- Joined
- Jun 28, 2020
- Messages
- 6,314
- Reaction score
- 711
- Points
- 212
- Awards
- 2
During the campaign, criminals deploy cryptominers and trojans for remote access on compromised servers.
Starting in May 2018, cybercriminals during the Vollgar malware campaign hack thousands of vulnerable Microsoft SQL servers (MSSQL) daily via brute force, install backdoors and download cryptocurrency miners and trojans for remote access.
According to experts from the Guardicore Labs team, this malicious campaign is still actively infecting from 2 thousand to 3 thousand MSSQL servers every day. The campaign was called Vollgar, because criminals place scripts for mining the cryptocurrency Monero (XMR) and Vollar (VDS) on compromised servers.
According to experts, Vollgar attacks are carried out with approximately 120 IP addresses located mainly in China. Presumably, they are previously hacked MSSQL servers used to scan the Web for other potential targets.
“Vollgar's main management server was running from a computer in China. It was found that a server with an MS-SQL database and a Tomcat web server was compromised by more than one grouping. We found almost ten different backdoors used to access a computer, read the contents of its file system, modify the registry, upload and download files, and execute commands. However, the device worked as usual. Malicious activity can be detected among running tasks, active sessions and user lists with administrative privileges, however, the server owners did not notice this, ”the experts said.
Criminals can carry out a wide range of malicious actions using two C&C servers used throughout the campaign: from downloading files, installing Windows services and launching keyloggers with the ability to take screenshots, activate a web camera or microphone on a compromised server, as well as DDoS -attack.
The victims of the malicious campaign were companies and enterprises of various industries, including healthcare, aviation, information technology, telecommunications and higher education in China, India, the USA, South Korea and Turkey.
Starting in May 2018, cybercriminals during the Vollgar malware campaign hack thousands of vulnerable Microsoft SQL servers (MSSQL) daily via brute force, install backdoors and download cryptocurrency miners and trojans for remote access.
According to experts from the Guardicore Labs team, this malicious campaign is still actively infecting from 2 thousand to 3 thousand MSSQL servers every day. The campaign was called Vollgar, because criminals place scripts for mining the cryptocurrency Monero (XMR) and Vollar (VDS) on compromised servers.
According to experts, Vollgar attacks are carried out with approximately 120 IP addresses located mainly in China. Presumably, they are previously hacked MSSQL servers used to scan the Web for other potential targets.
“Vollgar's main management server was running from a computer in China. It was found that a server with an MS-SQL database and a Tomcat web server was compromised by more than one grouping. We found almost ten different backdoors used to access a computer, read the contents of its file system, modify the registry, upload and download files, and execute commands. However, the device worked as usual. Malicious activity can be detected among running tasks, active sessions and user lists with administrative privileges, however, the server owners did not notice this, ”the experts said.
Criminals can carry out a wide range of malicious actions using two C&C servers used throughout the campaign: from downloading files, installing Windows services and launching keyloggers with the ability to take screenshots, activate a web camera or microphone on a compromised server, as well as DDoS -attack.
The victims of the malicious campaign were companies and enterprises of various industries, including healthcare, aviation, information technology, telecommunications and higher education in China, India, the USA, South Korea and Turkey.