Cyber attacks on enterprises have been on the rise since the COVID period. The malware used in these attacks has grown more sophisticated, both in ease of execution and in the breadth of targets it can reach. A "heat map" published by DCSO CyTec of Maggie, a backdoor malware affecting Microsoft SQL servers, has been making the rounds on the internet for about a week now. India figures among the countries that have borne the brunt of Maggie, alongside South Korea, Vietnam, China, Russia, Thailand, Germany, and the United States.
Analysis of the malware reveals that it disguises itself as an Extended Stored Procedure DLL ("sqlmaggieAntiVirus_64.dll") that is digitally signed by DEEPSoft Co. Ltd, a company that appears to be based in South Korea. The backdoor was discovered by German analysts Johann Aydinbas and Axel Wauer of DCSO CyTec. DCSO CyTec also reports that the commands supported by Maggie allow querying for system information, executing programs, interacting with files and folders, enabling remote desktop services (TermService), running a SOCKS5 proxy, and setting up port forwarding; the commands also accept arguments and allow further arguments to be appended, all from within MS SQL. Maggie is controlled through SQL queries that instruct it to run commands and interact with files. It has also been reported that Maggie can brute-force administrator logins to other Microsoft SQL servers, and hence doubles as a bridgehead into the server's network environment.
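Because Maggie registers itself as an extended stored procedure DLL, one practical hunt is to pull the rows of master.sys.extended_procedures from each SQL Server and flag anything not shipped by Microsoft, loaded from outside the SQL Server install tree, registered by bare file name, named like the reported DLL, or registered recently. The triage below is an added example, not DCSO CyTec's tooling; the inventory rows are constructed, and the "Microsoft SQL Server" path fragment used to recognise the stock install tree is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import ntpath

# Assumption: stock extended procedure DLLs live under the SQL Server install tree.
MS_INSTALL_FRAGMENT = "microsoft sql server"
# File name fragments matching the DLL name reported for Maggie.
MAGGIE_NAME_HINTS = ("maggie", "antivirus")


@dataclass
class ExtendedProc:
    name: str            # procedure name registered in master (e.g. via sp_addextendedproc)
    dll_name: str        # dll_name column of master.sys.extended_procedures
    is_ms_shipped: bool  # is_ms_shipped column
    create_date: date    # create_date column


def suspicion_reasons(xp: ExtendedProc, since: date) -> list[str]:
    """Return the reasons this entry deserves a closer look (empty if none)."""
    if xp.is_ms_shipped:
        return []  # stock procedures such as xp_cmdshell are left to their own controls
    reasons = ["not shipped by Microsoft"]
    if not ntpath.isabs(xp.dll_name):
        reasons.append("DLL registered by bare file name (resolved via the loader search path)")
    elif MS_INSTALL_FRAGMENT not in ntpath.dirname(xp.dll_name).lower():
        reasons.append("DLL outside the SQL Server install tree")
    base = ntpath.basename(xp.dll_name).lower()
    if any(hint in base for hint in MAGGIE_NAME_HINTS):
        reasons.append("file name matches the reported Maggie DLL naming")
    if xp.create_date >= since:
        reasons.append(f"registered on or after {since.isoformat()}")
    return reasons


def triage(inventory: list[ExtendedProc], since: date) -> dict[str, list[str]]:
    """Map procedure name -> reasons for every entry that raised at least one reason."""
    return {xp.name: r for xp in inventory if (r := suspicion_reasons(xp, since))}


# Constructed sample rows (not taken from any real server).
SAMPLE = [
    ExtendedProc("xp_cmdshell", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll", True, date(2019, 9, 24)),
    ExtendedProc("maggie", r"C:\Windows\Temp\sqlmaggieAntiVirus_64.dll", False, date(2022, 9, 30)),
    ExtendedProc("xp_helper", "sqlmaggieAntiVirus_64.dll", False, date(2022, 10, 1)),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE, date(2022, 9, 1)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Feed it the real rows from each instance (SELECT name, dll_name, is_ms_shipped, create_date FROM master.sys.extended_procedures) and review every flagged entry against change records before treating it as a finding.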
Why India is Affected the most by Maggie
India, being the software coding hub for the globe, hosts over 40 percent of MS SQL deployments, both in enterprises and in software development environments. India's academia is the largest in the world: of the 4,200 engineering colleges offering B.Tech/B.E. degrees, approximately 3000 offer computer education. Hence, MS SQL is installed on a far larger scale than in other countries.
Maggie network bridge
Most malware operates, among other things, on a principle of "masquerading": the camouflage is maintained during the attack, and an attacker who does not know the internal IP schema of the enterprise or organisation still needs to find a route to the desired server (in this case the MS SQL server).
In the case of Maggie, the malware provides a simple TCP redirection feature that allows remote attackers to connect to any IP address, which in turn lets them reach the desired MS SQL server internally.
“When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask” – DCSO CyTec
Further, through scripts the attacker can enable port reuse and redirection, mask the presence of Maggie, manage it stealthily, and so on. Its SOCKS5 proxy functionality also allows all network packets to be routed through a proxy server.