Guardicore Labs: Vollgar Botnet Targets SQL Server DBs

Guardicore Labs this week published a report detailing how a malicious botnet has been using a brute force technique for nearly two years now to compromise systems running Microsoft SQL Server databases, then deploying multiple backdoors and executing numerous malicious modules including multifunctional remote access tools (RATs) and cryptominers.

Ophir Harpaz, a cybersecurity researcher for the provider of tools for microsegmenting network traffic, said the botnet, which has been dubbed Vollgar, has been active since at least May 2018. Guardicore is now making available a free PowerShell script that IT security teams can use to detect Vollgar activity.
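Guardicore's own detection script is not reproduced here. As an added illustration, not code from the report or from this article, the following Python snippet shows the kind of defender-side check that surfaces the brute-force phase described above: it parses SQL Server ERRORLOG failed-login entries (error 18456, which records the client address) and flags any source that bursts past a threshold within a sliding time window. The log lines are constructed samples, and the threshold and window are assumed values to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server records every failed login (error 18456) in its ERRORLOG together
# with the client address; the regex follows that layout. Sample lines below
# are constructed for this example and use documentation-range addresses.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]"
)

FAIL = "Login failed for user 'sa'. Reason: Password did not match that for the login provided."
SAMPLE_ERRORLOG = [
    "2020-04-01 09:49:58.10 Server      Server is listening on [ 'any' <ipv4> 1433].",
    f"2020-04-01 09:50:00.00 Logon       {FAIL} [CLIENT: 198.51.100.7]",   # isolated failure
    f"2020-04-01 10:05:00.00 Logon       {FAIL} [CLIENT: 198.51.100.7]",   # 15 min later
] + [f"2020-04-01 10:00:{5 * i:02d}.00 Logon       {FAIL} [CLIENT: 203.0.113.5]"
     for i in range(6)]  # six 'sa' failures in 25 seconds: a brute-force burst


def parse_failed_logins(lines):
    """Yield (timestamp, user, client_ip) for each failed-login line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["ip"]


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: total_failures} for every source that produced at least
    `threshold` failed logins inside some sliding window of length `window`."""
    per_ip = defaultdict(list)
    for ts, _user, ip in parse_failed_logins(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_ERRORLOG).items():
        print(f"{ip}: {count} failed logins, burst exceeded threshold")
```

On a live server the same parser can be fed the output of `xp_readerrorlog` or the ERRORLOG file directly; a single source hammering `sa` is the signal, whereas two failures a quarter of an hour apart stay below the threshold.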

Guardicore Labs estimates Vollgar is infecting about 3,000 database machines daily. Like other bots, the Vollgar infrastructure is based on abused domain names and shell companies. The attacker uses this infrastructure both to host malicious payloads and to deploy command-and-control bases, most of which reside in China. The domain vollar.ga uses the .ga top-level domain (TLD), which can be registered for free. Like many other free TLDs, .ga is widely abused by malware providers.

Harpaz said Guardicore Labs has attempted to contact internet service providers (ISPs) to inform them of the existence of Vollgar, but none of them have responded as yet.

The majority of infected machines (60%) remained infected for only a short period of time. However, almost 20% of all breached servers remained infected for more than a week. Harpaz said the fact that most machines are compromised only briefly helps explain why the botnet went undetected for so long.

Based on data collected by a honeypot network created by Guardicore Labs, Vollgar attacks originate in more than 120 IP addresses. These are most likely compromised machines that are being repurposed to scan and infect new victims, said Harpaz. Most of those machines appear to be compromised for a short period of time, but a couple of source IP addresses were active for more than three months.

Guardicore Labs noted that 10% of the victims whose servers were taken over by Vollgar were re-infected after a system administrator had removed the malware from the initial attack.

Harpaz said Vollgar is especially notable for both its thoroughness and its scope of activity. For example, it makes use of two VBScript downloaders that fetch over HTTP and one FTP script. Each downloader is executed several times, each time with a different target location on the local file system. Once Vollgar takes over a system, it launches a variety of malicious modules using a number of different RATs, said Harpaz, noting that compared to other bots, Vollgar is quite complex.

Of course, it may never be determined what entity constructed Vollgar. However, chances are high that if there is one bot operating at this level of sophistication, then there are others. Many organizations are underestimating the technological resources that those engaged in cybercrime have at their disposal. In fact, the only way to effectively combat these bots may be to set up another bot infused with machine learning algorithms because it’s obviously taking too long for cybersecurity research teams to discover these attacks without some form of artificial intelligence (AI) augmentation.

Source: https://securityboulevard.com/2020/04/guardicore-labs-vollgar-botnet-targets-sql-server-dbs/