Vollgar Cryptocurrency Botnet

Vollgar is a botnet that has targeted Microsoft SQL database servers since 2018.

Threat ID:: CC-3418
Category:: Botnet
Threat Severity:: Low
Threat Vector:: Insecure network
Published:: 2 April 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Vollgar is a botnet that has targeted Microsoft SQL database servers since 2018.

Affected platforms

The following platforms are known to be affected:

Microsoft SQL Server

Microsoft SQL Server - All versions

Threat details

Vollgar is distributed via brute-force attacks cracking administrative account passwords.

When a server is compromised, Vollgar stops a range of other processes from running to gain more resources for itself. Vollgar then sends the device's IP and geolocation to a command and control server. Further modules are installed including remote access trojans and a cryptocurrency miner based on XMRig. Vollgar mines the Monero and Vollar cryptocurrencies.

Remediation steps

Type	Step
	To prevent and detect an infection, NHS Digital advises that: Secure configurations are applied to all devices. Security updates are applied at the earliest opportunity. Tamper protection settings in security products are enabled where available. Obsolete platforms are segregated from the rest of the network. Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts. Administrative accounts are only used for necessary purposes. Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations. Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Type

Step

To prevent and detect an infection, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Indicators of compromise

Main indicators

IP Addresses

183.131.3[.]196
192.37.90[.]118
39.109.116[.]162
154.221.26[.]108
103.53.211[.]94
185.172.66[.]203
51.105.249[.]223
154.211.14[.]66
154.221.19[.]221
145.239.23[.]7
180.97.220[.]5
207.180.202[.]208

URLs

vollar[.]ga

Filenames

SQLAGENTIDC.exe
SQLAGENTVDC.exe
SQLAGENTSWA.exe
SQLIOMDSA.exe
SQLamd.exe
SQLIOMDSD.exe
SQLSernsf.exe
SQLSerasi.exe
sqlagentc.exe
startas.bat
startae.bat
vbs.tmp
wget.vbs
emsda.vbs
usdta.vbs

Services

SQLAGENT MSSQL SQLIOSIMSA

Scheduled Tasks

.NET Framework NGEN v0.2.212294
.NET Framework NGEN v0.2.212294 64
.NET Framework NGEN v0.2.213394
.NET Framework NGEN v0.2.213394 64
.NET Framework NGEN v0.2.214294
.NET Framework NGEN v0.2.214294 64
.NET Framework NGEN v0.2.215394
.NET Framework NGEN v0.2.215394 64

Credentials

Usernames
- guest
- IUER_SERVER
- sql
- web
Passwords
- hywjs!14
- Yuan00852

Last edited: 29 June 2021 12:01 pm