FortiGuard Labs is aware of reports that a new backdoor called “Maggie” targets Microsoft SQL servers. Maggie connects to Command and Control (C2) servers for remote commands and supports a variety of commands such as downloading, executing,and deleting files and propagates to other SQL servers through bruteforcing as well as unknown exploit commands. Based on external reports, most infected Microsoft SQL servers are in Asia.Why is this Significant?This is significant because Maggie is a new backdoor malware that has reportedly infected Microsoft SQL servers around the globe, with heavy concentration in Asia. The backdoor allows a remote attacker to control infected SQL servers. Maggie also supports commands to propagate to other SQL servers through bruteforcing.What is Maggie malware?Maggie is a backdoor malware that targets Microsoft SQL servers. The backdoor allows a remote attacker to control infected servers and supports commands such as downloading, executing and deleting files, turning on and off remote desktop services (TermService) as well as propagating to other SQL servers through bruteforcing. Reportedly, Maggie is also capable of accepting unidentified exploit related commands.The attacker disguised Maggie as “sqlmaggieAntiVirus_64.dll” signed with a digital certificate belonging to a company in South Korea. The file is an Extended Stored Procedure (ESP) DLL that the malware abuses for backdoor activities.At the time of this writing, an initial infection vector has not been identified.What is the Status of Protection?FortiGuard Labs provides the following AV signatures for Maggie malware and relevant files:W64/JuicyPotato.AI!trRiskware/Inject.HEUR!tr.pwsAll network IOCs are blocked by the WebFiltering client.
More Stories
libxml2-2.12.9-1.fc40
FEDORA-2024-9f3765a04b Packages in this update: libxml2-2.12.9-1.fc40 Update description: Update to 2.12.9 Fixes CVE-2024-40896 Read More
libxml2-2.12.9-1.fc41
FEDORA-2024-867a14de12 Packages in this update: libxml2-2.12.9-1.fc41 Update description: Update to 2.12.9 Fixes CVE-2024-40896. Read More
iwd-3.3-1.fc40 libell-0.71-1.fc40
FEDORA-2024-0fa283c43a Packages in this update: iwd-3.3-1.fc40 libell-0.71-1.fc40 Update description: iwd 3.3: Fix issue with handling External Authentication. iwd 3.2: Fix...
iwd-3.3-1.fc41 libell-0.71-1.fc41
FEDORA-2024-256818da09 Packages in this update: iwd-3.3-1.fc41 libell-0.71-1.fc41 Update description: iwd 3.3: Fix issue with handling External Authentication. iwd 3.2: Fix...
A Vulnerability in Apache Struts2 Could Allow for Remote Code Execution
A vulnerability has been discovered in Apache Struts2, which could allow for remote code execution. Apache Struts2 is an open-source...
CyberDanube Security Research 20241219-0 | Authenticated Remote Code Execution in Ewon Flexy 205
Posted by Thomas Weber | CyberDanube via Fulldisclosure on Dec 21 CyberDanube Security Research 20241219-0 ------------------------------------------------------------------------------- title| Authenticated Remote Code...