
Vollgar

Posted: April 2, 2020

Microsoft SQL (MS-SQL) servers are being targeted by a new piece of malware called Vollgar. The campaign is crude: rather than hunting for outdated software that might carry exploitable vulnerabilities, the attackers use automated scanning tools to find Microsoft SQL Servers that are exposed to the Internet. Once a connection is made, the tool attempts to brute-force the login credentials; if the system administrator has failed to set a strong password, the attacker gains access to the MS-SQL server and the attack begins.
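Because the initial access described above is plain credential brute-forcing, the SQL Server error log, which records failed logins under the default audit setting, is the natural place to detect it. The script below is an added example and is not code from the original post or from the researchers who analysed Vollgar. It parses error-log lines of the standard `Login failed for user '...' ... [CLIENT: ip]` form and flags any client address that produces a configurable number of failures inside a sliding time window. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (timestamps, users and the
# RFC 5737 documentation addresses are made up for this example). The first
# line is the companion "Error: 18456" record, which the parser must ignore.
SAMPLE_ERRORLOG = """\
2020-04-02 10:14:02.11 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-02 10:14:02.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2020-04-02 10:20:45.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.9]
2020-04-02 10:31:00.02 Logon       Login failed for user 'dbadmin'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.5]
2020-04-02 10:31:10.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-02 10:31:12.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-02 10:31:14.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-02 10:31:17.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-02 10:31:19.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-02 10:31:21.91 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
"""

# Matches the "Login failed for user" line that SQL Server writes for every
# failed login when the default audit level ("Failed logins only") is in effect.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)


def parse_failed_logins(lines):
    """Yield (timestamp, login name, client IP) for each failed-login line."""
    for line in lines:
        m = LOGIN_FAILED_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["user"], m["ip"])


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag clients with at least `threshold` failed logins within any
    `window_seconds`-long sliding window.

    Returns {client_ip: {"attempts": total failures, "users": sorted names}}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)    # ip -> timestamps inside the current window
    total = defaultdict(int)       # ip -> all failures seen
    users = defaultdict(set)       # ip -> login names tried
    flagged = set()

    # Sort so the sliding window works even if lines arrive out of order.
    for ts, user, ip in sorted(parse_failed_logins(lines)):
        q = recent[ip]
        q.append(ts)
        total[ip] += 1
        users[ip].add(user)
        # Drop attempts that fell out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)

    return {ip: {"attempts": total[ip], "users": sorted(users[ip])}
            for ip in sorted(flagged)}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_ERRORLOG.splitlines()).items():
        print(f"{ip}: {info['attempts']} failed logins, users tried: {info['users']}")
```

With the defaults (5 failures in 60 seconds) only the client that hammers the `sa` account in quick succession is flagged, while the single typo from the administrator's address and the two slow attempts from the other address are not; widening the window or lowering the threshold trades that quiet for sensitivity to slow, low-rate guessing. On a live server the same lines are available from the ERRORLOG file or through `xp_readerrorlog`, and the flagged addresses are candidates for firewall blocking rather than proof of compromise on their own.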

The first thing that the attackers do on the compromised host is to install a copy of the Vollgar Trojan backdoor that allows them to execute remote commands. Researchers estimate that the hackers have been infecting approximately 2,000-3,000 servers a day for the past couple of weeks. Their victims fall into various categories – healthcare, telecommunications and IT.

The Vollgar Backdoor is Used to Install RATs and Cryptocurrency Miners

Once the backdoor is initialized, it is used to prepare the system for future infections:

  • The backdoor runs pre-made downloader scripts that download additional payloads to multiple system folders, therefore making it more difficult to find and eradicate all intrusive software.
  • A script is used to disable processes that may hog system resources. The attack also focuses on disabling any existing cryptocurrency mining software.
  • Finally, the Vollgar backdoor is used to deploy Remote Access Trojans (RATs) and cryptocurrency mining software to the infected machine.

Usually, Trojanized cryptocurrency miners focus on mining Monero, and this is also the case with Vollgar. However, it also executes an additional miner for the alt-coin Vollar. Judging by the tasks that Vollgar is able to execute on infected hosts, it is safe to assume that it can deploy additional payloads, retrieve system information, manage processes and services, and even start a keylogging module.

System administrators should make sure to protect all Internet-connected software with strong, long credentials. It is also recommended to keep servers protected by an up-to-date anti-malware software suite.
