Wednesday, May 14, 2025

Windows Running MS-SQL Servers Under Attack!! Hackers Installing 10 Secret Backdoors on Servers


Researchers have uncovered a large-scale, long-running attack campaign, dubbed Vollgar, in which a group of attackers targets Windows machines running Microsoft SQL Server.

Microsoft SQL Server is a relational database management system developed by Microsoft; it is the third most widely used database platform and is deployed in organizational networks around the globe.

Researchers first observed this long-running campaign through their honeypot system in 2018; since then it has continuously attacked thousands of internet-facing MS-SQL servers over a period of two years.


Researchers observed that the Vollgar attacks originated from more than 120 IP addresses, most of them in China. Some of the attacking IPs were short-lived, while a couple remained active for more than three months.

The campaign attacks nearly 3,000 MS-SQL servers daily. Victims span sectors such as healthcare, aviation, IT & telecommunications and higher education, in countries including India, the U.S., Turkey and South Korea.

“Threat actors attempt various forms of attack, including password brute force, to breach victim machines, deploy multiple backdoors and execute numerous malicious modules, such as multi-functional remote access tools (RATs) and crypto miners,” researchers from Guardicore told GBHackers.

Another notable finding: about 60% of infected machines stayed infected only briefly, roughly 20% remained infected for a week or more (in some cases more than two weeks), and around 10% of victims were reinfected repeatedly even after system administrators had removed the malware.

Vollgar Campaign on MS-SQL Server: Infection Flow & Infrastructure

The campaign starts with aggressive brute-force login attempts against MS-SQL servers. A successful login lets the attackers move ahead and make various changes to the server configuration that open up the ability to execute arbitrary operating-system commands.
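The article does not say which configuration options Vollgar changes after a successful brute-force login. As an added example (not code from the article or from Guardicore), the T-SQL below audits the two options most commonly abused for command execution on MS-SQL, `xp_cmdshell` and `Ole Automation Procedures`, shows in a comment what the abusive change looks like, and turns both options off; that these are the options Vollgar toggled is an assumption. Run it as a sysadmin login.

```sql
-- Added example, not from the article or the Guardicore report.
-- ASSUMPTION: the article does not name the options Vollgar enables; on
-- MS-SQL the usual ones are xp_cmdshell and "Ole Automation Procedures",
-- either of which lets a sysadmin-level login run arbitrary OS commands.

-- 1. Audit: list the command-execution options and whether they are on.
--    value_in_use = 1 on an internet-facing server is a red flag.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'show advanced options');

-- 2. The weak state. This is what an attacker holding a brute-forced
--    sysadmin login would run to get OS command execution (kept as a
--    comment so the script as a whole is a hardening script):
--      EXEC sp_configure N'show advanced options', 1; RECONFIGURE;
--      EXEC sp_configure N'xp_cmdshell', 1;           RECONFIGURE;
--      EXEC xp_cmdshell N'whoami';

-- 3. Harden: turn both options off, then hide advanced options again.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
EXEC sp_configure N'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 4. Verify: both rows should now report value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures');
```

A sysadmin login can always switch these options back on, so the audit query in step 1 belongs in a scheduled job or monitoring check that alerts whenever `value_in_use` flips to 1. Disabling the options raises the bar but does not fix the root cause, which is a guessable `sa` password on a server reachable from the internet.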

During the campaign, the actors added a component that kills other attackers' processes on the targeted system, ensuring that only their own implants remain and securing the most resources, such as bandwidth and CPU power, for themselves.

To guard against failed downloads, the actors wrote two VBScripts and one FTP script to fetch the next-stage payload over HTTP, and the downloaders are executed from a different location each time.

Researchers gathered multiple pieces of evidence showing that the main C&C server is located in China and that 10 different backdoor programs are used to access the system, read files, modify the registry, and download and execute scripts.

According to the Guardicore report, “we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP.”

Implanting Multiple RAT Modules in MS-SQL Server

Two initial droppers (SQLAGENTIDC.exe or SQLAGENTVDC.exe) use taskkill to terminate a long list of processes, including Rnaphin.exe, xmr.exe and winxmr.exe, freeing up computing resources by eliminating competing miners.

Attack flow (Source: Guardicore)

The loader then executes a copy of itself that connects to the C2 server, checks for the new process, queries Baidu Maps to obtain the victim’s IP address and geolocation, and sends the collected details back.

The infection flow then drops a few additional payloads on the victim’s machine: RAT modules and an XMRig-based crypto miner.

The RAT modules connect to the C2 server over several different ports, including 222519383 and 3213, for redundancy in case one channel goes down.

The threat actors mine both Monero and an alt-coin named VDS, or Vollar, which combines elements of Monero and Ethereum.

Network admins are encouraged not to expose MS-SQL database servers to the internet, and to enable logging so they can monitor and alert on suspicious, unexpected or recurring login attempts.
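Turning that logging advice into a concrete check, as an added example that is not from the article or from Guardicore: with Login auditing set to at least “Failed logins only” (the SQL Server default), every failed login is written to the SQL Server error log as error 18456 with the client address in the message text. The T-SQL below reads the current error log with `xp_readerrorlog`, extracts the login name and client address from each failure, and lists addresses with many failures in the last hour. The 20-failure threshold and the one-hour window are assumed values to tune for your environment.

```sql
-- Added example, not from the article or the Guardicore report.
-- ASSUMPTION: Login auditing is "Failed logins only" or stricter, so each
-- failure lands in the error log as a line shaped like:
--   Login failed for user 'sa'. Reason: Password did not match that for
--   the login provided. [CLIENT: 203.0.113.5]

IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(64), Text nvarchar(max));

-- Current log (0), SQL Server error log (1), only lines containing 'Login failed'.
INSERT INTO #errlog (LogDate, ProcessInfo, Text)
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- Locate the login name (after "for user '") and the client address
-- (after "[CLIENT: "); lines without both markers are skipped so the
-- SUBSTRING lengths below can never go negative.
;WITH positioned AS (
    SELECT LogDate, Text,
           CHARINDEX('for user ''', Text) + 10 AS LoginStart,   -- "for user '" is 10 chars
           CHARINDEX('[CLIENT: ', Text) + 9    AS ClientStart   -- "[CLIENT: " is 9 chars
    FROM #errlog
    WHERE Text LIKE '%for user ''%'
      AND Text LIKE '%[[]CLIENT: %'
), parsed AS (
    SELECT LogDate,
           SUBSTRING(Text, LoginStart,  CHARINDEX('''', Text, LoginStart)  - LoginStart)  AS LoginName,
           SUBSTRING(Text, ClientStart, CHARINDEX(']',  Text, ClientStart) - ClientStart) AS ClientAddr
    FROM positioned
)
-- One address hammering many logins in a short window is the brute-force
-- signature the article describes; a single login failing a few times is not.
SELECT ClientAddr,
       COUNT(*)                  AS Failures,
       COUNT(DISTINCT LoginName) AS DistinctLogins,
       MIN(LogDate)              AS FirstSeen,
       MAX(LogDate)              AS LastSeen
FROM parsed
WHERE LogDate >= DATEADD(HOUR, -1, GETDATE())   -- ASSUMED window
GROUP BY ClientAddr
HAVING COUNT(*) >= 20                           -- ASSUMED threshold
ORDER BY Failures DESC;
```

Schedule this as a SQL Agent job or feed the same error-log lines to your SIEM; either way, an alert on a source address that trips the threshold is the signal to block that address at the firewall and to check `sys.configurations` for freshly enabled command-execution options, since a successful guess is usually followed by exactly that change.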


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
