![]() ![]() ![]() The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie.” continues the analysis. “When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask. ![]() Maggie implements simple TCP redirection that allows it to operate as a network bridge head from the Internet to any IP address reachable by the compromised MSSQL server. Maggie also supports commands that are passed by the attackers along with arguments appended to them. The Maggie malware supports over 51 commands to gather system information and run programs, it is also able to support network-related functionalities like enabling TermService, running a Socks5 proxy server or setting up port forwarding to make Maggie act as a bridge head into the server’s network environment. Inspecting the DLL file the experts discovered it is an Extended Stored Procedure, which allows SQL queries to run shell commands. The export directory revealed the name of the library, sqlmaggieAntiVirus_64.dll, which offers a single export called maggie. While investigating new threats, the experts discovered a suspicious file, the DLL file was signed by DEEPSoft Co., Ltd. “Once loaded into a server by an attacker, it is controlled solely using SQL queries and offers a variety of functionality to run commands, interact with files and function as a network bridge head into the environment of the infected server.” Based on this finding, we identified over 250 servers affected worldwide, with a clear focus on the Asia-Pacific region.” reads the analysis published by the researchers. ![]() “In addition, the backdoor has capabilities to bruteforce logins to other MSSQL servers while adding a special hardcoded backdoor user in the case of successfully bruteforcing admin logins. The backdoor is also able to bruteforce logins to other MSSQL servers to add a special hardcoded backdoor. Upon loading into a server, an attacker, can control it using SQL queries and offers a variety of functionality to run commands, and interact with files. The malware comes in the form of an “Extended Stored Procedure,” which are stored procedures that call functions from DLL files. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |