie supports a variety of commands makes it possible to query system information, execute programs, interact with files and folders, activate remote desktop services (TeamService), run a SOCK95 proxy, and set up port forwarding.

The command list also contains four “Exploit” commands, indicating that the attacker may rely on known vulnerabilities for some actions, including adding a new user.

The malware also provides a simple TCP redirection feature that allows remote attackers to connect to any IP address that the infected MS-SQL server can reach.

The sources for this piece include an article in BleepingComputer.


Related articles

London hospitals cancel over 800 operations after ransomware attack

NHS England disclosed today that a recent ransomware attack on Synnovis has led to the cancellation of hundreds...

Microsoft cancels universal Recall release in favor of Windows Insider preview

Microsoft has decided to cancel the wide release of Recall, the controversial tool for Copilot+ PCs, and instead...

Cyber Security Today, Week in Review for week ending Friday, June 14, 2024

Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, June 14th,...

Cyber Security Today, June 14, 2024 – Employee downloaded a file that led to hospital chain’s ransomware attack

An employee downloaded a file that led to hospital chain's ransomware attack Welcome to Cyber Security Today. It's Friday...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways