MrbMiner Malware: Infected Thousands of MSSQL Databases

Thousands of MSSQL databases have been infected with crypto-mining malware. The attackers brute-force weak passwords and then install the crypto-mining malware MrbMiner.

According to the Chinese tech giant Tencent, the group behind the campaign has been active over the past few months, launching attacks against Microsoft SQL Server (MSSQL) installations to install a crypto-miner.

“Tencent Security Threat Intelligence Center detected a new type of mining Trojan family, MrbMiner. Hackers blasted in through the weak password of the SQL Server server. After successful blasting, they released the Trojan horse assm.exe, written in C#, on the target system, and then downloaded and maintained the Monero mining Trojan's mining process.” continues the post.

Once the attackers have gained a foothold on a system, they download the assm.exe file, which they use to establish persistence and add a backdoor account for future access. The attackers used the botnet to infect thousands of MSSQL installations. Tencent observed the use of an account with the username “Default” and the password “@fg125kjnhn987”.

The malware creates the account and connects to the C2 server to download a Monero (XMR) cryptocurrency miner that runs on the local server. One Monero wallet receiving the malware's proceeds was found to contain 3.38 XMR (~$300), suggesting that the Linux versions were also being actively distributed, although those attacks remain unobserved for now. The Monero wallet used by the MrbMiner version deployed on MSSQL servers held 7 XMR (~$630).

One interesting aspect of these attacks is that the researchers found, on the C&C server, variants designed to target Linux servers and ARM-based systems.

“Tencent security experts also discovered a mining Trojan based on the Linux platform and the ARM platform on the attacker’s FTP server ftp[:]//” continues the analysis.

Researchers recommend that administrators check their MSSQL servers for the presence of the credentials “Default/@fg125kjnhn987”.
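The checks below are an added T-SQL example, not part of the article or of Tencent's analysis. They look for the backdoor login named “Default” that the article reports, for any recently created SQL login holding sysadmin (the shape a post-brute-force backdoor takes), and for the burst of failed logins that the password-guessing phase leaves in the SQL Server error log. The 7-day and 24-hour windows are assumptions chosen for illustration; the login name comes from the article.

```sql
-- Added example: defender-side MrbMiner indicator checks for one MSSQL instance.
-- Run as a sysadmin (xp_readerrorlog requires it). Windows are assumptions.

-- 1. The backdoor login the article names. Report its type, dates and
--    whether it holds sysadmin, so a hit can be triaged immediately.
SELECT p.name,
       p.type_desc,
       p.create_date,
       p.modify_date,
       IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM sys.server_principals AS p
WHERE p.name = N'Default';

-- 2. Any SQL (password-based) login created in the last 7 days that is a
--    sysadmin. The attacker may rename the account; the pattern still shows.
SELECT p.name, p.create_date
FROM sys.server_principals AS p
WHERE p.type = 'S'                                   -- 'S' = SQL login
  AND p.create_date >= DATEADD(DAY, -7, SYSDATETIME())
  AND IS_SRVROLEMEMBER('sysadmin', p.name) = 1;

-- 3. Failed logins in the last 24 hours, grouped by source address.
--    Brute-forcing the sa / weak-password logins produces many
--    "Login failed for user ..." (error 18456) lines from one client.
DECLARE @fails TABLE (LogDate DATETIME, ProcessInfo NVARCHAR(64), [Text] NVARCHAR(MAX));

INSERT INTO @fails (LogDate, ProcessInfo, [Text])
EXEC master.dbo.xp_readerrorlog
     0,                                   -- current error log
     1,                                   -- 1 = SQL Server log (not Agent)
     N'Login failed',                     -- first search string
     NULL,                                -- no second search string
     DATEADD(HOUR, -24, SYSDATETIME()),   -- start of window
     NULL;                                -- no end time

SELECT SUBSTRING([Text],
                 CHARINDEX('[CLIENT: ', [Text]) + 9,
                 CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                   - CHARINDEX('[CLIENT: ', [Text]) - 9) AS client_address,
       COUNT(*)      AS failed_logins_24h,
       MIN(LogDate)  AS first_seen,
       MAX(LogDate)  AS last_seen
FROM @fails
WHERE CHARINDEX('[CLIENT: ', [Text]) > 0            -- lines that carry a source
GROUP BY SUBSTRING([Text],
                   CHARINDEX('[CLIENT: ', [Text]) + 9,
                   CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                     - CHARINDEX('[CLIENT: ', [Text]) - 9)
ORDER BY failed_logins_24h DESC;
```

Query 3 only sees failed logins if login auditing is left at its default of logging failures; a single address with hundreds of failures in the window, followed by a new sysadmin login from query 2, is the sequence the article describes.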

Source: The Hack Today
