Cybersecurity researchers have discovered a malicious campaign named Vollgar that has been running since May 2018, targeting Windows machines running MS-SQL servers and installing malware, RATs (Remote Access Trojans) and backdoors on them.
Microsoft SQL Server is a relational database management system developed by Microsoft and used by many organisations around the world.
Researchers said that over the past few weeks the attackers managed to compromise 2,000-3,000 MS SQL servers daily, with victims from sectors including IT & telecommunications, healthcare, aviation and higher education in India, the U.S., Turkey and South Korea.
The researchers observed that the attacks originated from more than 120 IP addresses, most of them in China. Some of the IPs were short-lived, while a couple remained active for more than 3 months.
Vollgar Attack Chain: Infected MS SQL Servers
After analysing the attackers' log files, Guardicore researchers were able to obtain information about the infected servers. They found that 60% of the infected machines stayed infected only for a short period of time, 20% remained infected for more than two weeks, and 10% of the servers were re-infected again and again after system admins had removed the malware.
"Threat actors are attempting various forms of attack, including password brute force to breach victim machines, deploying multiple backdoors and executing numerous malicious modules, such as multi-functional remote access tools (RATs) and crypto miners," Guardicore researchers said.
Researchers said that the entire infrastructure, including the command and control server, is located in China, and that the C&C server itself was found to be compromised by more than one attacker group.
The workflow of Vollgar MS SQL Server Attack
The attack begins with brute-force attempts against the MS SQL login. Once the attackers break in, they start changing configuration settings so that the database server can be used to execute operating system commands.
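Because the campaign's first step is password guessing against MS SQL logins, the most useful early-warning signal for a defender is a burst of failed logins from one client followed by a success. The following is an added example of that check written for this article; it is not Guardicore's script and not code from the article. It parses lines in the shape SQL Server writes to its ERRORLOG for failed and successful logins (the "Login failed for user ... [CLIENT: ip]" messages); the log lines, the `sa`/`admin`/`reporting` user names and the 203.0.113.x / 198.51.100.x addresses are constructed sample data, not real indicators.

```python
"""Flag password guessing against MS SQL logins from SQL Server ERRORLOG lines.

Added defender-side example (not Guardicore's or the article's code). The
SAMPLE_LOG below is constructed to mimic the ERRORLOG 'Login failed' and
'Login succeeded' message shapes; the 203.0.113.x / 198.51.100.x addresses
are documentation ranges, not real attacker IPs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One ERRORLOG logon line: timestamp, the 'Logon' source, the result, the
# login name and the client address in brackets at the end.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Constructed sample: a guessing burst from 203.0.113.5 that ends in a
# successful 'sa' login, two isolated failures from 203.0.113.9, and a
# legitimate login from 198.51.100.7. The last line is unrelated noise.
SAMPLE_LOG = """\
2018-05-14 02:11:03.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-14 02:11:04.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-14 02:11:04.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-14 02:11:05.61 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2018-05-14 02:11:06.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-14 02:11:07.14 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2018-05-14 02:11:09.77 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2018-05-14 02:15:41.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2018-05-14 03:02:12.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2018-05-14 03:10:00.00 Logon       Login succeeded for user 'reporting'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
2018-05-14 03:10:01.00 spid52      Starting up database 'tempdb'.
"""


def parse_errorlog(lines):
    """Return a list of logon events (ts, result, user, ip); other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "result": m.group("result"),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Report client IPs with >= threshold failed logins inside any `window`.

    For each flagged IP the report also records whether a login from that IP
    succeeded after the burst began, which is the 'guessing worked' signal
    that should trigger an incident rather than just a block.
    """
    by_ip = defaultdict(list)
    for ev in parse_errorlog(lines):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failed"]
        burst_start = None
        left = 0
        # Sliding window over the failure timestamps (two-pointer scan).
        for right in range(len(failures)):
            while failures[right]["ts"] - failures[left]["ts"] > window:
                left += 1
            if right - left + 1 >= threshold:
                burst_start = failures[left]["ts"]
                break
        if burst_start is None:
            continue
        success_after = any(
            e["result"] == "succeeded" and e["ts"] >= burst_start for e in evs
        )
        findings[ip] = {
            "failed_logins": len(failures),
            "users_tried": sorted({e["user"] for e in failures}),
            "success_after_burst": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

On a real server the input would be the current ERRORLOG (readable with `xp_readerrorlog` or from the instance's Log directory); the threshold and window are tuning knobs, and a success that follows a burst is the finding worth paging on, since it means the login guessing succeeded and the configuration changes described above may already have been made.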
The attackers also wrote two VBScripts for downloading over HTTP and one FTP script as a fallback against failed download attempts, and the downloader script is executed from a different location on the local file system every time.
Vollgar's main C&C server was located in China, and the machine had 10 different backdoors installed that were used to access and read its file system contents, modify its registry, download and upload files, and execute commands.
The attackers were using two different C&C servers with the capability to download files, install new Windows services, log keystrokes, capture the screen, activate the camera and microphone, and even launch a Distributed Denial-of-Service (DDoS) attack.
Vollgar's RAT Modules
The initial dropper payload used by the attackers, 'SQLAGENTIDC.exe' or 'SQLAGENTVDC.exe', starts by killing a long list of processes using 'taskkill' in order to claim more computer resources for itself.
After that, the RAT tries to connect to the C&C server on several different port numbers.
"Each RAT module attempts to connect to the CNC server on a different port. Ports we've seen include 22251, 9383 and 3213. It is fair to assume that the simultaneous connections are for redundancy in case one of the CNCs is down," the researchers said.
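The dropper names and call-home ports above are the host-level indicators a sysadmin can check for right away. The following is an added triage example written for this article, not Guardicore's released script and not code from the article: it cross-references a Windows process list with the host's connection table and reports any process whose image name matches the dropper names, or any connection to the three RAT ports the researchers listed. The two input snapshots are constructed in the shape of `tasklist /fo csv` and `netstat -ano` output; the process IDs and the 203.0.113.x / 198.51.100.x addresses are made up for the example.

```python
"""Cross-check a Windows process list and connection table against the Vollgar
indicators named in the article: dropper image names SQLAGENTIDC.exe /
SQLAGENTVDC.exe and RAT call-home ports 22251, 9383 and 3213.

Added defender-side triage example; it is not Guardicore's script and not the
article's code. On a real host the two inputs come from `tasklist /fo csv`
and `netstat -ano`; the snapshots below are constructed, and the
203.0.113.x / 198.51.100.x addresses are documentation ranges.
"""
import csv
import io
import re

# Indicators taken from the article. The image names are lookalikes of the
# legitimate SQL Server Agent binary, SQLAGENT.EXE.
IOC_IMAGE_NAMES = {"sqlagentidc.exe", "sqlagentvdc.exe"}
IOC_REMOTE_PORTS = {22251, 9383, 3213}

# One `netstat -ano` row: proto, local, remote, optional state (UDP has none), PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# Constructed `tasklist /fo csv` snapshot (header row included).
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"sqlservr.exe","1188","Services","0","412,008 K"
"SQLAGENTIDC.exe","4120","Services","0","18,440 K"
"svchost.exe","912","Services","0","9,120 K"
"notepad.exe","5560","Console","1","6,000 K"
"""

# Constructed `netstat -ano` snapshot.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1188
  TCP    10.0.0.5:49812         203.0.113.20:22251     ESTABLISHED     4120
  TCP    10.0.0.5:49813         203.0.113.20:9383      SYN_SENT        4120
  TCP    10.0.0.5:49901         198.51.100.30:443      ESTABLISHED     912
  TCP    10.0.0.5:50010         203.0.113.44:3213      ESTABLISHED     5560
  UDP    0.0.0.0:123            *:*                                    1044
"""


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output (header optional)."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


def parse_netstat(text):
    """Return connection dicts from `netstat -ano` output; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("remote").rpartition(":")  # also fine for [::1]:port
        conns.append({
            "proto": m.group("proto"),
            "remote_host": host,
            "remote_port": int(port) if port.isdigit() else None,
            "state": m.group("state"),
            "pid": int(m.group("pid")),
        })
    return conns


def triage(tasklist_text, netstat_text):
    """Return per-PID findings (sorted by PID) for image-name and C2-port matches."""
    procs = parse_tasklist(tasklist_text)
    findings = {}

    def note(pid, reason):
        entry = findings.setdefault(
            pid, {"pid": pid, "process": procs.get(pid, "<unknown>"), "reasons": []}
        )
        if reason not in entry["reasons"]:
            entry["reasons"].append(reason)

    for pid, name in procs.items():
        if name.lower() in IOC_IMAGE_NAMES:
            note(pid, f"image name matches Vollgar dropper: {name}")
    for c in parse_netstat(netstat_text):
        if c["remote_port"] in IOC_REMOTE_PORTS:
            note(c["pid"], f"{c['proto']} connection to "
                           f"{c['remote_host']}:{c['remote_port']} ({c['state']})")
    return sorted(findings.values(), key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in triage(SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        print(f["pid"], f["process"], "|", "; ".join(f["reasons"]))
```

The two indicator sets are deliberately checked independently: a process with a benign-looking name talking to one of the listed ports is still reported (the constructed `notepad.exe` row shows this), and a dropper-named process is reported even before it has managed to reach its C&C. Port-only hits deserve a second look, since nothing reserves those three ports for the RAT.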
The attackers were mining both Monero and an alt-coin named VDS, or Vollar.
The researchers have also released a script that lets sysadmins check whether any of their MS SQL servers have been compromised by this threat.