The threat-hunting company DCSO CyTec’s security researchers have discovered a new backdoor that has been attacking Microsoft SQL (MSSQL) servers.
The threat, known as Maggie, is delivered as a signed Extended Stored Procedure (ESP) DLL, an MSSQL extension. Once installed and running on a target server, it is controlled entirely through SQL queries. The backdoor gives the attackers a foothold in the compromised environment and supports a variety of features, including the ability to execute commands and interact with files.
Maggie can also run brute-force attacks against admin accounts on other MSSQL servers and, where they succeed, add a hardcoded backdoor user.
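Because the backdoor registers itself as an extended stored procedure, a defender's first check is an inventory of ESPs the instance did not ship with. The following T-SQL is an added example, not code from DCSO CyTec's report; it assumes a sysadmin login on SQL Server 2008 or later, and uses only the standard catalog views `sys.extended_procedures`, `sys.dm_os_loaded_modules`, `sys.database_permissions` and the `xp_readerrorlog` procedure.

```sql
-- Added defensive example (not from the DCSO CyTec write-up).
-- Extended stored procedures always live in master, so audit there.
USE master;
GO

-- 1. Every ESP that Microsoft did not ship, with the DLL it maps to.
--    A recently created, non-Microsoft ESP is the artefact to investigate.
SELECT
    ep.name                    AS procedure_name,
    SCHEMA_NAME(ep.schema_id)  AS schema_name,
    ep.dll_name,
    ep.create_date,
    ep.modify_date
FROM sys.extended_procedures AS ep
WHERE ep.is_ms_shipped = 0
ORDER BY ep.create_date DESC;

-- 2. Correlate those DLLs with modules actually loaded into the SQL Server
--    process, so the on-disk path and file metadata (company, description,
--    version) of each suspect DLL can be reviewed. dll_name may be a bare
--    file name or a full path; LIKE covers both (note '_' is a LIKE
--    wildcard, which is acceptable for an audit listing).
SELECT
    ep.name         AS procedure_name,
    ep.dll_name,
    lm.name         AS loaded_module_path,
    lm.company,
    lm.description,
    lm.file_version
FROM sys.extended_procedures AS ep
LEFT JOIN sys.dm_os_loaded_modules AS lm
       ON lm.name LIKE '%' + ep.dll_name
WHERE ep.is_ms_shipped = 0;

-- 3. Who may EXECUTE the non-Microsoft ESPs. A backdoor controlled through
--    SQL queries needs a login the attacker can reach; an EXECUTE grant to
--    an unexpected principal is a strong signal.
SELECT
    ep.name                               AS procedure_name,
    USER_NAME(dp.grantee_principal_id)    AS grantee,
    dp.permission_name,
    dp.state_desc
FROM sys.extended_procedures AS ep
JOIN sys.database_permissions AS dp
  ON dp.class = 1                -- OBJECT_OR_COLUMN
 AND dp.major_id = ep.object_id
WHERE ep.is_ms_shipped = 0;

-- 4. On servers that may be the target of the brute-force stage: failed
--    logins from the current error log, newest first (the default login
--    audit level records failed logins only).
EXEC xp_readerrorlog 0, 1, N'Login failed', NULL, NULL, NULL, N'desc';
```

Query 4 reflects what a server being brute-forced records, not what the compromised server itself logs about its outbound attempts, so it belongs on every MSSQL host reachable from a suspect instance.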