Researchers from DCSO CyTec uncovered Maggie, a novel backdoor for Microsoft SQL servers hidden as an Extended Stored Procedure DLL called sqlmaggieAntiVirus_64.dll. Maggie runs commands, interacts with files, and can function as a network bridge with a SOCKS5 proxy, having infected at least 250 servers worldwide, with a focus on the Asia-Pacific region. #Maggie #ExtendedStoredProcedures #MSSQL #DCSOCyTec #ShadowForce
Keypoints
- Maggie is delivered as an Extended Stored Procedure (ESP) DLL (sqlmaggieAntiVirus_64.dll) loaded into an MSSQL server and controlled via SQL queries.
- Once loaded, Maggie provides a backdoor that can run commands, interact with the file system, and act as a network bridge through port forwarding and proxy features.
- The malware includes brute-force capabilities to target other MSSQL servers, and can add a hardcoded backdoor user when admin credentials are discovered.
- At least 250 MSSQL servers have been identified as infected globally, with a clear concentration in the Asia-Pacific region.
- The researchers attribute Maggie to a broader campaign discovered by DCSO CyTec and reference their follow-up coverage on βTracking down Maggie.β
- Maggieβs network-bridging capabilities include StartHook-based API hooks, SetClientData-based IP redirection, and SOCKS5 proxy functionality for complex lateral movement.
MITRE Techniques
- [T1110] Brute Force β Maggie bruteforces logins to other MSSQL servers. βThe backdoor has capabilities to bruteforce logins to other MSSQL servers.β
- [T1090] Connection Proxy β Maggie redirects incoming connections and acts as a network bridge head. βMaggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port.β
Indicators of Compromise
- [File Hash] Maggie ESP DLLs β f29a311d62c54bbb01f675db9864f4ab0b3483e6cfdd15a745d4943029dcdf14, a375ae44c8ecb158895356d1519fe374dc99c4c6b13f826529c71fb1d47095c3, and 2 more hashes
- [File Hash] RAR SFX with Maggie β 4311c24670172957b4b0fb7ca9898451878faeb5dcec75f7920f1f7ad339d958, d0bc30c940b525e7307eca0df85f1d97060ccd4df5761c952811673bc21bc794
- [URL] ITW URLs β http://58.180.56.28/sql64.dll, http://106.251.252.83/sql64.dll, and 3 more URLs
- [Domain] ITW domain β xw.xxuz.com
- [IP Address] ITW hosts β 58.180.56.28, 106.251.252.83, and 1 more (183.111.148.147)
- [File Path] Maggie-related data files β C:ProgramDataSuccess.dat, Success.dat, and 2 more items (Failure.dat, AccessControl.Dat)
- [User-Agent] Hardcoded User-Agent β Mozilla/4.0 (compatible)
Read more: https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01