16 September 2020

Thousands of MSSQL databases have been infected with a new MrbMiner malware

Over the past few months a hacker group known as MrbMiner has been busy compromising MSSQL databases and installing new malware designed to mine the Monero cryptocurrency. To date, the group has managed to infect thousands of MSSQL servers, according to a report from the Tencent Security team.

The name “MrbMiner” comes from one of the domains the group uses to host its malware. In the discovered campaign the attackers scanned for MSSQL servers exposed on the internet and then attempted to break into them by brute-forcing weak passwords.

Once a target is compromised, the hackers download an initial assm.exe file, which establishes a (re)boot persistence mechanism and adds a backdoor account (username "Default" with the password "@fg125kjnhn987") for future access. In the final stage of the infection an app that mines the Monero (XMR) cryptocurrency is downloaded onto the compromised system.
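For defenders, the two observable signs in the chain described above are a burst of failed logins from one client address and the presence of a SQL login named "Default". The following Python is an added example (not from the Tencent report or this article) that checks both against constructed SQL Server ERRORLOG lines and constructed rows in the shape of sys.server_principals; the log format and column names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample ERRORLOG excerpt modelled on SQL Server's format; not from the article.
SAMPLE_ERRORLOG = """\
2020-09-10 03:14:01.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-09-10 03:14:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-09-10 03:14:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-09-10 03:14:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2020-09-10 08:02:17.90 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

# Constructed rows in the shape of sys.server_principals (name, type_desc); not from the article.
SAMPLE_PRINCIPALS = [
    ("sa", "SQL_LOGIN"),
    ("reporting", "SQL_LOGIN"),
    ("Default", "SQL_LOGIN"),  # the backdoor account name the article attributes to MrbMiner
]

FAILED_LOGIN = re.compile(
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def failed_logins_by_client(errorlog: str) -> dict:
    """Map each client address to (failed attempt count, set of targeted login names)."""
    counts = Counter()
    users = defaultdict(set)
    for line in errorlog.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m["client"]] += 1
            users[m["client"]].add(m["user"])
    return {ip: (counts[ip], users[ip]) for ip in counts}

def brute_force_sources(errorlog: str, threshold: int = 3) -> list:
    """Client addresses with at least `threshold` failed logins, busiest first."""
    stats = failed_logins_by_client(errorlog)
    return sorted((ip for ip, (n, _) in stats.items() if n >= threshold),
                  key=lambda ip: -stats[ip][0])

def suspicious_logins(principals, names=frozenset({"Default"})) -> list:
    """SQL logins whose name matches a known backdoor account name (case-insensitive)."""
    wanted = {n.lower() for n in names}
    return [name for name, kind in principals
            if kind == "SQL_LOGIN" and name.lower() in wanted]

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_ERRORLOG))
    print("suspicious logins:", suspicious_logins(SAMPLE_PRINCIPALS))
```

On a live server the principal rows would come from `SELECT name, type_desc FROM sys.server_principals`, and a hit on "Default" should be treated as a sign of compromise rather than simply dropped.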

While the researchers detected infections only on MSSQL servers, the MrbMiner command and control server also hosted Linux versions of the malware as well as variants designed to target ARM-based systems. The team says they were able to identify a Monero wallet where the malware deposited mined coins; it contained 3.38 XMR (~$300), suggesting that the Linux versions of the malware have also been deployed in the attacks.
