Thursday, February 25, 21:08

MrbMiner malware: It has infected thousands of MSSQL databases

Security researchers have discovered a new malware strain, which they named MrbMiner, that targets Microsoft SQL Server (MSSQL) installations and deploys a cryptominer on them.


A new malware distribution gang has been particularly active in recent months and has managed to breach thousands of Microsoft SQL Server (MSSQL) installations and install a cryptominer. According to researchers at the Chinese company Tencent, thousands of MSSQL databases are infected with the cryptominer.

Earlier this month, Tencent released a report describing the gang. The researchers named the group MrbMiner, after the domain the criminals used to host their malware.

According to the researchers, the botnet spread by scanning the Internet for exposed MSSQL servers and then brute-forcing the administrator account to gain access.

After the initial login, the attackers downloaded a file named assm.exe, which they used to set up a "(re)boot persistence mechanism" and add a backdoor account for future access. According to the researchers, this account has the username "Default" and the password "@fg125kjnhn987".

The infection is completed by connecting to the command-and-control (C&C) server and downloading a Monero (XMR) cryptominer, which abuses the compromised server's resources to mine XMR into wallets controlled by the attackers.


The researchers found that the malware could also target Linux and ARM

Tencent Security researchers say that so far they have only seen MSSQL servers infected. However, they found that the MrbMiner C&C server also hosted malware versions designed for Linux servers and ARM-based systems.

Analysis of the Linux version revealed a Monero wallet address that held 3.38 XMR (about $300). This suggests that the MrbMiner gang has also targeted Linux systems and already profited from those attacks, although the researchers have found no further information about them.

As ZDNet reports, the Monero wallet used by the MrbMiner version targeting MSSQL servers held 7 XMR (about $630). These amounts may look very small, but we do not know whether they represent everything the attackers have earned, since crypto-mining gangs typically spread their proceeds across many different wallet addresses.

For now, system administrators should check their MSSQL servers for a backdoor account with the credentials Default / @fg125kjnhn987. If they find one, they should treat the server as compromised and immediately investigate the entire network.
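The following T-SQL is an added example of how to run that check (and look for the brute-force activity described earlier); it is not from the Tencent or ZDNet reports. It uses only standard SQL Server catalog views and procedures (sys.server_principals, sys.sql_logins, PWDCOMPARE, xp_readerrorlog). It assumes the brute-forced administrator account was sa, which the article does not state, and it must be run as a sysadmin because password hashes are only visible with CONTROL SERVER permission.

```sql
-- Added example: triage queries for the MrbMiner indicators named in the article.
-- Run as sysadmin. Catalog views and procedures below are standard SQL Server objects.

-- 1. Backdoor login. The report names the login "Default"; also list every other
--    login that holds sysadmin, in case the attacker renamed the account.
SELECT sp.name,
       sp.type_desc,
       sp.create_date,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name = N'Default'
   OR (sp.type IN ('S', 'U') AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1)
ORDER BY sp.create_date DESC;

-- 2. Known backdoor password, regardless of login name. PWDCOMPARE() tests a
--    cleartext password against the stored hash, so a renamed backdoor account
--    that kept the reported password is still found.
SELECT l.name, l.create_date, l.modify_date
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(N'@fg125kjnhn987', l.password_hash) = 1;

-- 3. Brute-force evidence. SQL Server records failed logins in its error log by
--    default; this reads the current log (0) of the SQL Server type (1) and filters
--    on failed logins for the assumed target account "sa". Drop the last argument
--    to see failed logins for every account.
EXEC xp_readerrorlog 0, 1, N'Login failed', N'sa';
```

A hit on query 1 or 2 is a compromised server, not just a bad password: the backdoor account is created only after the attacker already has administrative access, so the rest of the network should be reviewed as the article advises. Query 3 only shows the current error log; older logs are read by raising the first argument (1, 2, ...) and are rotated on every service restart, which the assm.exe persistence mechanism may have triggered.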

