Hydra-headed payload has potentially netted cybercrooks ‘tens of thousands of dollars’

A long-running cybercrime campaign has been infecting between 2,000 and 3,000 corporate Windows machines a day with crypto-mining malware and remote access trojans (RATs), security researchers have discovered.

The brute-force cyber-attacks, which target machines running Microsoft SQL (MS-SQL) server software, also install multiple backdoors, according to a post from Guardicore, an Israeli-founded data center and cloud security company, on April 1.

The ‘Vollgar’ campaign – a portmanteau combining the ‘Vollar’ cryptocurrency it mines and its apparently ‘vulgar’ behavior – has targeted victims in sectors such as healthcare, aviation, IT, telecoms, and education since May 2018, it added.

Victims were primarily based in the US, China, India, South Korea, and Turkey.

‘A vast number of attacks’

Ophir Harpaz, cybersecurity researcher at Guardicore Labs and the post’s author, wrote that “a vast number of attacks” have been launched against “about half-a-million machines” running MS-SQL servers.

“This relatively small number of potential victims triggers an inter-group competition over control and resources [that’s typical of other] recent mass-scale attacks.”

Harpaz believes the campaign is likely to have been highly lucrative for its executors.

Since Vollgar is using privacy coins, it is hard to estimate the attackers’ earnings from their nefarious project, she told The Daily Swig.

However, the scope of infection over such a long duration suggests profits could run into “tens of thousands of dollars”.

The RATs and backdoors, meanwhile, also give the attackers “remote access and control of the whole botnet”, and thus access to sensitive personal data such as usernames, passwords, and credit card numbers that can later be monetized through sale on the dark web.

In her post, Harpaz criticized what she said were “oblivious or negligent registrars and hosting companies” for enabling these attacks by allowing “attackers to use IP addresses and domain names to host whole infrastructures”.

Attack origins

Guardicore Labs researchers have traced the “thorough, well-planned and noisy” attacks to more than 120 IP addresses – the vast majority of which were in China.

They believe attacks were probably launched from compromised machines that had been “repurposed to scan and infect new victims”.

Some 20% of breached servers have remained infected for at least a week, with many infections persisting beyond two weeks.

This is a testament to the attacker’s aptitude at covering their tracks and bypassing security controls – and in some cases the absence of such mitigations, the researchers suggested.

Ten percent of victims were later re-infected – prompting comparisons with the Smominru campaign, with Guardicore again concluding that sysadmins had removed malware without also identifying and addressing the infection’s root cause.

Advice to users

“To prevent infection by Vollgar and cryptomining attacks, organizations should know their perimeter and search for blind spots,” Harpaz said. “In today’s cloud and data center deployments, that’s easier said than done.

“We recommend starting by collecting netflow data and getting a full view into what parts of the data center are exposed to the internet.

“Mapping all incoming traffic to your data center is the intelligence you need to fight the war against crypto-miners.

“Next, defenders should verify that all accessible machines are running with up-to-date operating systems and strong credentials, and that services are configured according to industry best practices.”

Guardicore Labs has included an open source PowerShell script and execution instructions for detecting Vollgar’s presence and indicators of compromise.

Infected machines should be immediately quarantined from other network assets, advises Harpaz.
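
As an added illustration of the netflow step Harpaz describes (this is not Guardicore's script or code from the original article), the following Python example maps which internal hosts receive inbound MS-SQL flows from external addresses and lists external sources that connect repeatedly. The CSV column names, the RFC 1918 internal ranges, the repeat threshold and the sample flows are assumptions constructed for the example; TCP port 1433 is the MS-SQL default.

```python
import csv
import io
import ipaddress
from collections import defaultdict

MSSQL_PORT = 1433        # default MS-SQL TCP listener port
REPEAT_THRESHOLD = 5     # assumed: flows from one source that merit review
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow export (documentation addresses, not real traffic).
SAMPLE_FLOWS = (
    "src,dst,dport,proto\n"
    + "203.0.113.7,10.0.5.20,1433,tcp\n" * 6   # one source, repeated flows
    + "198.51.100.9,10.0.5.20,1433,tcp\n"      # second external source
    + "10.0.1.4,10.0.5.21,1433,tcp\n"          # internal-only, not exposure
    + "192.0.2.44,10.0.5.22,443,tcp\n"         # different service
    + "192.0.2.44,10.0.5.23,1433,udp\n"        # not the TCP listener
)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def map_mssql_exposure(flow_csv, port=MSSQL_PORT):
    """Return {internal_host: {external_src: flow_count}} for inbound TCP flows."""
    exposure = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp" or int(row["dport"]) != port:
            continue
        if is_internal(row["dst"]) and not is_internal(row["src"]):
            exposure[row["dst"]][row["src"]] += 1
    return {host: dict(srcs) for host, srcs in exposure.items()}

def repeated_sources(exposure, threshold=REPEAT_THRESHOLD):
    """List (host, src, count) where one external source opened many flows."""
    return sorted((host, src, n)
                  for host, srcs in exposure.items()
                  for src, n in srcs.items() if n >= threshold)

if __name__ == "__main__":
    found = map_mssql_exposure(SAMPLE_FLOWS)
    for host, srcs in sorted(found.items()):
        print(f"{host}: tcp/{MSSQL_PORT} reached by {len(srcs)} external source(s)")
    for host, src, n in repeated_sources(found):
        print(f"review: {src} -> {host} ({n} flows)")
```

Any host the first function returns is an MS-SQL listener reachable from outside the internal ranges, which is the blind spot the advice is aimed at; the second list is a starting point for checking authentication logs on that host.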