
A new malicious script infecting Microsoft SQL servers has been identified, the latest cybersecurity threat to rely on digital currency computing to profit from its victims.

The campaign, which researchers say began in May 2018, has been targeting Windows machines operating SQL servers, deploying backdoors and various types of malware—including digital currency processing scripts.

Dubbed ‘Vollgar’, after the digital currency it mines, the botnet is said to use password brute-force techniques to hack servers with weak credentials. Some 2,000-3,000 machines are thought to have been infected over the last couple of weeks, with victims mainly companies and higher education facilities worldwide.

Researchers at Guardicore Labs said that once a password hack has been successful, the malware goes on to make changes to the configuration of hosted servers:

“Attackers [also] validate that certain COM classes are available – WbemScripting.SWbemLocator, Microsoft.Jet.OLEDB.4.0 and Windows Script Host Object Model (wshom). These classes support both WMI scripting and command execution through MS-SQL, which will be later used to download the initial malware binary.”
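The sequence described above (repeated failed logins, a successful login, then configuration changes) can be looked for in the SQL Server error log. The following is an added detection example, not code from Guardicore or from this article; the log lines are constructed, and the choice of `sp_configure` options to watch is an assumption, since the article does not name the settings that were changed. It also assumes login auditing records successful as well as failed logins.

```python
import re
from collections import defaultdict

# Constructed sample lines in the SQL Server ERRORLOG format (not real data).
_FAIL = "Reason: Password did not match that for the login provided."
_OK = "Connection made using SQL Server authentication."
_RUN = "Run the RECONFIGURE statement to install."
SAMPLE_LOG = f"""\
2020-04-01 03:10:01.10 Logon       Login failed for user 'sa'. {_FAIL} [CLIENT: 203.0.113.7]
2020-04-01 03:10:01.40 Logon       Login failed for user 'sa'. {_FAIL} [CLIENT: 203.0.113.7]
2020-04-01 03:10:01.70 Logon       Login failed for user 'sa'. {_FAIL} [CLIENT: 203.0.113.7]
2020-04-01 03:10:02.00 Logon       Login failed for user 'app'. {_FAIL} [CLIENT: 192.0.2.10]
2020-04-01 03:10:02.30 Logon       Login failed for user 'sa'. {_FAIL} [CLIENT: 203.0.113.7]
2020-04-01 03:10:04.00 Logon       Login succeeded for user 'app'. {_OK} [CLIENT: 192.0.2.10]
2020-04-01 03:10:05.40 Logon       Login succeeded for user 'sa'. {_OK} [CLIENT: 203.0.113.7]
2020-04-01 03:10:06.10 spid57      Configuration option 'show advanced options' changed from 0 to 1. {_RUN}
2020-04-01 03:10:06.30 spid57      Configuration option 'Ole Automation Procedures' changed from 0 to 1. {_RUN}
2020-04-01 03:10:06.50 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. {_RUN}
"""

# Assumption: options that gate COM object creation, shell commands and ad hoc OLE DB providers.
RISKY_OPTIONS = {"ole automation procedures", "xp_cmdshell", "ad hoc distributed queries"}

LOGIN_RE = re.compile(r"Login (failed|succeeded) for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")

def analyze(log_text, threshold=3):
    """Flag logins that succeed after >= threshold failures, and risky options enabled afterwards."""
    failures = defaultdict(int)   # (client, user) -> failures since last success
    bruteforced = {}              # (client, user) -> failures that preceded the success
    enabled_after = []            # risky options switched on after a flagged success
    for line in log_text.splitlines():
        login = LOGIN_RE.search(line)
        if login:
            outcome, user, client = login.groups()
            key = (client, user)
            if outcome == "failed":
                failures[key] += 1
            else:
                if failures[key] >= threshold:
                    bruteforced[key] = failures[key]
                failures[key] = 0
            continue
        cfg = CONFIG_RE.search(line)
        # Config lines carry a session id, not a client address, so correlate by order.
        if cfg and bruteforced and cfg.group(1).lower() in RISKY_OPTIONS \
                and cfg.group(2) == "0" and cfg.group(3) != "0":
            enabled_after.append(cfg.group(1))
    return {"bruteforced": bruteforced, "enabled_after": enabled_after}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A single mistyped password followed by a success, as with the `app` login in the sample, stays below the threshold and is not flagged.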

According to Guardicore, the entire infrastructure of the hack is stored on compromised computers, with its main hub traced back to a computer that had itself been infected.

“Among the files [on the C&C server] was the MS-SQL attack tool, responsible for scanning IP ranges, brute-forcing the targeted database, and executing commands remotely.”

“In addition, we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP.”

In their report, the researchers concluded that database servers were valuable to hackers beyond digital currency processing, potentially storing huge amounts of sensitive data, such as names, usernames, passwords and credit cards.

“What makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold. These machines possibly store personal information such as usernames, passwords, credit card numbers, etc., which can fall into the attacker’s hands with only a simple brute-force.”
