Hundreds of Microsoft SQL servers around the world have already been infected by the novel backdoor dubbed "Maggie," with infections most prevalent in South Korea, India, Vietnam, China, Russia, Germany, Thailand, and the U.S., reports BleepingComputer.
DCSO CyTec researchers discovered that Maggie impersonates a DEEPSoft Co. Ltd-signed Extended Stored Procedure DLL to facilitate remote backdoor access. Maggie also supports numerous commands, including querying system information and executing programs, optionally with appended arguments, according to researchers. Attackers could also leverage Maggie's TCP redirection functionality to establish a connection to reachable IP addresses. "When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask. The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie," said DCSO CyTec.
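Because Maggie is loaded as an Extended Stored Procedure DLL, one defender-side check is to inventory the extended procedures registered in the master database and review any that Microsoft did not ship. The following T-SQL is an added example, not code from the page, DCSO CyTec, or BleepingComputer; it assumes sysadmin rights on a SQL Server release that exposes the sys.extended_procedures catalog view.

```sql
-- Inventory extended stored procedures registered in master.
-- Rows with is_ms_shipped = 0 were added by an administrator (or an attacker)
-- via sp_addextendedproc and should be reconciled against change records
-- and the DLL file on disk (path, publisher signature, file hash).
SELECT
    xp.name                      AS procedure_name,
    xp.dll_name                  AS dll_name,        -- DLL path as registered
    xp.create_date,
    xp.modify_date,
    CASE WHEN xp.is_ms_shipped = 1 THEN 'microsoft'
         ELSE 'REVIEW'                              -- third-party or rogue
    END                          AS origin
FROM master.sys.extended_procedures AS xp
ORDER BY xp.is_ms_shipped ASC, xp.create_date DESC;

-- Narrow the view to only the entries that need manual review.
SELECT xp.name, xp.dll_name, xp.create_date
FROM master.sys.extended_procedures AS xp
WHERE xp.is_ms_shipped = 0;
```

Treat the result as a starting point: a DLL name or vendor string alone proves nothing, so verify the signature and hash of each file at the listed path against what the vendor publishes.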
Malicious GitHub pages and YouTube videos containing links to purported cracked office software, automated trading bots, and game cheats have been leveraged to facilitate the download of self-extracting, password-protected archives.
While threat actors continued to impersonate employers on job search platforms to lure software developers into an online interview followed by a BeaverTail malware compromise, more recent attacks deployed a new Qt-based BeaverTail version capable of exfiltrating browser credentials and cryptocurrency wallet data.