Since May 2018, a malware botnet called Vollgar has been launching brute force attacks against Microsoft SQL (MSSQL) databases to take over administrator accounts and then install cryptocurrency mining scripts on the underlying operating system.

The researchers named it “Vollgar” after the Vollar cryptocurrency that it mines. It uses password brute force attacks to breach SQL servers that are exposed to the Internet and have weak credentials. The attackers are reported to have successfully infected nearly 2,000-3,000 database servers daily in recent weeks, with potential victims in the healthcare, aviation, telecommunications, and higher education sectors in China, India, the United States, South Korea and Turkey.

Brute force attempts to guess the passwords of MSSQL servers have been sprayed across the entire Internet. As of May 2018, the attackers are said to have more than 120 IP addresses used to launch attacks, with most of those IPs coming from China.

Fortunately for those affected, Security Officers released a script that lets sysadmins detect whether any of their Windows MS-SQL servers have been compromised by this particular threat.

How the Vollgar malware attack works

The Vollgar attack begins with brute force login attempts on MS-SQL servers. When successful, these allow the attacker to make a series of configuration changes in order to execute malicious MSSQL commands and download malware binaries. In addition to ensuring that the cmd.exe and ftp.exe executables have the necessary execute permissions, the operator behind Vollgar also creates new backdoor users on the MSSQL database.

Vollgar acts as an installer for different types of RAT and for a crypto miner based on XMRig that mines Monero and an alternative currency called VDS or Vollar, which, as we have seen in previous posts, can cause problems for our computer equipment.
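
The brute force login stage described above leaves a trace in the SQL Server error log. As an added example (not from the original post and not the detection script mentioned earlier), this Python code flags clients that produce a burst of failed logins and then log in successfully. The log lines are constructed samples in ERRORLOG format, the threshold and window are illustrative, and it assumes login auditing records both failed and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG format (documentation IP ranges).
_FAIL = ("2020-04-01 10:{m}:{s:02d}.10 Logon       Login failed for user '{u}'. Reason: "
         "Password did not match that for the login provided. [CLIENT: {ip}]")
_OK = ("2020-04-01 10:{m}:{s:02d}.10 Logon       Login succeeded for user '{u}'. "
       "Connection made using SQL Server authentication. [CLIENT: {ip}]")
SAMPLE_LOG = "\n".join(
    [_FAIL.format(m=15, s=s, u="sa", ip="203.0.113.7") for s in range(1, 7)]
    + ["2020-04-01 10:15:06.10 Logon       Error: 18456, Severity: 14, State: 8.",
       _OK.format(m=15, s=9, u="sa", ip="203.0.113.7"),
       _FAIL.format(m=16, s=0, u="app", ip="198.51.100.20"),   # one mistyped password
       _OK.format(m=16, s=5, u="app", ip="198.51.100.20")])

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]")

def parse(log_text):
    """Yield (timestamp, result, user, client) for each login audit line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"], m["client"]

def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside the sliding window,
    and record any login that later succeeds from a flagged client."""
    recent = defaultdict(list)  # client -> timestamps of failures still in window
    findings = {}
    for ts, result, user, client in parse(log_text):
        if result == "failed":
            recent[client] = [t for t in recent[client] if ts - t <= window] + [ts]
            if len(recent[client]) >= threshold:
                hit = findings.setdefault(client, {"failures": 0, "succeeded_as": []})
                hit["failures"] = max(hit["failures"], len(recent[client]))
        elif client in findings:
            # A success after a guessing burst: treat the account as breached.
            findings[client]["succeeded_as"].append(user)
    return findings

if __name__ == "__main__":
    for client, hit in detect(SAMPLE_LOG).items():
        print(client, hit)
```

A non-empty `succeeded_as` list is the signal to prioritise: it means a password was guessed, so the account should be reset and the server checked for new logins and changed configuration.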

