A new backdoor named Maggie has been found on hundreds of Microsoft SQL Server machines across the world. Maggie targets SQL Server specifically and is controlled entirely through SQL queries, so it needs no separate command channel or process of its own.
Maggie is built as an Extended Stored Procedure (ESP) DLL. An ESP is a DLL that SQL Server loads into its own process and exposes as a stored procedure: a client with the right permissions calls it like any other procedure, and the arguments the remote client supplies are handed straight to the native code. Maggie uses this mechanism as its remote command interface and supports 51 commands on the infected server, among them querying system information, executing additional programs, interacting with the filesystem, and enabling Remote Desktop services. Maggie can also act as a network bridge: through TCP redirection the threat actor can reach any address the server itself can reach. The redirection applies only to connections arriving from attacker-specified source addresses, while all other clients are passed through to the server as usual, so the redirection is hard to notice from the outside. The malware also offers SOCKS5 proxy functionality, which turns the compromised server into a pivot for relaying attacker traffic into the network behind it.
The initial infection vector used to install Maggie is still unknown. Installing an ESP, however, requires placing the DLL where the SQL Server service can read it and then registering it in the master database with a login that has sysadmin-level privileges, so Maggie is most likely one stage of a post-compromise chain rather than the initial foothold. So far, Maggie has been seen primarily in the Asia-Pacific region, with South Korea, India, and Vietnam the most affected countries.
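A practical consequence of the above: since every ESP has to be registered in master with sp_addextendedproc before SQL Server will load it, the set of registered ESPs on a server is a short, auditable list. The following T-SQL hunting script is an added example written for this page, not code from the report or from the malware; the procedure name xp_suspicious and the DLL name suspicious_dll in the commented response step are hypothetical placeholders for whatever the hunt turns up.

```sql
USE master;
GO

-- 1. Enumerate user-registered extended stored procedures and their DLLs.
--    Microsoft's built-in xp_* procedures live in sys.system_objects, so
--    anything returned here was added with sp_addextendedproc and is
--    worth a look. The triage column flags DLLs that are not in the
--    SQL Server installation tree or are given as a bare file name
--    (a bare name is resolved against the instance's binn directory).
SELECT  ep.name,
        ep.dll_name,
        ep.create_date,
        ep.modify_date,
        CASE
            WHEN ep.dll_name NOT LIKE '%:\%'
                THEN 'relative path: resolved from the binn directory'
            WHEN ep.dll_name NOT LIKE '%\Microsoft SQL Server\%'
                THEN 'DLL outside the SQL Server install tree'
            ELSE 'expected location'
        END AS triage
FROM    sys.extended_procedures AS ep
ORDER BY ep.create_date DESC;
GO

-- 2. Cross-check with the legacy report; both views should agree.
--    With no argument it lists every registered ESP and its DLL.
EXEC sp_helpextendedproc;
GO

-- 3. Registering an ESP needs sysadmin, so the logins below are the
--    candidates for how the DLL got in. Check create/modify dates
--    against the ESP registration time from step 1.
SELECT  sp.name,
        sp.type_desc,
        sp.create_date,
        sp.modify_date,
        sp.is_disabled
FROM    sys.server_principals AS sp
WHERE   sp.type IN ('S', 'U', 'G')            -- SQL login, Windows login, Windows group
  AND   IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
ORDER BY sp.modify_date DESC;
GO

-- 4. Response, once a rogue ESP is confirmed (hypothetical names).
--    Preserve the DLL for forensics before removing anything.
--    sp_dropextendedproc removes the registration; the DBCC FREE call
--    unloads the DLL from the sqlservr.exe process so the code stops
--    running without a service restart.
-- EXEC sp_dropextendedproc N'xp_suspicious';
-- DBCC suspicious_dll (FREE);
```

Run the first three steps from a sysadmin connection on every instance in scope; on a clean server step 1 returns no rows at all, which makes any result easy to spot. Because ESPs run inside the SQL Server process, a DLL that step 1 reports as loaded from a user-writable or unexpected directory should be treated as a compromised host, not just a misconfiguration.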