Security researchers have discovered a new malware family, which they named MrbMiner, that targets MSSQL servers and installs a cryptominer.
A new malware distribution gang has been particularly active in recent months and has managed to breach thousands of Microsoft SQL Servers (MSSQL) and install a cryptominer. According to researchers at the Chinese company Tencent, thousands of MSSQL databases are infected with the cryptominer.
Earlier this month, Tencent published a report about this malware gang. The researchers named the hackers MrbMiner, after the domain the criminals use to host their malware.
According to the researchers, the botnet spreads by scanning the Internet for vulnerable MSSQL servers and then brute-forcing the administrator account to gain access.
After the initial login, the hackers download a file named assm.exe, which they use to set up a "(re)boot persistence mechanism" and to add a backdoor account for future access. According to the researchers, this account has the username "Default" and the password "@fg125kjnhn987".
The infection is completed by connecting to the command and control server and downloading a crypto-miner that mines Monero (XMR), illicitly using the server's resources and depositing the mined XMR into accounts controlled by the hackers.
The researchers found that the malware could also target Linux and ARM
Tencent Security researchers say they have so far only seen MSSQL databases infected. However, they found that the MrbMiner C&C server hosted malware versions designed to target Linux servers and ARM-based systems.
Analysis of the Linux version revealed a Monero wallet holding cryptocurrency: the address contained 3.38 XMR (~$300). This suggests that the MrbMiner gang has also targeted Linux systems and profited from them, although the investigators have not found any further information about those attacks.
As ZDNet reports, the Monero wallet used by the MrbMiner version targeting MSSQL servers held 7 XMR (~$630). One could say these amounts are very small. However, we do not know whether they represent the total the hackers have stolen, since crypto-mining gangs use many different addresses (wallets).
For now, system administrators should check their MSSQL databases for a backdoor account with the credentials Default / @fg125kjnhn987. If they find one, they should immediately examine the whole network.
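To perform that check on a single SQL Server instance, the following T-SQL is added here as an example; it is not taken from the Tencent report or ZDNet. It looks for the reported login by name and, separately, by password hash, so a renamed backdoor login is still caught; the 30-day window in the last query is an assumed starting point.

```sql
-- Added example (not from the Tencent report): detect the MrbMiner backdoor
-- login on one SQL Server instance. Run with a sysadmin login.

-- 1. Any SQL-authenticated login named "Default" (the name reported for the
--    backdoor), with when it was created and whether it holds sysadmin.
SELECT p.name,
       p.create_date,
       p.modify_date,
       p.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM sys.server_principals AS p
WHERE p.type = 'S'                 -- 'S' = SQL login (not Windows / group)
  AND p.name = N'Default';

-- 2. Any SQL login whose stored hash matches the reported backdoor password.
--    PWDCOMPARE checks the clear-text password against the stored hash, so
--    this catches the account even if the attackers renamed it.
SELECT l.name,
       l.create_date,
       IS_SRVROLEMEMBER('sysadmin', l.name) AS is_sysadmin
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(N'@fg125kjnhn987', l.password_hash) = 1;

-- 3. Context for the follow-up review: SQL logins created recently, so any
--    other unexpected principal added by the intruders stands out.
--    The 30-day window is an assumption; widen it to cover the exposure period.
SELECT name, create_date, is_disabled
FROM sys.sql_logins
WHERE create_date > DATEADD(day, -30, GETDATE())
ORDER BY create_date DESC;
```

Any row returned by the first two queries is a strong indicator of compromise; treat the host as breached and review the rest of the network as the article advises, rather than only dropping the login.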