Sophisticated Mining Botnet Identified After 2 Years

Cointelegraph spoke to Guardicore’s Ophir Harpaz regarding the recently identified crypto mining botnet Vollgar.

Cybersecurity firm, Guardicore Labs, revealed the identification of a malicious crypto-mining botnet that has been operating for nearly two years on April 1.

The threat actor, dubbed ‘Vollgar’ based on its mining of the little-known altcoin, Vollar (VSD), targets Windows machines running MS-SQL servers — of which Guardicore estimates there are just 500,000 in existence worldwide.

However, despite their scarcity, MS-SQL servers offer sizable processing power in addition to typically storing valuable information such as usernames, passwords, and credit card details.

Sophisticated crypto-mining malware network identified

Once a server is infected, Vollgar “diligently and thoroughly kills other threat actors’ processes,” before deploying multiple backdoors, remote access tools (RATs), and crypto miners.

60% were only infected by Vollgar for a short duration, while roughly 20% remained infected for up to several weeks. 10% of victims were found to have been reinfected by the attack. Vollgar attacks have originated from more than 120 IP addresses, most of which are located in China. Guardicore expects most of the addresses corresponding to compromised machines that are being used to infect new victims.

Guidicore lays part of the blame with corrupt hosting companies who turn a blind eye to threat actors inhabiting their servers, stating:

“Unfortunately, oblivious or negligent registrars and hosting companies are part of the problem, as they allow attackers to use IP addresses and domain names to host whole infrastructures. If these providers continue to look the other way, mass-scale attacks will continue to prosper and operate under the radar for long periods of time.”

Vollgar mines or two crypto assets

Guardicore cybersecurity researcher, Ophir Harpaz, told Cointelegraph that Vollgar has numerous qualities differentiating it from most cryptojacking attacks.

“First, it mines more than one cryptocurrency – Monero and the alt-coin VSD (Vollar). Additionally, Vollgar uses a private pool to orchestrate the entire mining botnet. This is something only an attacker with a very large botnet would consider doing.”

Harpaz also notes that unlike most mining malware, Vollgar seeks to establish multiple sources of potential revenue by deploying multiple RATs on top of the malicious crypto miners. “Such access can be easily translated into money on the dark web,” he adds.

Vollgar operates for nearly two years

While the researcher did not specify when Guardicore first identified Vollgar, he states that an increase in the botnet’s activity in December 2019 led the firm to examine the malware more closely.

“An in-depth investigation of this botnet revealed that the first recorded attack dated back to May 2018, which sums up to nearly two years of activity,” said Harpaz.

Cybersecurity best practices

To prevent infection from Vollgar and other crypto mining attacks, Harpaz urges organizations to search for blind spots in their systems.

“I would recommend starting with collecting netflow data and getting a full view into what parts of the data center are exposed to the internet. You cannot enter a war without intelligence; mapping all incoming traffic to your data center is the intelligence you need to fight the war against cryptominers.” 

“Next, defenders should verify that all accessible machines are running with up-to-date operating systems and strong credentials,” he adds.

Opportunistic scammers leverage COVID-19

In recent weeks, cybersecurity researchers have sounded the alarm regarding a rapid proliferation in scams seeking to leverage coronavirus fears.

Last week, U.K. county regulators warned that scammers were impersonating the Center for Disease Control and Prevention and the World Health Organization to redirect victims to malicious links or to fraudulently receive donations as Bitcoin (BTC).

At the start of March, a screen lock attack circulating under the guise of installing a thermal map tracking the spread of coronavirus called ‘CovidLock’ was identified.