Hundreds of Microsoft SQL servers around the world have already been infected by a novel backdoor dubbed "Maggie," with infections most prevalent in South Korea, India, Vietnam, China, Russia, Germany, Thailand, and the U.S., BleepingComputer reports.
DCSO CyTec researchers found that Maggie is delivered as an Extended Stored Procedure DLL signed by DEEPSoft Co. Ltd, which means it is loaded into the SQL Server process itself once registered and gives the operator remote backdoor access through the database engine. Maggie supports numerous commands, including querying system information and executing programs with caller-supplied arguments, according to the researchers. Attackers can also use Maggie's TCP redirection feature to establish a connection to any IP address the infected server can reach. "When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask. The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie," said DCSO CyTec.
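Because Maggie arrives as a registered extended stored procedure whose DLL carries a valid code signature, a signature check alone will not surface it; the practical hunt is to enumerate what is registered in master and ask whether each entry belongs there. The T-SQL below is an added example for that purpose, not a query from the article or from DCSO's report. It lists every extended stored procedure the instance knows about and flags entries that are not Microsoft-shipped, entries whose DLL was registered with an explicit path rather than a bare filename resolved from the instance's Binn folder, and entries whose module name is not in a short allowlist. The allowlist of Microsoft DLL names is an assumption for illustration and should be replaced with the set observed on a known-clean instance of the same build.

```sql
-- Added hunting query (not from the article or DCSO's report).
-- Extended stored procedures can only be registered in master, so that is
-- the only database that needs to be inspected.
USE master;
GO

;WITH known_ms_dlls AS (
    -- Assumed allowlist of Microsoft-shipped xp DLL names for illustration;
    -- rebuild it from a known-clean instance of the same version before relying on it.
    SELECT v.dll_name
    FROM (VALUES
        (N'xplog70.dll'),
        (N'xpstar.dll'),
        (N'xpsqlbot.dll'),
        (N'xprepl.dll'),
        (N'odsole70.dll')
    ) AS v(dll_name)
),
registered AS (
    SELECT
        xp.name,
        xp.dll_name,
        xp.create_date,
        xp.modify_date,
        xp.is_ms_shipped,
        -- Strip any directory component so a full path still matches the allowlist by basename.
        RIGHT(xp.dll_name,
              CHARINDEX(N'\', REVERSE(xp.dll_name) + N'\') - 1) AS dll_basename
    FROM sys.extended_procedures AS xp
)
SELECT
    r.name,
    r.dll_name,
    r.create_date,
    r.modify_date,
    r.is_ms_shipped,
    CASE
        -- Anything a person or tool registered after install, which is how an xp DLL backdoor gets in.
        WHEN r.is_ms_shipped = 0                                    THEN N'REVIEW: not Microsoft-shipped'
        -- Built-in xp DLLs are referenced by bare filename; an explicit path points outside Binn.
        WHEN r.dll_name LIKE N'%\%' OR r.dll_name LIKE N'%/%'       THEN N'REVIEW: registered with an explicit path'
        -- A module name nobody expects, even if the row claims to be Microsoft-shipped.
        WHEN k.dll_name IS NULL                                      THEN N'REVIEW: DLL not in allowlist'
        ELSE N'ok'
    END AS verdict
FROM registered AS r
LEFT JOIN known_ms_dlls AS k
    ON LOWER(k.dll_name) = LOWER(r.dll_basename)
ORDER BY r.is_ms_shipped ASC, r.create_date DESC;
```

Run this against each instance from an account that can read master's catalog; on a freshly installed server every row should come back as `ok`, so any `REVIEW` row is worth pulling the DLL from disk for, checking who signed it and when the row's `create_date` falls relative to the instance's install date. The same job can be done from the legacy `sp_helpextendedproc` output, but the catalog view exposes `is_ms_shipped` and the timestamps, which are the fields that actually separate a registered backdoor from the stock procedures.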