Cloud security and data center management company Guardicore has reported a new botnet malware that has been infiltrating servers running Microsoft SQL Server in order to mine cryptocurrency.
According to a report released on April 1st by Guardicore, the botnet has been in operation since March 2018, infecting countless servers in several countries. Guardicore’s report reveals that the botnet, dubbed Vollgar, uses the affected machines to mine both Monero [XMR] and Vollar [VDS] cryptocurrencies. The name is an amalgamation of the words Vollar and vulgar.
Guardicore explains that the attackers use crude methods to gain entry into these systems, including installing keyloggers to steal passwords and brute-forcing their way in. Once the attackers have gained entry, they install remote access tools (RATs) that enable them to download cryptocurrency mining software, as well as malware that disables system security mechanisms such as antivirus products and EDRs (if present).
The report details that the most affected computers are based in China, Turkey, South Korea, India and the United States of America. From Guardicore’s analysis, the command-and-control (C&C) server for the botnet appears to be in China, but it is hard to pinpoint where in particular, as the C&C could itself be a compromised server that is not owned by the attackers.
An estimated 2,000 to 3,000 computers are infected every day according to the report, and “victims belong to various industry sectors, including healthcare, aviation, IT & telecommunications and higher education.”
Guardicore’s security researcher Ophir Harpaz said that, fortunately, a majority of infected computers were disinfected within a short period. “However, [a minority] almost 20% of all breached servers remained infected for more than a week and even longer than two weeks.” This shows that the malware was able to operate undetected for a long time.
Guardicore provides a few recommendations on how to deal with the botnet in case you have been attacked.
“If infected, we highly recommend to immediately quarantine the infected machine and prevent it from accessing other assets in the network.” For servers that are not yet infected, or to protect against reinfection, “it is also important to change all your MS-SQL user account passwords to strong passwords.”
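As a defensive follow-up to these recommendations, here is an added T-SQL example (not taken from Guardicore’s report) that audits SQL Server logins for the weaknesses a credential brute-force relies on and applies the password hardening the report calls for. It assumes sysadmin rights; the login name app_user and the new password are placeholders.

```sql
-- Added example, not from the Guardicore report: audit and harden MS-SQL logins
-- against credential brute-forcing. Run as sysadmin on the affected instance.

-- 1. SQL-authenticated logins with a blank password or a password equal to
--    the login name. PWDCOMPARE tests a candidate against the stored hash.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 2. Logins that bypass the Windows password complexity and lockout policy.
SELECT name
FROM sys.sql_logins
WHERE is_policy_checked = 0;

-- 3. Remediation: rotate the password, then enforce policy and expiration checks.
--    'app_user' and the password below are placeholders; substitute your own.
ALTER LOGIN [app_user] WITH PASSWORD = '<new strong password>';
ALTER LOGIN [app_user] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 4. Disable the built-in 'sa' login if it is not needed; it is a commonly
--    brute-forced account.
ALTER LOGIN [sa] DISABLE;

-- 5. Quarantine check: list current user sessions with their source address,
--    so unexpected remote connections can be identified and cut off.
SELECT s.session_id, s.login_name, s.host_name, c.client_net_address, s.program_name
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1;
```

Step 1 only reports SQL logins (not Windows-authenticated ones); any row it returns should be rotated immediately using the statements in step 3.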