Vollgar botnet has managed to infect around 3k MSSQL DB servers daily

Cybersecurity researchers spotted a crypto-mining botnet, tracked as Vollgar, that has been hijacking MSSQL servers since at least 2018.

Researchers at Guardicore Labs discovered a crypto-mining botnet, tracked as Vollgar botnet, that is targeting MSSQL databases since 2018. The botnet is used to launch brute-force attacks against MSSQL databases to take over servers and install Monero and Vollar cryptocurrency miners.

The botnet was first spotted in May 2018, when it was that targeting Windows machines running MS-SQL servers to deploy a broad range of malware, including RAT and miners.

“Guardicore Labs team has recently uncovered a long-running attack campaign which aims to infect Windows machines running MS-SQL servers.” reads the analysis published by Guardicore.

“Dating back to May 2018, the campaign uses password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multifunctional remote access tools (RATs) and cryptominers. We dubbed the campaign Vollgar after the Vollar cryptocurreny it mines and its offensive, vulgar behaviour.”

The botnet targets MS-SQL servers exposed online with weak credentials, according to the experts, attackers managed to successfully infect nearly 2,000-3,000 installs per day over the past few weeks.

The botnet tatgeted victims in various industries, including healthcare, aviation, IT & telecommunications and higher education sectors.

Upon a successful MS-SQL brute force attack, hackers perform a series of configuration changes to the database to allow future command execution.

“For example, the attacker validates that certain COM classes are available – WbemScripting.SWbemLocator, Microsoft.Jet.OLEDB.4.0 and Windows Script Host Object Model (wshom). These classes support both WMI scripting and command execution through MS-SQL, which will be later used to download the initial malware binary. The Vollgar attacker also ensures that strategic files such as cmd.exe and ftp.exe have execution permissions.” continues the analysis.

The botnet operators also set multiple backdoor users on the target server and on the MS-SQL DB, they added the users to the administrators group.

The analysis of the log files revealed that the majority (60%) of infected server remained such for only a short period of time, however 20% of the infected installs remained infected for more than a week and even longer than two weeks. This circumstance suggests the attackers are able to fly under the radar evading detection.

Then the attackers create separate downloader scripts (two VBScripts and one FTP script), to prepare for possible failures. Each script is executed a couple of times, every time with a different target location on the local file system. 

The botnet C2 infrastructure is composed of compromised machines, the primary command-and-control server is located in China

“Among the files [on the C&C server] was the MS-SQL attack tool, responsible for scanning IP ranges, brute-forcing the targeted database, and executing commands remotely,” states Guardicore. “In addition, we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP.”

Admins could check whether their machine has been infected by the Vollgar miner using an open-source Powershell script developed by the researchers. The script is available in the campaign’s IOCs repository.

“What makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold. These machines possibly store personal information such as usernames, passwords, credit card numbers, etc., which can fall into the attacker’s hands with only a simple brute-force.” conclude the experts.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Vollgar botnet, MSSQL)

[adrotate banner=”5″]

[adrotate banner=”13″]