MSSQL servers are prime targets for the new Maggie backdoor

October 7, 2022
Tags: MSSQL, Database Servers, Maggie Backdoor, Bruteforce Attack, Asia Pacific

Microsoft SQL (MSSQL) servers are being targeted by a new backdoor that security researchers have dubbed ‘Maggie.’ The backdoor is deployed by its operators as a signed Extended Stored Procedure (ESP) DLL, the mechanism MSSQL uses for native extensions. Once it is running on the targeted server, the operators control it through ordinary SQL queries.

The researchers’ analysis of Maggie explains that it supports a range of functions, such as running commands, interacting with files, and helping its operators establish persistence in the compromised environment. Furthermore, the backdoor can brute-force other MSSQL servers to compromise admin accounts and then add a hardcoded backdoor user.


The Maggie backdoor operators must first place the ESP DLL file in a directory that the MSSQL server can access.


To launch Maggie on a targeted server, the operators must first place the ESP DLL file in a directory that the MSSQL server can access, and they must also hold valid credentials to load the ESP file on the server.

The researchers also note that Maggie is usually loaded onto the target server manually, after which it begins receiving SQL queries as commands from the operators. The backdoor can collect the server’s system information, manipulate files and folders, and execute any program.
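Because Maggie is registered as an extended stored procedure backed by an attacker-supplied DLL, one defensive check is to review which DLLs the SQL Server instance has actually loaded to execute ESPs. The script below is an added example, not code from the article or from the researchers; it parses SQL Server ERRORLOG lines of the form "Using '<dll>' version '<ver>' to execute extended stored procedure '<name>'." (the message SQL Server writes the first time an ESP runs) and flags any DLL that is not in an assumed allowlist of the DLLs shipped with SQL Server, or that was registered by full path rather than bare file name. The sample log lines, the allowlist and the DLL and procedure names in them are constructed for the example.

```python
"""Audit extended stored procedure (ESP) DLL loads from SQL Server ERRORLOG lines.

Added example (not the article's or the researchers' code). The sample
ERRORLOG excerpt below is constructed; 'sqlext.dll' and 'xp_custom_example'
are placeholder names, not indicators from any real incident.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumed allowlist: DLLs that ship with SQL Server and back its built-in
# xp_* procedures. Tune this to the DLLs present in your own installation.
KNOWN_ESP_DLLS = {"xpstar.dll", "xplog70.dll", "xpsqlbot.dll", "odsole70.dll"}

# ERRORLOG layout: "<timestamp> <source> <message>"; the message is the one
# SQL Server logs when an ESP is executed for the first time.
ESP_LOAD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+"
    r"Using '(?P<dll>[^']+)' version '(?P<ver>[^']*)' "
    r"to execute extended stored procedure '(?P<proc>[^']+)'"
)

# Constructed sample: one built-in ESP load and one load from an unexpected DLL path.
SAMPLE_ERRORLOG = r"""
2022-10-07 09:58:41.30 spid52      Using 'xpstar.dll' version '2019.150.2000' to execute extended stored procedure 'xp_instance_regread'. This is an informational message only; no user action is required.
2022-10-07 10:20:12.07 spid61      Using 'C:\ProgramData\sqlext.dll' version '1.0.0' to execute extended stored procedure 'xp_custom_example'. This is an informational message only; no user action is required.
"""


@dataclass(frozen=True)
class EspLoad:
    ts: str
    spid: str
    dll: str   # DLL exactly as SQL Server logged it (bare name or full path)
    proc: str  # name of the extended stored procedure that triggered the load


def parse_esp_loads(lines):
    """Extract every ESP load event from an iterable of ERRORLOG lines."""
    loads = []
    for line in lines:
        m = ESP_LOAD_RE.match(line.strip())
        if m:
            loads.append(EspLoad(m["ts"], m["src"], m["dll"], m["proc"]))
    return loads


def suspicious_esp_loads(lines, allowlist=KNOWN_ESP_DLLS):
    """Return (EspLoad, reasons) pairs for loads that deserve a closer look.

    Two signals: the DLL's file name is not on the allowlist, or the DLL was
    referenced by a directory path (built-in ESPs are logged by bare name).
    """
    findings = []
    for load in parse_esp_loads(lines):
        reasons = []
        if ntpath.basename(load.dll).lower() not in allowlist:
            reasons.append("dll not in allowlist")
        if ntpath.dirname(load.dll):
            reasons.append("dll referenced by path rather than bare name")
        if reasons:
            findings.append((load, reasons))
    return findings


if __name__ == "__main__":
    for load, reasons in suspicious_esp_loads(SAMPLE_ERRORLOG.splitlines()):
        print(f"{load.ts} spid={load.spid} proc={load.proc} dll={load.dll}: {', '.join(reasons)}")
```

On a live instance the same inventory can be cross-checked against the catalog view sys.extended_procedures, whose dll_name column records the DLL each registered ESP points to; any entry outside the SQL Server installation directory warrants the same scrutiny as a flagged log line.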

Other notable capabilities of the Maggie backdoor are network-related: it can enable TermService (Remote Desktop), set up port forwarding, and run a proxy server. With port forwarding, the backdoor acts as a bridge into the server’s network environment.

Additionally, the backdoor supports TCP redirecting, which forwards incoming connections to a previously defined internet protocol (IP) address and port. Maggie also supports four commands related to exploitation and two commands for brute-forcing other Microsoft SQL servers.

When a brute-force attack succeeds against an account with higher admin rights, the Maggie backdoor creates its own user account on the compromised server. Recent investigations show that Maggie has affected at least 285 servers in over 42 countries, primarily in the Asia-Pacific region, including South Korea, Vietnam, and India.
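Maggie’s brute-force step leaves a characteristic trace on the victim: a burst of failed logins from one client address, followed, if it succeeds, by a successful login for the same account. The script below is an added example, not code from the article or from the researchers; it walks SQL Server ERRORLOG logon lines in order, keeps a sliding window of failed logins per client IP, raises a brute-force alert when the count in that window reaches a threshold, and raises a second, higher-severity alert if a successful login then arrives from the same address. The sample log lines, the IP addresses and the threshold and window values are constructed for the example; the "Login failed for user ... [CLIENT: ...]" and "Login succeeded for user ..." message shapes follow what SQL Server writes when login auditing covers failed (and successful) logins.

```python
"""Detect brute-force login bursts against an MSSQL instance from ERRORLOG lines.

Added example (not the article's or the researchers' code). The sample
excerpt, client IPs, threshold and window are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+")
FAILED_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")

# Constructed sample: six failures for 'sa' from one address within seconds,
# one unrelated failure from another address, then a success from the first.
SAMPLE_ERRORLOG = """
2022-10-07 10:15:03.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-10-07 10:15:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-10-07 10:15:04.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-10-07 10:15:05.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-10-07 10:15:06.11 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-10-07 10:15:06.73 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-10-07 10:15:07.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-10-07 10:15:09.88 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""


def parse_logon_events(lines):
    """Yield (timestamp, kind, user, client_ip) for each logon line, in file order."""
    events = []
    for line in lines:
        ts_match = TS_RE.match(line.strip())
        if not ts_match:
            continue
        ts = datetime.strptime(ts_match.group(1), "%Y-%m-%d %H:%M:%S")
        fail = FAILED_RE.search(line)
        if fail:
            events.append((ts, "fail", fail["user"], fail["ip"]))
            continue
        ok = SUCCESS_RE.search(line)
        if ok:
            events.append((ts, "ok", ok["user"], ok["ip"]))
    return events


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts: one 'bruteforce' per offending client IP once it reaches
    `threshold` failures inside `window`, plus 'success_after_bruteforce' for
    any later successful login from that IP (likely a guessed password)."""
    alerts = []
    recent_failures = defaultdict(deque)  # client IP -> timestamps inside the window
    flagged = set()
    for ts, kind, user, ip in parse_logon_events(lines):
        q = recent_failures[ip]
        while q and ts - q[0] > window:      # drop failures that aged out of the window
            q.popleft()
        if kind == "fail":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip, "failures": len(q), "at": ts})
        elif kind == "ok" and ip in flagged:
            alerts.append({"type": "success_after_bruteforce", "ip": ip, "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_ERRORLOG.splitlines()):
        print(alert)
```

Successful logins only appear in the ERRORLOG when the instance’s login auditing is set to record both failed and successful logins; with the default of failed-only, the first alert still fires but the follow-up one cannot, so a site that wants the second signal should enable full login auditing or pair this check with the server’s security audit.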
