Context
On October 4, 2022, DCSO CyTec security researchers published the technical details of a new backdoor targeting Microsoft SQL (MSSQL) servers, which they dubbed "Maggie." According to the researchers, Maggie can brute-force logins to other MSSQL servers and, once it obtains administrator credentials, add a new hardcoded backdoor user. The researchers did not investigate if and how infected servers are used by the threat actors after a successful infection, and they did not attribute the campaign to any actor.
Impact
According to the researchers, more than 250 servers have been infected by Maggie so far, concentrated in the Asia-Pacific (APAC) region; South Korea, India, Vietnam, China, and Taiwan were the most affected countries by volume. No information is currently public on the specific targets of the backdoor. Organizations operating MSSQL servers, especially in the APAC region, are encouraged to ingest the indicators of compromise (IOCs) included in this report and to remain particularly vigilant regarding operations and activity on their MSSQL servers.
Technical Details
According to researchers, “The malware comes in the form of an ‘Extended Stored Procedure’ DLL, a special type of extension used by Microsoft SQL servers. Once loaded into a server by an attacker, it is controlled solely using SQL queries and offers a variety of functionality to run commands, interact with files, and function as a network bridge head into the environment of the infected server.”
Once installed, the backdoor exposes commands to query system information, interact with files and folders, and execute programs, as well as network-related functionality such as enabling TermService (the Remote Desktop Services service), running a SOCKS5 proxy server, and setting up port forwarding.
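As an added hunting example (not part of the DCSO report, and not Maggie's own code), the following T-SQL can be run as sysadmin on each MSSQL instance to look for the artifacts described above: a non-Microsoft extended stored procedure backed by an unexpected DLL, a newly added login holding sysadmin, and the failed-login noise a brute-force pass against the instance would leave in the error log. The `sql64.dll` filename is taken from the in-the-wild download URLs in the IOC section; everything else is standard system catalog views and `xp_readerrorlog`.

```sql
-- Added hunting queries; not from the DCSO report. Run as sysadmin on each instance.

-- 1. Extended stored procedures registered in master. Microsoft ships its own
--    (is_ms_shipped = 1); anything else was registered with sp_addextendedproc by an
--    operator or an attacker. Maggie is loaded this way, so inspect dll_name and hash
--    the file on disk against the SHA256 IOCs (a filename is cheap to change).
SELECT
    name        AS esp_name,
    dll_name,
    create_date,
    modify_date
FROM master.sys.extended_procedures
WHERE is_ms_shipped = 0
   OR dll_name LIKE '%sql64.dll'      -- filename seen in the ITW download URLs
ORDER BY create_date DESC;

-- 2. Members of the sysadmin role, newest first. Maggie adds a hardcoded backdoor
--    login after a successful brute-force; a SQL login with a create_date you do not
--    recognise deserves a second look, as does an account that was recently re-enabled.
SELECT
    m.name        AS login_name,
    m.type_desc,
    m.is_disabled,
    m.create_date,
    m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.create_date DESC;

-- 3. Failed logins from the current SQL Server error log, newest first. The default
--    login audit level already records failed logins, and each line ends with
--    [CLIENT: <ip>], so a burst of failures from one client is the brute-force signal.
--    Arguments: log 0 = current log, type 1 = SQL Server log (2 = Agent),
--    search string 1, search string 2, start time, end time, sort order.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed', NULL, NULL, NULL, N'desc';
```

The SOCKS5 proxy, port forwarding, and TermService changes leave no trace in the database catalog, so pair these queries with a host-side check of the Remote Desktop Services (TermService) state and of listening sockets owned by the sqlservr.exe process.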
The backdoor is also reportedly capable of simple TCP redirection, which lets it act as a network bridgehead from the internet to any IP address reachable by the infected server. An incoming connection is redirected to an operator-designated IP and port only if its source IP matches an operator-specified IP mask; connections from any other source are passed through to the legitimate service. This port reuse keeps the redirection transparent: ordinary clients continue to use the server without interference or any indication that Maggie is present, while the operator's own traffic is tunnelled through the same port.
IOCs
DCSO CyTec security researchers provided the following IOCs:
| Indicator | Type | Notes |
| --- | --- | --- |
| f29a311d62c54bbb01f675db9864f4ab0b3483e6cfdd15a745d4943029dcdf14 | SHA256 | Maggie ESP DLL |
| a375ae44c8ecb158895356d1519fe374dc99c4c6b13f826529c71fb1d47095c3 | SHA256 | Maggie ESP DLL |
| eb7b33b436d034b2992c4f40082ba48c744d546daa3b49be8564f2c509bd80e9 | SHA256 | Maggie ESP DLL |
| 854bb57bbd22b64679b3574724fafd7f9de23f5f71365b1dd8757286cec87430 | SHA256 | Maggie ESP DLL |
| 4311c24670172957b4b0fb7ca9898451878faeb5dcec75f7920f1f7ad339d958 | SHA256 | RAR SFX containing Maggie |
| d0bc30c940b525e7307eca0df85f1d97060ccd4df5761c952811673bc21bc794 | SHA256 | RAR SFX containing Maggie |
| http://58[.]180[.]56[.]28/sql64[.]dll | URL | In-the-wild (ITW) download URL |
| http://106[.]251[.]252[.]83/sql64[.]dll | URL | In-the-wild (ITW) download URL |
| http://183[.]111[.]148[.]147/sql64[.]dll | URL | In-the-wild (ITW) download URL |
| http://xw[.]xxuz[.]com/VV61599[.]exe | URL | In-the-wild (ITW) download URL |
| http://58[.]180[.]56[.]28/vv61599[.]exe | URL | In-the-wild (ITW) download URL |
TTPs
DCSO CyTec security researchers provided the following MITRE ATT&CK tactics, techniques, and procedures (TTPs):
| TTP | Name |
| --- | --- |
| T1110 | Brute Force |
| T1090 | Connection Proxy (now named "Proxy" in current ATT&CK) |