Maggie Malware Infected Hundreds of Microsoft SQL servers

Conti Ransomware Gang Hacking Microsoft Exchange Servers Using ProxyShell Exploit

VTA-00424 – Maggie Malware Infected Hundreds of Microsoft SQL servers

A novel backdoor malware named Maggie that targets Microsoft SQL servers has infected hundreds of machines all over the world. The malware disguises itself as an Extended Stored Procedure DLL, a special type of extension used by Microsoft SQL servers. Once Maggie is loaded into a server by an attacker, it is controlled through SQL queries to run commands. Maggie contains variety of commands that allow querying for system information, executing programs, interacting with files and folders, enabling remote desktop services (TermService), running a SOCKS5 proxy, and setting up port forwarding.

Maggie can also act as a bridge head into the server’s network environment and brute-force administrator logins to other Microsoft SQL servers while adding a special hardcoded backdoor user in the case of successfully brute-forcing admin logins. Currently, some of the Maggie’s details are still unknown, such as the post-infection use of Maggie, how the malware is planted in the servers in the first place and who is behind these attacks.


Attack Surfaces:
Server OS

Command and Control, Credential Access, Execution, Persistence

Brute Force, Proxy, Input Capture, Scheduled Task/Job, Hijack Execution Flow

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Network Manipulation, Network Monitoring, Security Controls, System Activity Monitoring, User Training

Indicator of Compromise:

SuperPRO’s Threat Countermeasures Procedures: 
1.  To add the IOC signature into endpoint security protection as the custom threat detection rules. Refer to the provided IOC to create a custom rule to block the respective File Hashes and Hostname, if necessary.
2. Use master key which can be protected by the service key or by a secure password provided by the user.
3. Enable strong password policy for all accounts.
4. Ensure CONNECT permissions on the ‘guest user’ is Revoked within all SQL Server databases excluding the master, msdb and tempdb.
5. Ensure ‘sa’ Login Account has been renamed.
6. Consider placing the Microsoft sql server behind a VPN, preventing public access.
7. It is important to keep anti-malware and security solutions enabled at all times.

Contributed by:  Hui

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>