Cybersecurity researchers have uncovered malware that has been exploiting Microsoft SQL servers to mine cryptocurrency for nearly two years.
Guardicore Labs, the cybersecurity company, said the malware, dubbed "Vollgar", uses password brute-forcing to break into Internet-exposed Microsoft SQL servers protected by weak credentials, reports Hacker News.
The malware is named after Vollar (VDS), the digital currency it mines; the name also alludes to its aggressive, even "vulgar", mode of operation.
Guardicore reported that the campaign infected between 2,000 and 3,000 database servers per day in the weeks before disclosure. Victims include healthcare institutions, aviation companies, IT and telecommunications providers, and higher-education bodies. Targets of Vollgar are located mainly in China, India and South Korea, as well as in the United States and Turkey.
Attacks came from China
According to Hacker News, the attack begins with brute-force login attempts against Microsoft SQL servers. Once a login succeeds, the attacker changes server configuration settings so that the database instance can run operating system commands and download further malware.
The attackers also create new privileged backdoor accounts in both the MS-SQL instance and the operating system. The malware then kills a long list of processes to claim as many system resources as possible for itself and to remove any other threat actors already present on the infected machine.
Finally, the malware drops several remote access trojans (RATs) and XMRig-based cryptocurrency miners, which mine Monero (XMR) and Vollar (VDS).
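The first two steps of the chain described above (a burst of failed logins from one client, followed by a successful login and configuration changes that let the database run OS commands) leave traces in the SQL Server ERRORLOG. The script below is an added example written for this page; it is not Guardicore's detection script and not code from the article. It assumes the standard ERRORLOG line format and the standard "Login failed for user", "Login succeeded for user" and "Configuration option ... changed" messages; the two options it treats as dangerous (xp_cmdshell and Ole Automation Procedures) are the usual ways to run commands from T-SQL and are an assumption about this campaign, not something the article states. The sample log is constructed, and the thresholds are illustrative.

```python
"""Detect MS-SQL brute-force logins and follow-on command-execution enablement in ERRORLOG text."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in SQL Server ERRORLOG format (not real victim data).
# "Login succeeded" lines only appear when login auditing is set to record successes.
SAMPLE_ERRORLOG = """\
2020-03-31 02:14:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2020-03-31 02:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-31 02:14:03.42 Logon       Error: 18456, Severity: 14, State: 8.
2020-03-31 02:14:03.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-31 02:14:05.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-31 02:14:08.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-31 02:14:10.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-31 02:14:12.97 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-03-31 02:14:15.21 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2020-03-31 02:14:22.01 spid57      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-03-31 02:14:22.03 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-03-31 02:14:22.05 spid57      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-03-31 09:30:11.44 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")

# Options that let a SQL login run OS commands via the service account (assumed relevant here).
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


def parse_errorlog(text):
    """Return (timestamp, source, message) tuples; lines without a timestamp prefix are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group(2), m.group(3)))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag client IPs with >= threshold failed logins inside any window_seconds span."""
    failures = defaultdict(list)   # client ip -> [(timestamp, user)]
    successes = defaultdict(list)  # client ip -> [timestamp]
    for ts, _src, msg in events:
        m = FAIL_RE.search(msg)
        if m:
            failures[m.group(2)].append((ts, m.group(1)))
            continue
        m = SUCCESS_RE.search(msg)
        if m:
            successes[m.group(2)].append(ts)

    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        peak, start = 0, 0
        for end in range(len(attempts)):  # sliding window over sorted failure times
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = attempts[-1][0]
            hits[ip] = {
                "failures": len(attempts),
                "peak_in_window": peak,
                "users": sorted({user for _, user in attempts}),
                # A success from the same IP after the burst means the password was guessed.
                "success_after": any(t > last_fail for t in successes.get(ip, [])),
            }
    return hits


def find_dangerous_config_changes(events):
    """Return (timestamp, option) for dangerous options switched on (new value 1)."""
    changes = []
    for ts, _src, msg in events:
        m = CONFIG_RE.search(msg)
        if m and m.group(1) in DANGEROUS_OPTIONS and m.group(3) == "1":
            changes.append((ts, m.group(1)))
    return changes


def analyze(text):
    events = parse_errorlog(text)
    return {
        "bruteforce": find_bruteforce(events),
        "config_changes": find_dangerous_config_changes(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_ERRORLOG)
    for ip, info in report["bruteforce"].items():
        print(f"brute force from {ip}: {info}")
    for ts, opt in report["config_changes"]:
        print(f"{ts} dangerous option enabled: {opt}")
```

Run against a real ERRORLOG (or the output of `xp_readerrorlog`), the two signals together, a guessed password followed within seconds by xp_cmdshell or Ole Automation being switched on, are the sequence to treat as a likely compromise rather than noise; a lone failed login from an internal host, like the 10.0.0.5 line in the sample, stays below the threshold.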
Guardicore found that the entire attack infrastructure was hosted on compromised machines, including the primary command-and-control server, which is located in China. Notably, that same Chinese server had itself been attacked earlier by various other hackers.
Guardicore Labs has also released a script to help organizations detect whether their MS-SQL servers have been compromised by Vollgar.