Technical threat research experts from the German security firm DCSO recently came across a new type of backdoor. Dubbed Maggie, the malware targets Microsoft SQL servers, and an analysis found hundreds of infected installations worldwide. Here is a brief overview of what is currently known about this discovery.
Microsoft SQL Server is a relational database management system from Microsoft. Administrators of Microsoft SQL servers probably need to be particularly vigilant again at the moment with regard to malware and cyberattacks.
Ransomware FARGO targets MS SQL server
Already at the end of September 2022, I had seen the report from colleagues at Bleeping Computer that security researchers warned of a new wave of attacks on vulnerable Microsoft SQL servers, targeted by the ransomware FARGO. According to Bleeping Computer, the new wave of attacks was more catastrophic than previous attacks in February and July 2022 – when MS SQL servers were merely taken over at random to steal bandwidth for proxy services. Now, a new threat has been added in the form of the Maggie backdoor.
The Maggie backdoor
I came across this circumstance on Twitter last night. Berlin-based DCSO (Deutsche Cyber-Sicherheitsorganisation GmbH) is active in defending against organized cybercrime and industrial espionage. Their Technical Threat Research experts recently came across a novel backdoor while monitoring signed binaries, as they shared in a German tweet; I also found the following tweet.
This backdoor targets Microsoft SQL servers. The malware comes in the form of an Extended Stored Procedure DLL, a special type of extension used by Microsoft SQL servers. Once loaded into a server by an attacker, this procedure is controlled exclusively by SQL queries and provides a variety of functions to execute commands, interact with files and act as a network bridgehead into the infected server's environment.
In addition, the backdoor has the ability to brute-force logins to other MSSQL servers and to add a special hardcoded backdoor user if an admin login is successfully brute-forced. Based on the artifacts found in the malware, DCSO CyTec refers to this novel threat as "Maggie." The DCSO CyTec team provided the details on Medium in the post MSSQL, meet Maggie. It is currently unclear to security researchers which specific exploit is used to inject the malware into MS SQL servers. Two commands were found in Maggie's command set to brute-force logins to other MSSQL servers:
SqlScan
WinSockScan
The threat actors can then launch a brute-force scan by first uploading a host, user and password list file to the infected server. An optional thread count can also be specified for the attacks. Maggie then creates combinations of (host, user, pass) and attempts to log on to other servers via SQL using ODBC. In the case of a WinSockScan, on the other hand, a reimplementation based on basic socket functions is used for the scan.
Successful logins are written to a hard-coded log file, which can be located in one of two places:
C:\ProgramData\success.dat
<MAGGIE_LOCATION>\success.dat
Maggie then attempts to determine whether the cracked account has admin privileges. If an admin user has been successfully cracked, Maggie proceeds to add a hardcoded backdoor user. Based on this finding, DCSO CyTec performed a scan of publicly accessible MSSQL servers to determine how prevalent the identified backdoor user is.
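Because Maggie is registered as an extended stored procedure and, after a successful admin brute-force, adds a login, an administrator can check both artifacts from inside SQL Server itself. The following T-SQL hunting queries are an added example and not part of the DCSO report; they use only standard catalog views plus the undocumented but long-standing xp_fileexist, and the 30-day window is an assumed threshold for illustration.

```sql
-- Added hunting queries (not from DCSO's analysis of Maggie).
USE master;

-- 1. Extended stored procedures: Maggie is loaded as an XP DLL, so list every
--    registered XP that Microsoft did not ship and review its DLL path.
SELECT  xp.name,
        xp.dll_name,
        xp.create_date,
        xp.modify_date
FROM    sys.extended_procedures AS xp
WHERE   xp.is_ms_shipped = 0          -- Microsoft's own xp_* entries are flagged 1
ORDER BY xp.create_date DESC;

-- 2. Recently created logins: a hardcoded backdoor user added after a
--    successful admin brute-force shows up here. 30 days is an assumed window.
SELECT  name, type_desc, create_date, is_disabled
FROM    sys.server_principals
WHERE   type IN ('S', 'U')            -- SQL logins and Windows logins
  AND   create_date > DATEADD(day, -30, GETDATE())
ORDER BY create_date DESC;

-- 3. Current sysadmin members, to confirm that every privileged login is expected.
SELECT  m.name AS member_name, m.type_desc, m.create_date
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin'
ORDER BY m.create_date DESC;

-- 4. The fixed location of Maggie's brute-force result log; a "File Exists" value
--    of 1 means the file is present. (The second, relative location depends on
--    where the DLL was dropped and must be checked from the path found in step 1.)
EXEC master..xp_fileexist 'C:\ProgramData\success.dat';
```

Run the queries as a sysadmin on the instance under review; an unexpected DLL in the first result set or a login you cannot account for in the second or third is the signal to pull the DLL and the success.dat file for analysis.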
Maggie backdoor infections
Based on these findings, the security researchers took a look at how widespread the malware is. Out of approximately 600,000 servers scanned worldwide, 285 instances infected with the Maggie backdoor were identified. The malware is spread across 42 countries, with a clear focus on the Asia-Pacific region. The heat map shown in the image above shows the concentration of infections in India, Vietnam and South Korea, although infections were also detected in Europe as well as the US.