New MrbMiner malware has infected thousands of MSSQL databases


Image: Caroline Grondin, Microsoft, ZDNet

A new malware gang has made a name for itself over the past few months by hacking into Microsoft SQL Servers (MSSQL) and installing a crypto-miner.

Thousands of MSSQL databases have been infected so far, according to the cybersecurity arm of Chinese tech giant Tencent.

In a report published earlier this month, Tencent Security has named this new malware gang MrbMiner, after one of the domains used by the group to host their malware.

The Chinese company says the botnet has exclusively spread by scanning the internet for MSSQL servers and then performing brute-force attacks by repeatedly trying the admin account with various weak passwords.

Once the attackers gained a foothold on a system, they downloaded an initial assm.exe file, which they used to establish a (re)boot persistence mechanism and to add a backdoor account for future access. Tencent says this account uses the username “Default” and a password of “@fg125kjnhn987.”

The last step of the infection process was to connect to the command and control server and download an app that mines the Monero (XMR) cryptocurrency by abusing local server resources and generating XMR coins into accounts controlled by the attackers.

Linux and ARM variants also discovered

Tencent Security says that while they saw only infections on MSSQL servers, the MrbMiner C&C server also contained versions of the group’s malware written to target Linux servers and ARM-based systems.

After analyzing the Linux version of the MrbMiner malware, Tencent experts said they identified a Monero wallet where the malware generated funds.

The address contained 3.38 XMR (~$300), suggesting that the Linux versions were also being actively distributed, although details about these attacks remain unknown for now.

The Monero wallet used for the MbrMiner version deployed on MSSQL servers stored 7 XMR (~$630). While the two sums are small, crypto-mining gangs are known to use multiple wallets for their operations, and the group has most likely generated much larger profits.

For now, what system administrators need to do is to scan their MSSQL servers for the presence of the Default/@fg125kjnhn987 backdoor account. In case they find systems with this account configured, full network audits are recommended.