A new malware strain has been prowling the web for the past few months, infecting Microsoft SQL servers with cryptominers. Recent reports from Tencent's security researchers have named it ‘MrbMiner’.
The malware is named after one of the domains the group uses to host it. According to the reports, the botnet scans the web for MS-SQL servers and then tries to break in with repeated brute-force attacks that cycle through common weak passwords.
Once they have access, the attackers download a file named ‘assm.exe’, which installs a boot persistence mechanism on the system and creates a backdoor for future access.
Most importantly, the infection is completed when the implant connects to its command-and-control server and downloads a cryptominer that mines Monero (XMR) on the hijacked server's resources. Once that connection is established, the attackers collect the mined XMR in their own wallets.
Each of the Monero wallets holds approximately $630. While this is a small amount, the attackers are known to spread their mining proceeds across multiple wallets.
Tencent's analysts note that although the malware has so far only infected Microsoft servers, the code contains traces that hint at future attacks on Linux and ARM servers, too.
Experts have found that the MrbMiner attackers create a backdoor account with the id “Default” and the password “@fg125kjnhn987”. An efficient way to detect an MrbMiner compromise is therefore to check for an account with these credentials. If such an account exists, a full system audit is warranted.
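Two of the behaviours described above leave traces in SQL Server's own ERRORLOG: the password brute-force shows up as repeated “Login failed” entries from one client, and use of the “Default” backdoor account shows up as a login for that name. The script below is an added example, not code from the report or from Tencent; it parses constructed ERRORLOG lines in the standard SQL Server layout (the client addresses, timestamps and thresholds are made up) and flags both indicators.

```python
"""Flag MrbMiner indicators in SQL Server ERRORLOG lines: brute-force login failures and a 'Default' login."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

BACKDOOR_LOGIN = "Default"  # backdoor account name reported for MrbMiner
# ERRORLOG Logon lines look like: "<date> <time>.<frac>  Logon  Login failed|succeeded for user '<u>' ... [CLIENT: <ip>]"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
                     r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
                     r".*\[CLIENT: (?P<client>[^\]]+)\]")

def parse(lines):
    """Yield (timestamp, result, user, client) for each recognised Logon line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["client"])

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Clients with at least `threshold` failed logins inside any `window` (constructed thresholds)."""
    failures = defaultdict(list)
    for ts, result, _user, client in events:
        if result == "failed":
            failures[client].append(ts)
    flagged = set()
    for client, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(client)
                break
    return sorted(flagged)

def find_backdoor_logins(events):
    """Clients that logged in as the backdoor account (ERRORLOG only records successes when login auditing includes them)."""
    return sorted({c for _, r, u, c in events if r == "succeeded" and u == BACKDOOR_LOGIN})

def analyse(lines):
    events = list(parse(lines))
    return {"bruteforce": find_bruteforce(events), "backdoor_logins": find_backdoor_logins(events)}

# Constructed sample (not real telemetry): six 'sa' failures from one client within a minute,
# one unrelated failure from another client, then a 'Default' login from the brute-forcing client.
FAIL = "Login failed for user '{u}'. Reason: Password did not match that for the login provided. [CLIENT: {c}]"
SAMPLE_LOG = [f"2020-09-01 10:15:0{i}.00 Logon       " + FAIL.format(u="sa", c="203.0.113.5") for i in range(6)]
SAMPLE_LOG += ["2020-09-01 10:20:11.00 Logon       " + FAIL.format(u="appuser", c="198.51.100.7"),
               "2020-09-01 10:21:40.00 Logon       Login succeeded for user 'Default'. "
               "Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]"]
```

Running `analyse(SAMPLE_LOG)` reports the same client for both indicators; on a real server, point `parse` at the ERRORLOG file and tune the threshold and window to the host's normal login volume.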