A new strain of malware is making the rounds that targets Microsoft SQL servers and is capable of executing programs, sniffing data, intruding into other SQL servers, and dozens of other dangerous things.
The malware, discovered by cybersecurity analysts from DCSO CyTec, was dubbed Maggie. Maggie is distributed disguised as an Extended Stored Procedure (ESP) DLL, a file digitally signed by an alleged South Korean company called DEEPSoft.
Typically, Extended Stored Procedure files extend SQL query functionality via an API that accepts remote user arguments and returns unstructured data. In Maggie’s case, this functionality is abused to give threat actors a total of 51 different commands, some of which we have already mentioned.
Asian countries targeted
Maggie itself is controlled through SQL queries that tell it which commands to execute and which files to use.
According to the researchers, the malware already infected hundreds of endpoints worldwide, most of which are located in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States.
Knowing that Maggie attacks Microsoft SQL servers and that it has an extensive list of features, it’s safe to assume that it was built as a corporate espionage tool. However, the researchers were unable to determine who the threat actors behind Maggie are, where they operate from, who they target, how they managed to land the malware on these servers, and to what end.
“To install Maggie, an attacker must be able to place an ESP file in a directory accessible to the MSSQL server and must have valid credentials to load the Maggie ESP onto the server,” the researchers explained. “It is unclear how an actual attack with Maggie is carried out in the real world.”
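Because an ESP has to be registered on the instance before it can be called, defenders can audit the registered extended stored procedures and the DLLs they map to. The T-SQL below is an added example for this article, not a query from DCSO's report; it assumes the default `master.sys.extended_procedures` catalog view and that the administrator fills in the instance's own Binn directory in `@binn_dir` (a placeholder here).

```sql
-- Added example (not from the article or the DCSO report): list every
-- extended stored procedure registered on this instance that Microsoft did
-- not ship, together with the DLL it loads. A third-party ESP such as the one
-- Maggie impersonates would show up in this list with its DLL path.
DECLARE @binn_dir NVARCHAR(260) = N'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\';  -- placeholder: set to this instance's Binn path

SELECT
    ep.name,
    ep.dll_name,
    ep.create_date,
    ep.modify_date,
    -- Flag any DLL that lives outside the instance's own binary directory;
    -- an ESP loaded from a writable or unexpected location deserves review.
    CASE
        WHEN ep.dll_name LIKE @binn_dir + N'%' THEN 'expected location'
        ELSE 'REVIEW: DLL outside Binn directory'
    END AS location_check
FROM master.sys.extended_procedures AS ep
WHERE ep.is_ms_shipped = 0          -- skip the built-in xp_* procedures
ORDER BY ep.create_date DESC;
```

Run the query as a sysadmin against each instance; any row that was not deliberately registered, or whose DLL sits outside the expected directory, should be checked against the file's digital signature and change records before it is trusted.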
The full list of commands identified so far can be found in the researchers’ report.
Via: Bleeping Computer