The botnet was first spotted in May 2018, when it was that targeting Windows machines running MS-SQL servers to deploy a broad range of malware, including RAT and miners.
“Dating back to May 2018, the campaign uses password brute force to breach victim machines, deploys multiple
The botnet targets MS-SQL servers exposed online with weak credentials, according to the experts, attackers managed to successfully infect nearly 2,000-3,000 installs per day over the past few weeks.
“For example, the attacker validates that certain COM classes are available – WbemScripting.SWbemLocator, Microsoft.Jet.OLEDB.4.0 and Windows Script Host Object Model (wshom). These classes support both WMI scripting and command execution through MS-SQL, which will be later used to download the initial malware binary. The Vollgar attacker also ensures that strategic files such as cmd.exe and ftp.exe have execution permissions.” continues the analysis.
The botnet operators also set multiple backdoor users on the target server and on the MS-SQL DB, they added the users to the administrators group.
The analysis of the log files revealed that the majority (60%) of
Then the attackers create separate downloader scripts (two VBScripts and one FTP script), to prepare for possible failures. Each script is executed a couple of times, every time with a different target location on the local file system.
The botnet C2 infrastructure is composed of compromised machines, the primary command-and-control server is located in China
“Among the files [on the C&C server] was the MS-SQL attack tool, responsible for scanning IP ranges, brute-forcing the targeted database, and executing commands remotely,” states Guardicore. “In addition, we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP.”
Admins could check whether their machine has been infected by the Vollgar miner using an open-source Powershell script developed by the researchers. The script is available in the campaign’s IOCs repository.
“What makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold. These machines possibly store personal information such as
(SecurityAffairs – Vollgar botnet, MSSQL)