Over the past few months a hacker group known as MrbMiner has been busy compromising MSSQL databases and installing a new malware designed to mine Monero cryptocurrency. To date, the group has managed to infect thousands of MSSQL servers, according to a report from the Tencent Security team.
The name “MrbMiner” comes from one of the domains used by the group to host their malware. In the discovered campaign the attackers scanned for MSSQL servers available on the internet and then attempted to hack into servers by conducting brute-force attacks using weak passwords.
Once a target is compromised, the hackers download an initial assm.exe file, which is used to establish a (re)boot persistence mechanism and to add a backdoor account (username "Default" with the password "@fg125kjnhn987") for future access. In the final stage of the infection process, an app that mines the Monero (XMR) cryptocurrency is downloaded onto the compromised system.
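For defenders, the two observable artifacts in the chain above are the brute-force login attempts and the added backdoor login. The following T-SQL, an added example that is not part of the Tencent report, hunts for both on a single SQL Server instance: it lists the "Default" login and any recently created logins, shows whether "Default" holds a server role, and counts failed logins (error 18456) per client address from the current error log. The 30-day window and the threshold of 20 failures are assumptions chosen for illustration; reading the error log via xp_readerrorlog requires appropriate permissions.

```sql
-- 1. Look for the backdoor login named in the report and for any login created recently.
--    The 30-day window is an assumed tuning value.
SELECT name, type_desc, create_date, modify_date, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U')                                   -- SQL logins and Windows logins
  AND (name = N'Default'
       OR create_date >= DATEADD(day, -30, SYSUTCDATETIME()))
ORDER BY create_date DESC;

-- 2. If "Default" exists, show which server roles it belongs to (sysadmin is the one to worry about).
SELECT sp.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
WHERE sp.name = N'Default';

-- 3. Count failed logins per source address from the current SQL Server error log.
--    xp_readerrorlog arguments: log number (0 = current), log type (1 = SQL Server log), search string.
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(64), [Text] nvarchar(max));
INSERT INTO #errlog
EXEC xp_readerrorlog 0, 1, N'Login failed';

-- Each failure line ends with "[CLIENT: <address>]"; extract the address and aggregate.
-- The threshold of 20 failures is an assumed value; tune it to the server's normal traffic.
SELECT c.client_addr,
       COUNT(*)       AS failures,
       MIN(e.LogDate) AS first_seen,
       MAX(e.LogDate) AS last_seen
FROM #errlog AS e
CROSS APPLY (SELECT CHARINDEX('[CLIENT: ', e.[Text]) AS p) AS s
CROSS APPLY (SELECT SUBSTRING(e.[Text], s.p + 9,
                              CHARINDEX(']', e.[Text], s.p) - s.p - 9) AS client_addr) AS c
WHERE s.p > 0
GROUP BY c.client_addr
HAVING COUNT(*) >= 20
ORDER BY failures DESC;

DROP TABLE #errlog;
```

A burst of failures from one address against the sa login, followed shortly by a new SQL login appearing in the first query, is the pattern this campaign would leave behind; the error log only holds a limited window, so for longer retention forward failed-login events to a SIEM.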
While the researchers detected infections only on MSSQL servers, the MrbMiner command and control server also contained Linux versions of the malware as well as variants designed to target ARM-based systems. The team says they were able to identify a Monero wallet where the malware deposited mined coins, which contained 3.38 XMR (~$300), suggesting that the Linux versions of the malware have also been deployed in the attacks.