Threat Watch

Hundreds of Microsoft SQL Servers Backdoored with New Malware

A new backdoor malware named Maggie has been found infecting hundreds of machines across the world. Maggie specifically targets Microsoft SQL servers and uses SQL queries to perform its activities.

Maggie is designed as an Extended Stored Procedure DLL, a special type of DLL that extends the functionality of SQL queries by using an API that accepts remote user arguments. Maggie uses this functionality of Microsoft SQL servers to enable remote backdoor access and supports up to 51 commands to be executed on the infected server. Among these commands includes the capability to query system information, execute additional programs, interact with the filesystem, and enable Remote Desktop services. Maggie can also act as a network bridge, allowing the threat actor to connect to any IP address that the server can reach via TCP redirection. This redirection is transparent to authorized users while still allowing standard users to connect to the server normally, making it more difficult to detect that this TCP redirection is occurring. The malware also features SOCKS5 proxy functionality, allowing for increased stealth by routing all network packets through a proxy server.

While the current infection vector used to install Maggie is unknown, installing ESP DLLs does require placing the DLL in a location accessible by the Microsoft SQL server and valid credentials to load the ESP into the server, making this attack likely part of a post-compromise chain. So far, Maggie has been seen infecting servers primarily in the Asia-Pacific region, with South Korea, India, and Vietnam being the primarily targeted countries.


While the infection vector for compromises that deploy Maggie is unknown, the fact that it requires credentials and filesystem access within the environment means that the threat actors will require some level of access within the network to deploy it. This means that the best way to prevent Maggie from compromising a Microsoft SQL server is to maintain good security controls at both the network and endpoint level. By preventing a threat actor from establishing a foothold into a network and being able to access credentials and move laterally, an organization can help prevent Maggie infections by denying the prerequisites needed by the threat actor. If a SQL server does become infected, making sure appropriate SQL query logging is enabled can help an organization detect the compromise. Likewise, certain components of Maggie also write files to the filesystem, allowing an organization to detect a potential compromise based on that. For example, Maggie supports a command that attempts to brute force logins on other Microsoft SQL servers. If any credential pairing in the brute force is successful, it writes the corresponding credentials to a “success.dat” file located in C:\ProgramData. This behavior can be used to detect this command successfully executing on a system by monitoring for the creation of this file. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.