Guardicore Labs researchers have disclosed the details of a long-running malicious campaign that targets Windows machines running MS-SQL servers with various backdoors, multifunctional remote access tools (RATs) and cryptominers.
Dubbed Vollgar (after the Vollar cryptocurrency it mines and its offensive behaviour), the campaign has been active since at least May 2018. The target list includes organizations in various industry sectors, including healthcare, aviation, IT & telecommunications and higher education.
Over the past two years the attacks have remained well-planned and noisy. The researchers say the campaign managed to infect roughly three thousand database machines daily, with attacks originating from more than 120 IP addresses, most of them in China. These are most likely compromised machines, repurposed to scan and infect new victims. Some of the source IPs remained active for more than three months, according to Guardicore.
The analysis of the attacker’s log files revealed that the majority of breached machines (60%) remained infected for only a short period of time, but 20% of compromised servers remained infected for over a week, and in some cases even longer than two weeks. Moreover, 10% of victims got reinfected with malware, likely because system administrators only partially removed the malware without getting to the root cause of the infection.
Attacks start with MS-SQL brute force login attempts and continue with a series of database configuration changes to allow future command execution. The attacker then validates that certain COM classes (WbemScripting.SWbemLocator, Microsoft.Jet.OLEDB.4.0, and Windows Script Host Object Model) are available. These classes support both WMI scripting and command execution through MS-SQL, which is used to download the initial malware binary. The threat actor also ensures that strategic files such as cmd.exe and ftp.exe have execution permissions.
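As an added example that is not part of the Guardicore report, the Python script below scans SQL Server ERRORLOG text for the two stages of that chain a defender can see in the log: a burst of failed logins from one client followed by a success, and the sp_configure changes that turn T-SQL into a command and COM execution channel. The log lines are constructed, and the option names (xp_cmdshell, Ole Automation Procedures) are the standard switches for that capability, assumed here because the report does not say which settings were changed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (not taken from the report):
# a burst of failed 'sa' logins from one client, a success from the same client,
# then the two configuration changes that enable OS command / COM execution.
SAMPLE_LOG = """\
2020-03-30 08:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-03-30 08:00:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-03-30 08:00:03.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-03-30 08:00:04.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-03-30 08:00:12.00 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-03-30 08:00:12.50 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-03-30 09:15:00.00 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) (\S+)\s+(.*)$")
CLIENT_RE = re.compile(r"\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from 0 to 1")
# sp_configure options that let T-SQL run OS commands or instantiate COM objects
RISKY_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


def analyze(log_text, threshold=3, window=timedelta(minutes=1)):
    # Returns (kind, subject, timestamp) findings in log order.
    failures = defaultdict(list)  # client IP -> timestamps of recent failed logins
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(3)
        client = CLIENT_RE.search(msg)
        ip = client.group(1) if client else "unknown"
        # keep only this client's failures that fall inside the sliding window
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if msg.startswith("Login failed"):
            failures[ip].append(ts)
            if len(failures[ip]) == threshold:
                findings.append(("brute_force", ip, ts))
        elif msg.startswith("Login succeeded") and len(failures[ip]) >= threshold:
            # a success right after a burst of failures is the likely break-in
            findings.append(("login_after_brute_force", ip, ts))
        else:
            cfg = CONFIG_RE.search(msg)
            if cfg and cfg.group(1) in RISKY_OPTIONS:
                findings.append(("command_exec_enabled", cfg.group(1), ts))
    return findings
```

Successful logins only appear in ERRORLOG when login auditing is set to record both failed and successful logins, so the second finding depends on that setting.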
The Vollgar operators then set up multiple backdoor administrative users in the operating system and in the MS-SQL database context. They were also observed eliminating the activity of other threat actors and their traces.
The attackers were also observed to use three separate downloader scripts – two VBScripts downloading over HTTP and one FTP script.
“Each downloader is executed a couple of times, every time with a different target location on the local file system. This thoroughness is somewhat unusual among other attack groups, who often look for the fastest route to their goal,” the research team said.
The Vollgar main command and control server, running an MS-SQL database and a Tomcat web server, was operated from a computer in China. The server had itself been compromised by at least one threat group. The researchers say they have found almost ten different backdoors used to access the machine, read its file system contents, modify its registry, download and upload files and execute commands.
“The attacker held their entire infrastructure on the compromised machine. Among the files was the MS-SQL attack tool, responsible for scanning IP ranges, brute-forcing the targeted database and executing commands remotely. In addition, we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP,” according to the Guardicore report.
On the compromised machines, the attackers deploy an initial payload to eliminate competitors and fetch additional payloads, including multiple RAT modules and an XMRig-based cryptominer to mine for Monero and an alt-coin named VDS, or Vollar.