"New Maggie Malware Already Infected Over 250 Microsoft SQL Servers"

The DCSO CyTec security researchers Johann Aydinbas and Axel Wauer discovered Maggie, a new piece of malware that has already infected more than 250 Microsoft SQL servers worldwide. The majority of infected instances are located in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the US. The malware takes the form of an "Extended Stored Procedure," a type of stored procedure that invokes functions exported by a DLL file. Once the DLL has been loaded into the server with SQL queries, an attacker can control the server through it. It offers a variety of functionality to run commands and interact with files. The backdoor can also brute-force logins to other MSSQL servers in order to install a special hardcoded backdoor on them. Maggie supports over 51 commands for gathering system information and running programs. It also supports network-related functions such as enabling TermService, running a Socks5 proxy server, or configuring port forwarding so that Maggie acts as a bridgehead into the server's network environment. Maggie accepts commands passed by attackers, as well as arguments appended to them. Maggie uses simple Transmission Control Protocol (TCP) redirection to function as a network bridgehead from the Internet to any IP address that the compromised MSSQL server can reach. This article continues to discuss the impact and capabilities of the new Maggie malware.
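Because Maggie is registered as an extended stored procedure, the first defender-side check is an inventory of the extended stored procedures present on each instance. The T-SQL below is an added example, not code from the DCSO report or the Security Affairs article; it assumes the standard catalog views sys.extended_procedures and sys.objects, and the 30-day window is an arbitrary triage threshold.

```sql
-- Added hunting query (constructed for this article, not from the DCSO report).
-- Extended stored procedures live in master and are registered with
-- sp_addextendedproc, which requires sysadmin rights; each row here is a DLL
-- that SQL Server will load into its own process when the procedure is called.
USE master;

SELECT
    o.name                    AS xp_name,
    SCHEMA_NAME(o.schema_id)  AS schema_name,
    xp.dll_name,
    o.create_date,
    o.modify_date,
    -- Built-in XPs reference bare DLL names that resolve to the instance's
    -- Binn folder. An XP registered with an explicit path, or one created
    -- long after the instance was installed, deserves a closer look.
    CASE
        WHEN xp.dll_name LIKE '%\%' OR xp.dll_name LIKE '%/%'
            THEN 'review: explicit DLL path'
        WHEN o.create_date > DATEADD(day, -30, GETDATE())   -- assumed threshold
            THEN 'review: registered in the last 30 days'
        ELSE 'built-in or long-standing'
    END                       AS triage_hint
FROM sys.extended_procedures AS xp
JOIN sys.objects             AS o ON o.object_id = xp.object_id
ORDER BY o.create_date DESC;
```

Any row flagged for review should be compared against the DLL on disk (hash, signature, and location) before deciding whether it belongs on the server.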

Security Affairs reports "New Maggie Malware Already Infected Over 250 Microsoft SQL Servers"
