
Hackers installing backdoors on Windows machines running MS-SQL Server

Cybersecurity researchers have discovered a malicious campaign named Vollgar that has been running since May 2018, targeting Windows machines running MS-SQL Server and installing malware, remote access trojans (RATs) and backdoors on them.

Microsoft SQL Server is a relational database management system developed by Microsoft and used by many organisations around the world.

Researchers said that over the past few weeks the attackers managed to compromise 2,000-3,000 MS SQL servers daily. The victims came from sectors including IT and telecommunications, healthcare, aviation and higher education, in India, the U.S., Turkey and South Korea.

[Image: Vollgar malware attack]

The researchers observed that the attacks originated from more than 120 IP addresses, most of them in China. Some of the IPs were short-lived, while a couple remained active for more than 3 months.

Vollgar Attack Chain: Infected MS SQL Servers

After analysing the attackers' log files, Guardicore researchers were able to obtain information about the infected servers. They found that 60% of the infected machines stayed infected only for a short period, 20% remained infected for more than two weeks, and 10% were infected again and again after system administrators had removed the malware.

"Threat actors are attempting various forms of attack, including password brute force to breach victim machines, deploying multiple backdoors and executing numerous malicious modules, such as multi-functional remote access tools (RATs) and crypto miners."

Guardicore researchers said.
[Image: Vollgar infection rate]

Researchers said that the entire infrastructure, including the command and control server, is located in China and was found to have been compromised by more than one attacker group.

The Workflow of the Vollgar MS SQL Server Attack

The attack begins with brute-forcing MS SQL logins. Once the attackers break in, they start changing the server configuration so that it allows execution of operating system commands.

The attackers also wrote two VB scripts for downloading over HTTP and one FTP script, so that a failed download attempt does not stop the infection, and the downloader script is executed from a different location on the local file system every time.
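The first step of the chain described above is a login brute force, and SQL Server records every failed login in its ERRORLOG as an "Error: 18456" line followed by a "Login failed for user ... [CLIENT: <ip>]" line. The following script is an added example written for this page; it is not the article's code and not the Guardicore script mentioned later. It parses those "Login failed" lines, keeps a sliding window of failures per client address and flags any address that reaches a threshold inside the window. The log lines, addresses and user names are constructed samples.

```python
"""Spot MS SQL login brute-force bursts in SQL Server error-log lines.

Added example, not the article's or Guardicore's code. All log lines
below are constructed samples, not data from the campaign.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six rapid failures for 'sa' from one address (the
# brute-force pattern) and one isolated failure from another address.
# SQL Server pairs each failure with an "Error: 18456" line; only some of
# those are reproduced here, and the parser ignores them anyway.
SAMPLE_ERRORLOG = """\
2020-04-01 09:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 09:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 09:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 09:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 09:00:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 09:00:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 09:00:02.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-04-01 09:05:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2020-04-01 09:05:00.00 Logon       Login failed for user 'jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.4]
"""

# Timestamp, login name and client address of a "Login failed" line.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]\s]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, user, client_ip) tuples for every 'Login failed' line."""
    found = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            found.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                          m["user"], m["ip"]))
    return found


def find_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs whose failed logins reach `threshold` inside any
    `window`-long interval. Returns {ip: {"peak_in_window", "total_failures", "users"}}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    total = defaultdict(int)
    users = defaultdict(set)
    flagged = {}
    for ts, user, ip in parse_failed_logins(text):   # ERRORLOG is chronological
        total[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:             # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak = flagged.get(ip, {}).get("peak_in_window", 0)
            flagged[ip] = {"peak_in_window": max(peak, len(q))}
    for ip in flagged:
        flagged[ip]["total_failures"] = total[ip]
        flagged[ip]["users"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{ip}: {info['peak_in_window']} failures within 60s "
              f"({info['total_failures']} total) against {', '.join(info['users'])}")
```

Run against a real ERRORLOG by passing its contents to `find_bruteforce`; the threshold and window are the only tuning knobs, and a single flagged address that keeps hammering `sa` is the pattern this campaign produces.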

[Image: Vollgar C&C server in China]

Vollgar's main C&C server was located in China, and the machine had 10 different backdoors that were used to read its file system contents, modify its registry, download and upload files and execute commands.

The attackers used two different C&C servers with the capability to download files, install new Windows services, log keystrokes, capture the screen, activate the camera and microphone, and even initiate a Distributed Denial-of-Service (DDoS) attack.

Vollgar's RAT Modules

The initial dropper payload used by the attackers, 'SQLAGENTIDC.exe' or 'SQLAGENTVDC.exe', starts by killing a long list of processes using 'taskkill' to gain access to more computing resources.

After that, the RAT tries to connect to the C&C server on different port numbers.
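The dropper behaviour described above (a file named SQLAGENTIDC.exe or SQLAGENTVDC.exe that runs taskkill) is easy to express as host-telemetry rules. The script below is an added example written for this page, not the article's code and not Guardicore's script. It applies three rules to Sysmon-style process-creation records: the dropper file names the article reports, that dropper running taskkill, and (an assumption, not stated in the article) a shell spawned directly by sqlservr.exe, which is what enabling command execution through the database engine looks like on the host. The events, paths and command lines are constructed.

```python
"""Hunt for Vollgar dropper activity in process-creation telemetry.

Added example, not the article's or Guardicore's script. The events are
constructed samples in the field names Sysmon Event ID 1 uses.
"""
from pathlib import PureWindowsPath

DROPPER_NAMES = {"sqlagentidc.exe", "sqlagentvdc.exe"}   # names reported in the article
SHELLS = {"cmd.exe", "powershell.exe"}                    # assumed shells; tune for your estate

# Constructed sample events: a normal service start, the assumed
# sqlservr.exe -> cmd.exe chain, the dropper, its taskkill child, and noise.
SAMPLE_EVENTS = [
    {"UtcTime": "2020-04-01 09:00:05",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "CommandLine": "sqlservr.exe -sMSSQLSERVER"},
    {"UtcTime": "2020-04-01 09:00:09",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "echo constructed-placeholder"'},
    {"UtcTime": "2020-04-01 09:00:12",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\Temp\SQLAGENTIDC.exe",          # constructed drop location
     "CommandLine": "SQLAGENTIDC.exe"},
    {"UtcTime": "2020-04-01 09:00:13",
     "ParentImage": r"C:\Windows\Temp\SQLAGENTIDC.exe",
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /f /im placeholder.exe"},     # constructed target name
    {"UtcTime": "2020-04-01 09:01:00",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path, so rules ignore directory and case."""
    return PureWindowsPath(path).name.lower()


def check_event(ev):
    """Return the names of every rule that matches one process-creation event."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    hits = []
    if image in DROPPER_NAMES:
        hits.append("vollgar_dropper_name")
    if parent in DROPPER_NAMES and image == "taskkill.exe":
        hits.append("dropper_runs_taskkill")
    if parent == "sqlservr.exe" and image in SHELLS:      # assumed rule, see lead-in
        hits.append("shell_spawned_by_sqlservr")
    return hits


def hunt(events):
    """Return (UtcTime, image name, rule) triples for every matching event."""
    return [(ev["UtcTime"], basename(ev["Image"]), rule)
            for ev in events for rule in check_event(ev)]


if __name__ == "__main__":
    for when, image, rule in hunt(SAMPLE_EVENTS):
        print(f"{when}  {rule:<28} {image}")
```

The name-based rule is the weakest of the three, since the dropper can be renamed; the parent-child rules survive a rename, and the sqlservr.exe-to-shell rule will also catch legitimate administrative use, so baseline it before alerting on it.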

[Image: Vollgar RAT module workflow]

"Each RAT module attempts to connect to the CNC server on a different port. Ports we've seen include 2225, 19383 and 3213. It is fair to assume that the simultaneous connections are for redundancy in case one of the CNCs is down."

Researchers said.

The attackers were mining both Monero and an alt-coin named VDS, or Vollar.

The researchers have also released a script that lets sysadmins check whether any of their MS SQL servers were compromised by this threat.

Satender Kumar

A blogger always fascinated with technology who gathers as much knowledge from the internet as he can, loves to share it with others, and is always available to play chess.
