Instances SQL Server - Backdoor Maggie

SQL Server instances infected with the Maggie backdoor

On several hundred SQL Server instances, security analysts have discovered a new backdoor named Maggie! Using it, hackers execute remote commands on the compromised host using malicious SQL queries.

First of all, you should know that it is the security analysts Johann Aydinbas and Axel Wauer of DCSO CyTec who made the discovery of this backdoor. Once in place on a server running a SQL Server instance, the Maggie backdoor is controlled through SQL queries who give him instructions, in particular for execute commands or interact with files. It can also be used to perform brute force attacks on other SQL instances.

Based on the telemetry data, security researchers at DCSO CyTec were able to create a heatmap that shows where the servers infected by this backdoor are located. It can be seen that the infected instances are located all over the worldeven if there are some countries more affected such as India, Vietnam, Russia, South Korea, Germany or the United States.

Out of a total of 600,000 servers analyzed worldwide, it turns out that 285 servers are infected with the Maggie backdoor.

Security - SQL Server - Backdoor Maggie

According to the analysis carried out by Johann Aydinbas and Axel Wauer, this backdoor disguises itself in the form ofan “Extended Stored Procedure” DLL named “sqlmaggieAntiVirus_64.dll” added to SQL Server.

Thus, additional functions are added to SQL Server in order to support new commands that can be executed via a remote API: Maggie brings a set of 51 commands ! There is the possibility to read the contents of files, to set up port forwarding, a reverse shell or even to activate the Remote Desktop on the server. The list also refers to 4 exploits but they are not included with the backdoor so security researchers could not test them.

Maggie Backdoor - List of Commands
Source : DCSO CyTec

Furthermore, Maggie acts as a relay to reach any machine on the network that the SQL Server host is able to contact! This is possible thanks to a TCP redirection feature. Analysts say:When enabled, Maggie redirects any incoming connection (on whatever port the MSSQL server is listening on) to a previously defined IP and port, if the source IP address matches an IP mask user specified“.

For the moment, there is still information to be determined: what is the group of cybercriminals behind these attacks? What vulnerabilities were initially exploited to compromise the SQL Server instance in order to deploy the backdoor?


Logiciel – OS,Sécurité,Microsoft,SQL Server,

#SQL #Server #instances #infected #Maggie #backdoor

Leave a Comment

Your email address will not be published. Required fields are marked *