New MrbMiner malware infected thousands of MSSQL DBs

A threat actor is launching brute-force attacks on MSSQL servers in the attempt to access them to install a new crypto-mining malware dubbed MrbMiner.

A group of hackers is launching brute-force attacks on MSSQL servers with the intent to compromise them and install crypto-mining malware dubbed MrbMiner.

According to security firm Tencent, the team of hackers has been active over the past few months by hacking into Microsoft SQL Servers (MSSQL) to install a crypto-miner.

“Tencent Security Threat Intelligence Center detected a new type of mining Trojan family MrbMiner. Hackers blasted in through the weak password of the SQL Server server. After successful blasting, they released the Trojan horse assm.exe written in C# on the target system, and then downloaded and maintained the Monero mining Trojan. Mining process.” continues the post.

The hackers used a botnet to target thousands of MSSQL installations.

The name of the malware gang, MrbMiner, comes after one of the domains used by the group to host their malicious code.

Once the hackers gained access to a system, they downloaded an initial assm.exe file to achieve persistence and to add a backdoor account for future access. Tencent researchers observed the use of an account with the username “Default” and a password of “@fg125kjnhn987.”

Upon creating the account, the malicious code connects to the C2 to download a Monero (XMR) cryptocurrency miner that runs on the local server.

The Monero wallet used for the MbrMiner version deployed on MSSQL servers contained 7 XMR (~$630).

One of the most interesting aspects of this new wave of attacks is that the researchers discovered on the C&C server variant of the MrbMiner malware designed to target Linux servers and ARM-based systems.

Anyway, at the time, Tencent security experts only observed attacks on MSSQL servers, but the analysis of the Linux version revealed a Monero wallet containing 3.38 XMR (~$300), suggesting that the Linux versions were also employed in the campaign.

“Tencent security experts also discovered a mining Trojan based on the Linux platform and the ARM platform on the attacker’s FTP server ftp[:]//145.239.225.15.” continues the analysis.

The researchers published the Indicators of Compromise for this campaign. Experts recommend administrators check their MSSQL servers for the presence of the Default/@fg125kjnhn987 account.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MrbMiner)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.