New MrbMiner malware infected thousands of MSSQL DBs

Pierluigi Paganini September 16, 2020

A threat actor is launching brute-force attacks on MSSQL servers in the attempt to access them to install a new crypto-mining malware dubbed MrbMiner.

A group of hackers is launching brute-force attacks on MSSQL servers with the intent to compromise them and install crypto-mining malware dubbed MrbMiner.

According to security firm Tencent, the team of hackers has been active over the past few months by hacking into Microsoft SQL Servers (MSSQL) to install a crypto-miner.

“Tencent Security Threat Intelligence Center detected a new type of mining Trojan family MrbMiner. Hackers blasted in through the weak password of the SQL Server server. After successful blasting, they released the Trojan horse assm.exe written in C# on the target system, and then downloaded and maintained the Monero mining Trojan. Mining process.” continues the post.

The hackers used a botnet to target thousands of MSSQL installations.

The name of the malware gang, MrbMiner, comes after one of the domains used by the group to host their malicious code.

Once the hackers gained access to a system, they downloaded an initial assm.exe file to achieve persistence and to add a backdoor account for future access. Tencent researchers observed the use of an account with the username “Default” and a password of “@fg125kjnhn987.”

Upon creating the account, the malicious code connects to the C2 to download a Monero (XMR) cryptocurrency miner that runs on the local server.

The Monero wallet used for the MbrMiner version deployed on MSSQL servers contained 7 XMR (~$630).

One of the most interesting aspects of this new wave of attacks is that the researchers discovered on the C&C server variant of the MrbMiner malware designed to target Linux servers and ARM-based systems.

Anyway, at the time, Tencent security experts only observed attacks on MSSQL servers, but the analysis of the Linux version revealed a Monero wallet containing 3.38 XMR (~$300), suggesting that the Linux versions were also employed in the campaign.

“Tencent security experts also discovered a mining Trojan based on the Linux platform and the ARM platform on the attacker’s FTP server ftp[:]//” continues the analysis.

The researchers published the Indicators of Compromise for this campaign. Experts recommend administrators check their MSSQL servers for the presence of the Default/@fg125kjnhn987 account.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MrbMiner)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment