In brief
- A botnet campaign has been infecting MS-SQL machines with malware to mine crypto.
- The infected servers have been mining Monero and Vollar for the attackers.
- The campaign is still infecting some 3,000 new machines daily around the world.
Guardicore, a data center and cloud security company, issued a report today detailing an extensive campaign by a botnet to hijack Microsoft SQL Server (MS-SQL) machines around the globe and force them to mine the cryptocurrencies Monero and Vollar.
Dubbed “Vollgar” by the company—a portmanteau of Vollar and vulgar—the campaign has continued since it was first detected in May 2018, steadily infecting about 3,000 new machines daily across all sorts of industries, including healthcare and telecommunications.
According to Guardicore, the most-infected countries are China, India, the United States, South Korea, and Turkey, with the vast majority of attacking machines located in China. A peak of activity in December 2019 caught the company’s attention, eventually leading to today’s report.
“During its two years of activity, the campaign’s attack flow has remained similar—thorough, well-planned, and noisy,” the report reads.
The “vulgar” part of Guardicore’s naming comes from how aggressive the attackers have been at claiming possession of hijacked machines. After securing access following brute force login attempts, the botnet changes a number of settings on the machine to download malware—but it also eliminates processes that could enable other types of malware. That way, the botnet can use as much of the infected machine’s resources as possible.
Monero is a cryptocurrency that botnets often mine via infected machines. In January, a security researcher discovered a Monero-mining scheme on a web server operated by the United States Department of Defense. Also, late last year, the long-running Stantinko botnet was discovered to be using YouTube to install Monero-mining modules on computers.
Guardicore has released a detection script and indicators of infection to help server administrators determine whether their MS-SQL servers are infected or not.
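The brute-force login step described above shows up in SQL Server's ERRORLOG as error 18456 "Login failed for user" entries, which the server writes by default because login auditing records failed logins. The following is an added example, not Guardicore's detection script and not code from the report: it counts those failures per client address inside a sliding time window to surface likely password-guessing sources. The log excerpt is constructed, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server logs each failed login as an "Error: 18456" line followed by a
# "Login failed for user" line that carries the login name and client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {client: total failures} for every client address that produced
    at least `threshold` failed logins within any single `window`-long span."""
    times = defaultdict(list)
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        times[m["client"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for client, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = len(stamps)
                break
    return flagged

# Constructed ERRORLOG excerpt: one rapid guessing run against 'sa' from
# 203.0.113.5 and a single mistyped password from 198.51.100.7.
SAMPLE_LOG = """\
2019-12-01 03:14:15.22 Logon       Error: 18456, Severity: 14, State: 8.
2019-12-01 03:14:15.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-12-01 03:14:16.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-12-01 03:14:18.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-12-01 03:14:19.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-12-01 03:14:21.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-12-01 03:40:02.19 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG.splitlines()))
```

Pointing the function at a real ERRORLOG (or the output of `xp_readerrorlog`) gives the same per-client view; a flagged address with a later successful login from the same client is the case worth investigating first.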