MrbMiner Description

A new attack campaign delivering cryptomining malware to Microsoft SQL Servers (MSSQL) has been brought to light. Researchers from the cybersecurity division of the Chinese mega-corporation Tencent discovered the activities of a previously unknown hacker group. They dubbed the group MrbMiner, after the name of one of the domains used to host the malware. According to the researchers' findings, thousands of MSSQL servers have already been compromised.

The attack begins with the hackers scanning for MSSQL servers and then brute-forcing their way in by trying numerous weak passwords against the server's credentials. If successful, the infection is initiated by first dropping a file named 'assm.exe'. The malware achieves persistence, and at the same time establishes a gateway for the hackers, by setting up a backdoor account with 'Default' as its username and '@fg125kjnhn987' as the password.
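The two observable traces of the intrusion chain described above, a burst of failed logins followed by a success from the same client, and a later login by the 'Default' backdoor account, can both be pulled out of the SQL Server errorlog. The following detection script is an added example and is not code from the original page or from the Tencent researchers; the log lines, the client addresses, the `FAILURE_THRESHOLD` value and the function names are constructed assumptions, and the 'Login succeeded' lines are only written when login auditing is set to record successful logins as well as failures.

```python
import re
from collections import defaultdict

# Constructed sample SQL Server errorlog excerpt (not taken from the page or from
# any real incident). The layout mirrors the standard MSSQL errorlog format:
# timestamp, source column ("Logon"), message, and the client address in brackets.
SAMPLE_ERRORLOG = """\
2020-09-14 09:55:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2020-09-14 09:55:30.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
2020-09-14 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-09-14 10:00:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-09-14 10:00:01.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-09-14 10:00:01.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-09-14 10:00:01.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2020-09-14 10:00:02.10 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2020-09-14 10:03:15.02 Logon       Login succeeded for user 'Default'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
"""

# Backdoor username reported for this campaign (from the description above).
BACKDOOR_USER = "Default"
# Number of failed logins from one client before a later success is treated as
# "brute force, then success". Assumed tuning value, not from the page.
FAILURE_THRESHOLD = 5

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'\."
    r".*\[CLIENT: (?P<ip>[^\]]+)\]$"
)


def parse_logon_events(text):
    """Extract logon events from errorlog text, returned in timestamp order."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.rstrip())
        if m:
            events.append(m.groupdict())
    # Timestamps are ISO-like, so a string sort gives chronological order.
    events.sort(key=lambda e: e["ts"])
    return events


def find_bruteforce_then_success(events, threshold=FAILURE_THRESHOLD):
    """Return client IPs that failed at least `threshold` times and then logged in."""
    failures = defaultdict(int)
    flagged = set()
    for e in events:
        if e["result"] == "failed":
            failures[e["ip"]] += 1
        elif failures[e["ip"]] >= threshold:
            flagged.add(e["ip"])
    return sorted(flagged)


def find_backdoor_logins(events, user=BACKDOOR_USER):
    """Return successful logins by the known backdoor account name."""
    return [e for e in events if e["user"] == user and e["result"] == "succeeded"]


def analyze(text):
    """Run both detections and return a summary dict."""
    events = parse_logon_events(text)
    return {
        "bruteforce_sources": find_bruteforce_then_success(events),
        "backdoor_logins": find_backdoor_logins(events),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_ERRORLOG)
    for ip in result["bruteforce_sources"]:
        print(f"ALERT: brute force followed by successful login from {ip}")
    for e in result["backdoor_logins"]:
        print(f"ALERT: backdoor account '{e['user']}' logged in at {e['ts']} from {e['ip']}")
```

On a live server the same logic runs against the output of `xp_readerrorlog` or the errorlog file on disk; the 'appuser' client, with a single typo before a successful login, stays below the threshold and is not reported, while the scanning host is reported twice, once for the password guessing and once for the backdoor account it created.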

The campaign's goal is to deliver crypto-mining malware that exploits the resources of the compromised system to generate Monero coins (XMR). By tracking the cryptocurrency wallet used by the MSSQL malware variant, the researchers found that it contained around 7 XMR, or about $630. However, the MrbMiner group could be using multiple wallets, which is the usual practice in cryptomining botnet attacks. Furthermore, two more variants of the malware were discovered on the Command-and-Control (C2) server: one designed to run on Linux servers and another targeting ARM-based systems. The Linux variant is being deployed actively, as its wallet address had already received around 3.30 Monero coins.