Elaborate botnet is hijacking Microsoft servers to mine crypto

Guardicore, a data center and cloud security company, issued a report today detailing an extensive campaign by a botnet to hijack Microsoft SQL Server (MS-SQL) machines around the globe and force them to mine the cryptocurrencies Monero and Vollar.

Dubbed “Vollgar” by the company—a portmanteau of Vollar and vulgar—the campaign has continued on since it was first detected in May 2018, steadily infecting about 3,000 new machines daily across all sorts of industries, including healthcare and telecommunications.

According to Guardicore, the most-infected countries are China, India, the United States, South Korea, and Turkey, with the vast majority of attacking machines located in China. A peak of activity in December 2019 caught the company’s attention, eventually leading to today’s report.

“During its two years of activity, the campaign’s attack flow has remained similar—thorough, well-planned, and noisy,” the report reads.

The “vulgar” part of Guardicore’s naming comes from how aggressive the attackers have been at claiming possession of hijacked machines. After securing access following brute force login attempts, the botnet changes a number of settings on the machine to download malware—but it also eliminates processes that could enable other types of malware. That way, the botnet can use as much of the infected machine’s resources as possible.

Monero is a cryptocurrency that botnets often mine via infected machines. In January, a security researcher discovered a Monero-mining scheme on a web server operated by the United States Department of Defense. Also, late last year, the long-running Stantinko botnet was discovered to be using YouTube to install Monero-mining modules on computers.

Guardicore has released a detection script and indicators of infection to help server administrators determine whether their MS-SQL servers are infected or not.