Sophisticated Mining Botnet Identified After 2 Years

Published at: April 5, 2020

On April 1, cybersecurity firm Guardicore Labs revealed that it had identified a malicious crypto-mining botnet that has been operating for nearly two years.

The campaign, dubbed ‘Vollgar’ after the little-known altcoin it mines, Vollar (VSD), targets Windows machines running MS-SQL Server, of which Guardicore estimates there are just 500,000 in existence worldwide.

However, despite their scarcity, MS-SQL servers offer sizable processing power in addition to typically storing valuable information such as usernames, passwords, and credit card details.

Sophisticated crypto-mining malware network identified

Once a server is infected, Vollgar “diligently and thoroughly kills other threat actors’ processes,” before deploying multiple backdoors, remote access tools (RATs), and crypto miners.

Of the victims, 60% were infected by Vollgar for only a short duration, while roughly 20% remained infected for up to several weeks, and 10% were found to have been reinfected. Vollgar attacks have originated from more than 120 IP addresses, most of them located in China; Guardicore believes most of these addresses correspond to compromised machines that are themselves being used to infect new victims.

Guardicore lays part of the blame with negligent registrars and hosting companies who turn a blind eye to threat actors operating from their infrastructure, stating:

“Unfortunately, oblivious or negligent registrars and hosting companies are part of the problem, as they allow attackers to use IP addresses and domain names to host whole infrastructures. If these providers continue to look the other way, mass-scale attacks will continue to prosper and operate under the radar for long periods of time.”

Vollgar mines two crypto assets

Guardicore cybersecurity researcher, Ophir Harpaz, told Cointelegraph that Vollgar has numerous qualities differentiating it from most cryptojacking attacks.

“First, it mines more than one cryptocurrency - Monero and the alt-coin VSD (Vollar). Additionally, Vollgar uses a private pool to orchestrate the entire mining botnet. This is something only an attacker with a very large botnet would consider doing.”

Harpaz also notes that unlike most mining malware, Vollgar seeks to establish multiple sources of potential revenue by deploying multiple RATs on top of the malicious crypto miners. “Such access can be easily translated into money on the dark web,” he adds.

Vollgar operates for nearly two years

While the researcher did not specify when Guardicore first identified Vollgar, he states that an increase in the botnet’s activity in December 2019 led the firm to examine the malware more closely.

“An in-depth investigation of this botnet revealed that the first recorded attack dated back to May 2018, which sums up to nearly two years of activity,” said Harpaz.

Cybersecurity best practices

To prevent infection from Vollgar and other crypto mining attacks, Harpaz urges organizations to search for blind spots in their systems.

“I would recommend starting with collecting netflow data and getting a full view into what parts of the data center are exposed to the internet. You cannot enter a war without intelligence; mapping all incoming traffic to your data center is the intelligence you need to fight the war against cryptominers.” 

“Next, defenders should verify that all accessible machines are running with up-to-date operating systems and strong credentials,” he adds.
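The first step Harpaz describes, turning flow data into a map of which data-center hosts and services are reachable from the internet, is easy to automate. The script below is an added example written for this page, not code from Guardicore or from the article: it parses NetFlow-style records, keeps only flows whose source is outside the organization's address space, and ranks internet-exposed services on ports that campaigns like Vollgar target (MS-SQL on 1433 above all) by how many distinct external sources have hit them, since many sources against one database port is what a scan or credential brute-force looks like at the flow level. The flow records, the CSV column layout and the list of high-risk ports are all constructed assumptions; substitute your own export and your own internal ranges.

```python
"""Map internet-exposed services in a data center from NetFlow-style records.

Added illustration for the Vollgar write-up; the sample flows are constructed
and the CSV layout (src_ip,dst_ip,proto,src_port,dst_port,packets) is assumed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export. In practice, feed in e.g. an nfdump/SiLK CSV
# export with the same columns (column names are an assumption of this script).
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,src_port,dst_port,packets
10.0.5.12,10.0.5.20,tcp,51022,1433,14
203.0.113.45,10.0.5.20,tcp,40211,1433,9
198.51.100.7,10.0.5.20,tcp,40212,1433,9
198.51.100.7,10.0.5.20,tcp,40213,1433,9
192.0.2.99,10.0.5.21,tcp,55000,3389,21
203.0.113.45,10.0.5.22,tcp,44444,443,120
10.0.7.3,10.0.5.22,tcp,33000,443,80
"""

# The organization's own address space (assumed: RFC1918 plus loopback and
# link-local). Anything outside it is treated as "the internet", which is the
# question being asked; do not rely on ip.is_global here, because documentation
# ranges such as 203.0.113.0/24 are classified as non-global by Python.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Services a Vollgar-style campaign targets or abuses; editor's choice, not the
# article's. 1433 is MS-SQL Server, 3389 RDP, 445 SMB, 22 SSH.
HIGH_RISK_PORTS = {1433: "ms-sql", 3389: "rdp", 445: "smb", 22: "ssh"}


def is_internal(ip_str):
    """True if the address falls inside one of the organization's own ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow records into dicts, converting the port columns to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        rows.append(row)
    return rows


def exposure_map(flows):
    """Return {(dst_ip, dst_port): set(of external src_ips)} for inbound flows
    that originated outside the internal ranges and landed on an internal host."""
    exposed = defaultdict(set)
    for f in flows:
        if not is_internal(f["src_ip"]) and is_internal(f["dst_ip"]):
            exposed[(f["dst_ip"], f["dst_port"])].add(f["src_ip"])
    return dict(exposed)


def high_risk_exposures(flows):
    """List internet-reachable services on HIGH_RISK_PORTS as
    (host, port, service, distinct_external_sources), most sources first."""
    findings = []
    for (host, port), sources in exposure_map(flows).items():
        if port in HIGH_RISK_PORTS:
            findings.append((host, port, HIGH_RISK_PORTS[port], len(sources)))
    findings.sort(key=lambda t: (-t[3], t[0], t[1]))
    return findings


if __name__ == "__main__":
    for host, port, svc, n in high_risk_exposures(parse_flows(SAMPLE_FLOWS)):
        print(f"{host}:{port} ({svc}) reachable from {n} external source(s)")
```

On the constructed sample, the MS-SQL host 10.0.5.20 is reported first because two distinct external addresses reached port 1433, while the internal client on 10.0.5.12 is correctly ignored; the HTTPS service on 10.0.5.22 is exposed too but is not on the high-risk list. Any host that appears in this output with port 1433 is a candidate for the second step in the quote: confirm it is patched and that its SQL logins do not have guessable passwords, or better, take it off the internet entirely.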

Opportunistic scammers leverage COVID-19

In recent weeks, cybersecurity researchers have sounded the alarm regarding a rapid proliferation in scams seeking to leverage coronavirus fears.

Last week, U.K. county regulators warned that scammers were impersonating the Centers for Disease Control and Prevention and the World Health Organization to redirect victims to malicious links or to fraudulently solicit donations in Bitcoin (BTC).

At the start of March, a screen-locking attack called ‘CovidLock’, circulating under the guise of an app that installs a thermal map tracking the spread of coronavirus, was identified.
